Puppet Class: easy_ipa::config::webui

Defined in:
manifests/config/webui.pp

Overview

Configures port and redirect overrides for the IPA server web UI.



# File 'manifests/config/webui.pp', line 2

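class easy_ipa::config::webui {

  # External name and port of the web UI. They are resolved before either
  # conditional because the Kerberos override at the bottom of the class
  # interpolates $proxy_server_external_fqdn_and_port as well; when they were
  # only assigned inside the proxy branch, enabling webui_disable_kerberos
  # without webui_enable_proxy produced an <If> compared against an empty
  # string (or a compile error under strict_variables).
  $proxy_server_external_fqdn = $easy_ipa::webui_proxy_external_fqdn
  $proxy_https_port = $easy_ipa::webui_proxy_https_port
  $proxy_server_external_fqdn_and_port = "${proxy_server_external_fqdn}:${proxy_https_port}"

  if $easy_ipa::webui_enable_proxy {
    #ref: https://www.redhat.com/archives/freeipa-users/2016-June/msg00128.html
    # The proxy_* variables below are not used by any resource in this class
    # other than the regsubst() call; presumably the two ERB templates read
    # them from class scope -- keep the names stable.
    $proxy_server_internal_fqdn = $easy_ipa::ipa_server_fqdn

    $proxy_internal_uri = "https://${proxy_server_internal_fqdn}"
    $proxy_external_uri = "https://${proxy_server_external_fqdn}:${proxy_https_port}"
    $proxy_server_name = "https://${easy_ipa::ipa_server_fqdn}:${proxy_https_port}"

    # Escape every literal dot in the external URI so it can be embedded in a
    # regular expression. Only dots are escaped; any other regex
    # metacharacter in the configured FQDN would pass through unchanged.
    $proxy_referrer_regex = regsubst(
      $proxy_external_uri,
      '\.',
      '\.',
      'G',
    )

    # Add the proxy port to the SELinux http_port_t port type unless it is
    # already listed. The guard matches the port as a whole number, delimited
    # by non-digits, so that e.g. 443 is not considered present merely because
    # 8443 is.
    # NOTE(review): the port is interpolated into a command line; the class
    # parameter should be constrained to an Integer (its declaration is not
    # visible here -- confirm).
    exec { 'semanage-port-http_port_t':
        command => "semanage port -a -t http_port_t -p tcp ${proxy_https_port}",
        unless  => "semanage port -l | grep -E '^http_port_t[[:space:]]+tcp[[:space:]](.*[^0-9])?${proxy_https_port}([^0-9]|\$)'",
        path    => ['/bin','/sbin','/usr/bin','/usr/sbin'],
    }

    # Make httpd listen on the additional port, right after the stock
    # "Listen 443" line of nss.conf.
    file_line { 'webui_additional_https_port_listener':
      ensure => present,
      path   => '/etc/httpd/conf.d/nss.conf',
      line   => "Listen ${proxy_https_port}",
      after  => 'Listen\ 443',
      notify => Service['httpd'],
    }

    # Both files are fully managed: replace => true overwrites local edits
    # with the rendered template on every run.
    file { '/etc/httpd/conf.d/ipa-rewrite.conf':
      ensure  => present,
      replace => true,
      content => template('easy_ipa/ipa-rewrite.conf.erb'),
      notify  => Service['httpd'],
    }

    # Written only after the port has been labelled, so the restart triggered
    # by this file does not happen before the semanage exec has run.
    file { '/etc/httpd/conf.d/ipa-webui-proxy.conf':
      ensure  => present,
      replace => true,
      content => template('easy_ipa/ipa-webui-proxy.conf.erb'),
      notify  => Service['httpd'],
      require => Exec['semanage-port-http_port_t'],
    }
  }

  if $easy_ipa::webui_disable_kerberos {
    # Wrap the directives between the opening of <Location "/ipa"> and the
    # "ErrorDocument 401" line of ipa.conf in an <If> block. The condition is
    # false when the request's Host header equals the external fqdn:port, so
    # the wrapped directives are skipped for those requests.
    # NOTE(review): the Host header is supplied by the client, and the match
    # is an exact string comparison including the port. Confirm that /ipa
    # still enforces authentication by other means for requests that skip the
    # wrapped directives, and that the front-end proxy forwards a Host header
    # that includes the port.
    file_line{'disable_kerberos_via_if_1':
      ensure => present,
      path   => '/etc/httpd/conf.d/ipa.conf',
      line   => "  <If \"%{HTTP_HOST} != '${proxy_server_external_fqdn_and_port}'\">",
      notify => Service['httpd'],
      after  => '^<Location\ "/ipa">',
    }

    # Closing tag for the <If> opened above.
    file_line{'disable_kerberos_via_if_2':
      ensure => present,
      path   => '/etc/httpd/conf.d/ipa.conf',
      line   => '  </If>',
      notify => Service['httpd'],
      after  => 'ErrorDocument\ 401\ /ipa/errors/unauthorized.html',
    }
  }
}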