Expose one function by HTTP


simv...@gmail.com

May 7, 2016, 3:00:40 AM
to privacyidea
Hello and good morning to all!
I have a small question to ask to you.
Well, I'm using privacyIDEA + Apache2, and the integration with the web server works well and is correct (SSLEngine, SSLCertificateFile, SSLCertificateKeyFile, etc.), with the ability to change other settings such as SSLProtocol, SSLCipherSuite, etc.
But I need to "expose" (only internally) the validation function (for example "/validate/check") over HTTP without SSL, for two or three reasons.
In my case:
- only "user/token" will transit here (no critical or sensitive data),
- the connection from the Application to privacyIDEA is in a LAN/VLAN (local area),
- in this case I can inspect packets (with an IPS) to detect and block any intrusion attempts (for example if my exposed application is compromised).
Is it possible, or do I need to start a second instance? (something like this:)

<VirtualHost *:80>

 ServerAdmin ..
 DocumentRoot ..
 ErrorLog ..
 CustomLog ..
 [..]
 WSGIScriptAlias /      /etc/privacyidea/privacyideaapp.wsgi
 WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
 WSGIProcessGroup privacyidea
 WSGIPassAuthorization On

</VirtualHost>

Thank you very much and have a nice weekend!

---
Sim

Cornelius Kölbel

May 7, 2016, 5:29:54 AM
to priva...@googlegroups.com
Hello Sim,

As SSL or no SSL is handled by Apache, there is no way to configure
this within privacyIDEA.

So yes, you need to start a VirtualHost on port 80.

You might configure Apache in such a way that it blocks/disallows access to

/token
/resolver
/...

on port 80.

What are you inspecting with your IPS?
These might be good ideas to improve privacyIDEA.

You may take a look at the policy auth_max_fail.
If more than a given number of failed authentication requests for a user
arrive within a time frame, a successful auth will also not be possible.
This is a basic way to avoid brute force.
http://privacyidea.readthedocs.io/en/latest/policies/authorization.html#auth-max-success

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
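As an added example (not from the thread or from the privacyIDEA project), here is one way to write the plain-HTTP VirtualHost that Cornelius describes: port 80 serves only /validate/check, and only to the application subnet, while /token, /resolver and every other path is denied. It assumes Apache 2.4 (Require directives), the WSGI script path shown in the question, a placeholder hostname and a placeholder application subnet (10.10.20.0/24).

```apache
# Added example, not from the thread or the privacyIDEA project.
# Plain-HTTP VirtualHost that exposes only /validate/check to an internal
# application subnet. Assumes Apache 2.4 and the WSGI paths from the question.
<VirtualHost *:80>
    # Placeholder hostname for the internal listener
    ServerName otp-internal.example.local
    ErrorLog  ${APACHE_LOG_DIR}/privacyidea-http-error.log
    CustomLog ${APACHE_LOG_DIR}/privacyidea-http-access.log combined

    WSGIScriptAlias /     /etc/privacyidea/privacyideaapp.wsgi
    # Daemon process group names are server-wide, so this one must differ
    # from the name used in the HTTPS VirtualHost.
    WSGIDaemonProcess privacyidea_http processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea_http
    WSGIPassAuthorization On

    # Default: nothing on port 80 is reachable (covers /token, /resolver, ...)
    <Location />
        Require all denied
    </Location>

    # Exception: the validation endpoint, and only from the application VLAN.
    # 10.10.20.0/24 is a placeholder; use your own application subnet.
    <Location /validate/check>
        Require ip 10.10.20.0/24
    </Location>
</VirtualHost>
```

The more specific `<Location /validate/check>` section replaces the `Require all denied` of `<Location />` (Apache 2.4 with the default `AuthMerging Off`), so everything except that one path returns 403 on port 80. Because WSGIDaemonProcess names must be unique across the server, the HTTPS VirtualHost keeps its own `privacyidea` group and this listener gets `privacyidea_http`; check the result with `apachectl configtest` before reloading, and confirm with a request to /token on port 80 that it is refused.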



simv...@gmail.com

May 9, 2016, 9:11:44 AM
to privacyidea
Hello Cornelius,
at this time my request was just to monitor/inspect connections from the Application server to the OTP server.

The problem could be Apache or its modules (in this case) and not privacyIDEA directly ;-)

The function "authorization.html#auth-max-success" is interesting...

Thank you

---
Sim