Hello,
Is it supported to install mod_ssl on the same machine of FreeIPA? I’m asking this because FreeIPA ships by default mod_nss and this may lead to conflicting issues inside /etc/httpd/conf.d. For example:
[root@headnode conf.d]# grep -iR virtualhost
nss.conf:<VirtualHost _default_:443>
nss.conf:</VirtualHost>
ssl.conf:<VirtualHost _default_:443>
ssl.conf:</VirtualHost>
Both add a default virtual host to 443.
What’s the correct procedure? Don’t use mod_ssl at all?
Thanks,
Vinícius Ferrão via FreeIPA-users wrote:
> Hello,
> Is it supported to install mod_ssl on the same machine of FreeIPA? I’m asking this because FreeIPA ships by default mod_nss and this may lead to conflicting issues inside /etc/httpd/conf.d. For example:
> [root@headnode conf.d]# grep -iR virtualhost
> nss.conf:<VirtualHost _default_:443>
> nss.conf:</VirtualHost>
> ssl.conf:<VirtualHost _default_:443>
> ssl.conf:</VirtualHost>
> Both add a default virtual host to 443.
> What’s the correct procedure? Don’t use mod_ssl at all?
They can co-exist but they can't share ports.
We do not recommend running other services on an IPA server.
rob
On 5 Dec 2019, at 15:22, Rob Crittenden rcritten@redhat.com wrote:
> Vinícius Ferrão via FreeIPA-users wrote:
>> Hello,
>> Is it supported to install mod_ssl on the same machine of FreeIPA? I’m asking this because FreeIPA ships by default mod_nss and this may lead to conflicting issues inside /etc/httpd/conf.d. For example:
>> [root@headnode conf.d]# grep -iR virtualhost
>> nss.conf:<VirtualHost _default_:443>
>> nss.conf:</VirtualHost>
>> ssl.conf:<VirtualHost _default_:443>
>> ssl.conf:</VirtualHost>
>> Both add a default virtual host to 443.
>> What’s the correct procedure? Don’t use mod_ssl at all?
> They can co-exist but they can't share ports.
> We do not recommend running other services on an IPA server.
Thanks for rescuing out again Rob.
So I need to custom tailor the ssl.conf and keep the nss.conf as default right?
I can learn the right way and use nss.conf instead, I think it will keep the sanity of the configuration files.
Just for curiosity, it’s the web interface of a monitoring system. Just that.
> rob
Vinícius Ferrão wrote:
> On 5 Dec 2019, at 15:22, Rob Crittenden rcritten@redhat.com wrote:
>> Vinícius Ferrão via FreeIPA-users wrote:
>>> Hello,
>>> Is it supported to install mod_ssl on the same machine of FreeIPA? I’m asking this because FreeIPA ships by default mod_nss and this may lead to conflicting issues inside /etc/httpd/conf.d. For example:
>>> [root@headnode conf.d]# grep -iR virtualhost
>>> nss.conf:<VirtualHost _default_:443>
>>> nss.conf:</VirtualHost>
>>> ssl.conf:<VirtualHost _default_:443>
>>> ssl.conf:</VirtualHost>
>>> Both add a default virtual host to 443.
>>> What’s the correct procedure? Don’t use mod_ssl at all?
>> They can co-exist but they can't share ports.
>> We do not recommend running other services on an IPA server.
> Thanks for rescuing out again Rob.
> So I need to custom tailor the ssl.conf and keep the nss.conf as default right?
> I can learn the right way and use nss.conf instead, I think it will keep the sanity of the configuration files.
For many configuration options it is SSL<thing> -> NSS<thing> with the exception of the certs, but those are already configured so it may be pretty straightforward.
> Just for curiosity, it’s the web interface of a monitoring system. Just that.
Ok.
rob
> rob
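Rob's two points above (mod_nss and mod_ssl can co-exist but cannot share a port, and most directives map SSL<thing> -> NSS<thing> apart from the certificate ones) can be checked mechanically before httpd is restarted. What follows is an added example written for this page, not code from the thread, from Red Hat or from the FreeIPA project: a POSIX shell script that scans an httpd conf.d directory and reports every port that more than one file claims, either through a <VirtualHost ...:PORT> block or a Listen directive, which is exactly what the grep in the original question surfaced. The function names, the demo file names (nss.conf, ssl.conf, monitoring.conf) and their stub contents, and the choice of 8443 as the separate port for the monitoring UI are all assumptions made for the example; real nss.conf and ssl.conf files carry many more directives than these stubs.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): find ports that more
# than one file under an httpd conf.d directory claims, either through a
# <VirtualHost ...:PORT> block or a Listen directive. This reproduces the
# situation in the thread, where nss.conf (mod_nss) and ssl.conf (mod_ssl)
# both declare <VirtualHost _default_:443> and both Listen on 443.

# Emit "PORT FILE" for every <VirtualHost ...:PORT> opening tag in $1/*.conf.
# A tag without a port (e.g. "<VirtualHost *>") is skipped.
vhost_ports() {
    grep -iH '^[[:space:]]*<VirtualHost' "$1"/*.conf 2>/dev/null |
        sed -n 's/^\(.*\.conf\):.*:\([0-9][0-9]*\)>.*$/\2 \1/p'
}

# Emit "PORT FILE" for every Listen directive in $1/*.conf. Any address part
# ("0.0.0.0:8443", "[::]:443") and protocol word ("https") is dropped.
listen_ports() {
    grep -iH '^[[:space:]]*Listen[[:space:]]' "$1"/*.conf 2>/dev/null |
        sed -n 's/^\(.*\.conf\):[[:space:]]*[Ll][Ii][Ss][Tt][Ee][Nn][[:space:]]*\([^[:space:]]*\).*$/\2 \1/p' |
        sed 's/^[^ ]*:\([0-9][0-9]*\) /\1 /'
}

# Ports that appear in more than one file (repeats inside one file are ignored).
find_vhost_conflicts()  { vhost_ports  "$1" | sort -u | cut -d' ' -f1 | uniq -d; }
find_listen_conflicts() { listen_ports "$1" | sort -u | cut -d' ' -f1 | uniq -d; }

# Print every conflict with the files involved; return 1 if any was found.
check_conf_dir() {
    dir=$1
    rc=0
    for p in $(find_vhost_conflicts "$dir"); do
        echo "<VirtualHost ...:$p> is declared in more than one file:"
        vhost_ports "$dir" | awk -v p="$p" '$1 == p { print "  " $2 }' | sort -u
        rc=1
    done
    for p in $(find_listen_conflicts "$dir"); do
        echo "Listen $p appears in more than one file:"
        listen_ports "$dir" | awk -v p="$p" '$1 == p { print "  " $2 }' | sort -u
        rc=1
    done
    if [ "$rc" -eq 0 ]; then
        echo "no port conflicts under $dir"
    fi
    return "$rc"
}

# Constructed demo directory: mod_nss and mod_ssl both on 443 (the conflict
# from the thread) plus the monitoring UI moved to its own port, 8443, under
# mod_ssl, which is the "can co-exist but can't share ports" arrangement.
# These are stubs for the check, not real FreeIPA configuration.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'Listen 443\n<VirtualHost _default_:443>\n  NSSEngine on\n</VirtualHost>\n' > "$d/nss.conf"
    printf 'Listen 443 https\n<VirtualHost _default_:443>\n  SSLEngine on\n</VirtualHost>\n' > "$d/ssl.conf"
    printf 'Listen 8443 https\n<VirtualHost *:8443>\n  SSLEngine on\n</VirtualHost>\n' > "$d/monitoring.conf"
    echo "$d"
}

demo() {
    d=$(make_demo_dir)
    check_conf_dir "$d" || echo "(exit status $?)"
    rm -rf "$d"
}

demo
```

On a real server run `check_conf_dir /etc/httpd/conf.d` before restarting httpd, and compare with `httpd -S`, which prints the VirtualHost mapping httpd actually resolved. The script only flags overlapping declarations; it says nothing about whether the directives inside each block are valid for the module that owns that port, so the SSL<thing> -> NSS<thing> translation still has to be done by hand.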
On 05/12/2019 18.41, Vinícius Ferrão via FreeIPA-users wrote:
> Hello,
> Is it supported to install mod_ssl on the same machine of FreeIPA? I’m asking this because FreeIPA ships by default mod_nss and this may lead to conflicting issues inside /etc/httpd/conf.d. For example:
> [root@headnode conf.d]# grep -iR virtualhost
> nss.conf:<VirtualHost _default_:443>
> nss.conf:</VirtualHost>
> ssl.conf:<VirtualHost _default_:443>
> ssl.conf:</VirtualHost>
> Both add a default virtual host to 443.
> What’s the correct procedure? Don’t use mod_ssl at all?
We switched from mod_nss to mod_ssl a couple of versions ago.
The correct procedure is: Don't install any additional services on an IPA server. For security reasons you shouldn't host other web sites, too. If the IPA server gets compromised, then all your users, computers, and services in your network are compromised, too.
Christian
Hi Christian
Sent from my iPhone
On 5 Dec 2019, at 15:59, Christian Heimes via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> On 05/12/2019 18.41, Vinícius Ferrão via FreeIPA-users wrote:
>> Hello,
>> Is it supported to install mod_ssl on the same machine of FreeIPA? I’m asking this because FreeIPA ships by default mod_nss and this may lead to conflicting issues inside /etc/httpd/conf.d. For example:
>> [root@headnode conf.d]# grep -iR virtualhost
>> nss.conf:<VirtualHost _default_:443>
>> nss.conf:</VirtualHost>
>> ssl.conf:<VirtualHost _default_:443>
>> ssl.conf:</VirtualHost>
>> Both add a default virtual host to 443.
>> What’s the correct procedure? Don’t use mod_ssl at all?
> We switched from mod_nss to mod_ssl a couple of versions ago.
Oh, I can see the changes here: https://www.freeipa.org/page/Releases/4.7.0#mod_ssl
But I’m running EL 7.7, so I’m still on mod_nss.
On EL8 it’s already with mod_ssl, as I understood.
Well I’ll need to support both. Since EL8 support is on my roadmap.
Ok, things are much clearer now.
> The correct procedure is: Don't install any additional services on an IPA server. For security reasons you shouldn't host other web sites, too. If the IPA server gets compromised, then all your users, computers, and services in your network are compromised, too.
Yes I’m aware of the security implications, but as I said on another thread with Rob, it’s an HPC system and I’m using FreeIPA/IdM as the default authentication realm. It’s not for keeping an enterprise with normal clients, so the security implications are different.
I’m trying to make the services coexist without breakage between them.
Thanks all for the help on this topic.
> Christian
> --
> Christian Heimes
> Principal Software Engineer, Identity Management and Platform Security
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...