Bug 44524 - hardcoded FQDN in univention-proxy.conf site prohibits access in DMZ
Status: CLOSED INVALID
Product: UCS
Classification: Unclassified
Component: Portal
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-1-errata
Assigned To: Florian Best
QA Contact: UMC maintainers
Blocks: 40172
Reported: 2017-05-03 09:51 CEST by Ingo Steuwer
Modified: 2017-08-18 16:18 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Description Ingo Steuwer univentionstaff 2017-05-03 09:51:30 CEST
The UCR template for /etc/apache2/sites-available/univention-proxy.conf defines the FQDN for the server based on $hostname and $domainname. In many use cases both are valid only for an internal network (like "server.domain.local").

A typical scenario for the Univention Portal is to allow access to web based applications from the internet. This is typically done by a UCS system in a DMZ with external access by port forwardings or reverse proxies. As the univention-proxy.conf apache site redirects all requests to the internal FQDN external access is impossible.

Currently there is no way to configure the FQDN.
Comment 1 Florian Best univentionstaff 2017-05-03 10:40:50 CEST
Sounds like Bug #44124.
Comment 2 Florian Best univentionstaff 2017-05-03 11:33:48 CEST
Since Bug #44124 the FQDN of univention-proxy.conf is only(!) used for redirections when accessing paths of ucs-sso.$domainname which don't belong to simplesamlphp. This therefore affects only the login process but has nothing to do with the portal or regular UMC use.

I cannot reproduce any problems regarding this. I configured a reverse proxy as well as port forwarding via ssh (ssh -L 0.0.0.0:91:xen3:80 xen3 && firefox http://localhost:91/).
Comment 3 Alexander Kläser univentionstaff 2017-05-17 10:38:09 CEST
@Ingo, to me, this sounds like Bug 44371? But then the problem is not really related to the proxy, but more generic in its nature.
Comment 4 Ingo Steuwer univentionstaff 2017-05-17 11:02:25 CEST
(In reply to Alexander Kläser from comment #3)
> @Ingo, to me, this sounds like Bug 44371? But then the problem is not really
> related to the proxy, but more generic in its nature.

No, this is not about the links on the portal (I didn't even get to that point in my setup).

I have to re-test based on Florian's feedback, but I suspect a difference in the use case. A typical network has several internal servers and only one external IP. The external IP has to be used to expose several internally hosted services, typically based on a reverse proxy. Let's say we have three internal hosts:

* host A: webmail/groupware
* host B: SAML / SSO
* host C: Univention Portal, etherpad, dudle

So a reverse proxy needs to offer all these services, for example:

* /portal -> <Host C>/univention/portal
* /sso -> <Host B>/univention/login
* /dudle -> <Host C>/dudle
* ...

In my tests this failed, both for the portal itself and for SAML.
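The path mapping sketched in comment 4, written out as an Apache reverse-proxy vhost. This is an added example for this page, not configuration shipped by UCS or posted by the reporter. The public name portal.example.com, the internal host names hosta/hostb/hostc.domain.local, ucs-sso.domain.local and the certificate paths are assumptions; the three ProxyPass mappings are the ones listed in the comment.

```apache
# Added example (not from the bug report or from UCS). A dedicated external
# vhost on the DMZ reverse proxy. Assumed names: portal.example.com is the
# public hostname, hostb/hostc.domain.local and ucs-sso.domain.local are the
# internal UCS hosts from comment 4.
<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/portal.example.com.key

    # Speak TLS to the backends and verify their certificates against the
    # internal CA, so the DMZ hop does not silently downgrade to plaintext.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem

    # Forward proxying stays off; this vhost only proxies the mapped paths.
    ProxyRequests Off
    # Let the backends see their own FQDN in Host: so the redirects they
    # build are the internal URLs that ProxyPassReverse rewrites below.
    ProxyPreserveHost Off
    RequestHeader set X-Forwarded-Proto "https"

    # Path mapping from comment 4: public path -> internal host and path.
    ProxyPass        /portal https://hostc.domain.local/univention/portal
    ProxyPassReverse /portal https://hostc.domain.local/univention/portal

    ProxyPass        /sso    https://hostb.domain.local/univention/login
    ProxyPassReverse /sso    https://hostb.domain.local/univention/login
    # The SSO host may answer with a Location: header naming the
    # ucs-sso.$domainname alias (the redirect case from the description);
    # a second ProxyPassReverse rewrites that back to the public name too.
    ProxyPassReverse /sso    https://ucs-sso.domain.local/univention/login

    ProxyPass        /dudle  https://hostc.domain.local/dudle
    ProxyPassReverse /dudle  https://hostc.domain.local/dudle
</VirtualHost>
```

Two caveats a practitioner should keep in mind. ProxyPassReverse only rewrites the Location, Content-Location and URI response headers, so an internal FQDN that a backend sends in a redirect is fixed by this, but an internal FQDN embedded in HTML links (the separate problem raised in comment 3) is not. And, as comment 6 shows, if the proxy host is itself a UCS system that serves /univention/ locally, the proxied paths must live in their own vhost with a distinct ServerName, or Apache will serve a mix of the local portal and the proxied one.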
Comment 5 Florian Best univentionstaff 2017-06-16 13:00:34 CEST
@Ingo: We released the errata updates yesterday. Can you please check if this error still happens on your machine. If it does, let's have a look together.
Comment 6 Ingo Steuwer univentionstaff 2017-08-18 16:15:02 CEST
The main issue in my setup was the fact that I tried to use a UCS instance to be both the Apache reverse proxy for the portal running on an internal server and other UCS apps. Seems like Apache tried to deliver a mix of the local portal and the proxied one. So no issue related to the fixed address.
Comment 7 Florian Best univentionstaff 2017-08-18 16:18:01 CEST
Thanks!