I have just installed FreeIPA. When opening the main page, I get a blank page (completely blank) with the following error in the console:

    Error: Couldn't receive translations app.js:3:14945
    translations http://freeipa.home.lan/ipa/ui/js/freeipa/app.js?40702:3

I figured out that all files of the page were loaded correctly (loader.js, jquery.js, dojo.js etc.) except the file /ipa/i18n_messages, which failed with the following error:

    {
      "error": {
        "code": 911,
        "data": { "referer": "http://freeipa.home.lan/ipa/ui/" },
        "message": "Missing or invalid HTTP Referer, http://freeipa.home.lan/ipa/ui/",
        "name": "RefererError"
      },
      "id": null,
      "principal": "UNKNOWN",
      "result": null,
      "version": "4.7.2"
    }

The request to fetch this particular file is built as follows:

    Host: freeipa.home.lan
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://freeipa.home.lan/ipa/ui/
    Content-Type: application/json
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    DNT: 1
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

Now, when calling the same with Referer: https://freeipa.home.lan/ipa/ui/ (please note the "s" of https), I get what I suppose is the correct response, a JSON of size 13.68KB with different texts inside.

QUESTION: Why does the loading of all components of the page with Referer: http://freeipa.home.lan/ipa/ui/ work correctly except for /ipa/i18n_messages?

* (Please note the "s" of https)

I think I have identified the source: freeipa/ipaserver/rpcserver.py - line 344:

    if not 'HTTP_REFERER' in environ:
        return self.marshal(result, RefererError(referer='missing'), _id)
    if not environ['HTTP_REFERER'].startswith('https://%s/ipa' % self.api.env.host) and not self.env.in_tree:
        return self.marshal(result, RefererError(referer=environ['HTTP_REFERER']), _id)

QUESTION (still valid): Considering that all components of the page are loaded with Referer = http://freeipa.home.lan/ipa/ui/, why does the loading of /ipa/i18n_messages require a Referer with https?

On Fri, 19 Apr 2019, Manuki San via FreeIPA-users wrote:
> I have just installed FreeIPA. When opening the main page, I get a blank page (completely blank) with the following error in the console:
>
>     Error: Couldn't receive translations app.js:3:14945
>     translations http://freeipa.home.lan/ipa/ui/js/freeipa/app.js?40702:3
>
> I figured out that all files of the page were loaded correctly (loader.js, jquery.js, dojo.js etc.) except the file /ipa/i18n_messages, which failed with the following error:
>
>     {
>       "error": {
>         "code": 911,
>         "data": { "referer": "http://freeipa.home.lan/ipa/ui/" },
>         "message": "Missing or invalid HTTP Referer, http://freeipa.home.lan/ipa/ui/",
>         "name": "RefererError"
>       },
>       "id": null,
>       "principal": "UNKNOWN",
>       "result": null,
>       "version": "4.7.2"
>     }
>
> The request to fetch this particular file is built as follows:
>
>     Host: freeipa.home.lan
>     User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
>     Accept: application/json, text/javascript, */*; q=0.01
>     Accept-Language: en-US,en;q=0.5
>     Accept-Encoding: gzip, deflate
>     Referer: http://freeipa.home.lan/ipa/ui/
>     Content-Type: application/json
>     X-Requested-With: XMLHttpRequest
>     Content-Length: 60
>     DNT: 1
>     Connection: keep-alive
>     Pragma: no-cache
>     Cache-Control: no-cache
>
> Now, when calling the same with Referer: https://freeipa.home.lan/ipa/ui/ (please note the "s" of https), I get what I suppose is the correct response, a JSON of size 13.68KB with different texts inside.
>
> QUESTION: Why does the loading of all components of the page with Referer: http://freeipa.home.lan/ipa/ui/ work correctly except for /ipa/i18n_messages?

The /ipa/i18n_messages endpoint is an RPC backed by Python code. The rest is a set of static files that can be loaded without a proper referrer.

The question I would have for you is why you are trying to access the web UI via HTTP, not HTTPS? In a default configuration we do have a redirect from HTTP to HTTPS, so that the web UI is never accessed over the insecure HTTP port. The only reason that port is open and required is the OCSP responder.

I have a number of applications running on my home LAN (Gitlab, Jenkins, Sonarqube, Nexus, Nextcloud, Wordpress, Bind, reverse proxy etc.) that were previously running as virtual machines (VirtualBox). I got tired of managing the OS of each individual virtual machine and switched everything to Docker a couple of years ago.

Recently, I have decided to explore how to manage users centrally. I have tried OpenLDAP and OpenDJ, with FusionDirectory (as Docker containers). Both are missing the attribute MemberOf. This is where I found FreeIPA, with an integrated LDAP with support for the attribute memberof and a web UI.

The last step might be one day to share access to some of the Docker containers with a very limited group of people, but I don't know yet if it will be via HTTPS or via VPN (in which case HTTP is enough). It will be a steep learning curve if I need to enable HTTPS for FreeIPA, taking into consideration the Docker platform and a reverse proxy. (Sorry for the long story.)

On Tue, 23 Apr 2019, Manuki San via FreeIPA-users wrote:
> I have a number of applications running on my home LAN (Gitlab, Jenkins, Sonarqube, Nexus, Nextcloud, Wordpress, Bind, reverse proxy etc.) that were previously running as virtual machines (VirtualBox). I got tired of managing the OS of each individual virtual machine and switched everything to Docker a couple of years ago.
>
> Recently, I have decided to explore how to manage users centrally. I have tried OpenLDAP and OpenDJ, with FusionDirectory (as Docker containers). Both are missing the attribute MemberOf. This is where I found FreeIPA, with an integrated LDAP with support for the attribute memberof and a web UI.
>
> The last step might be one day to share access to some of the Docker containers with a very limited group of people, but I don't know yet if it will be via HTTPS or via VPN (in which case HTTP is enough). It will be a steep learning curve if I need to enable HTTPS for FreeIPA, taking into consideration the Docker platform and a reverse proxy. (Sorry for the long story.)

FreeIPA requires HTTPS for its API and Web UI (which is really a JavaScript client utilizing the IPA API over HTTPS). Also, mod_auth_gssapi will refuse clients not using HTTPS.

If you need to access the Web UI, make it directly accessible for yourself over HTTPS; it is automatic with the integrated CA.

You might want to research tutorials by Jan at https://www.adelton.com/
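
The behaviour discussed in this thread, as an added example (not part of the original messages and not FreeIPA's own code): a simplified model in which static UI files are served without any Referer test, while the RPC endpoint applies the startswith() check quoted from rpcserver.py. The handle() routing, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added illustration: models the Referer test quoted from rpcserver.py.
# The routing in handle() is a simplified assumption, not FreeIPA's dispatch.

IPA_HOST = "freeipa.home.lan"            # host name used in the thread
RPC_PATHS = ("/ipa/i18n_messages",)      # the RPC endpoint named in the thread


def referer_error(environ, host=IPA_HOST, in_tree=False):
    """Return None if the Referer passes, else the value RefererError reports."""
    referer = environ.get("HTTP_REFERER")
    if referer is None:
        return "missing"
    # Same comparison as the quoted code: scheme, host and /ipa prefix must match.
    if not referer.startswith("https://%s/ipa" % host) and not in_tree:
        return referer
    return None


def handle(path, environ):
    """Static files skip the check; RPC endpoints enforce it."""
    if path.startswith(RPC_PATHS):
        bad = referer_error(environ)
        if bad is not None:
            return {"error": "RefererError", "code": 911, "referer": bad}
        return {"error": None, "served": "rpc"}
    return {"error": None, "served": "static"}


# Constructed requests, modelled on the headers shown in the first message.
HTTP_UI = {"HTTP_REFERER": "http://freeipa.home.lan/ipa/ui/"}
HTTPS_UI = {"HTTP_REFERER": "https://freeipa.home.lan/ipa/ui/"}


def demo():
    return [
        handle("/ipa/ui/js/freeipa/app.js", HTTP_UI),   # static file, no check
        handle("/ipa/i18n_messages", HTTP_UI),          # RPC, http Referer
        handle("/ipa/i18n_messages", HTTPS_UI),         # RPC, https Referer
        handle("/ipa/i18n_messages", {}),               # RPC, no Referer
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```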