Expose one function by HTTP

10 views


07.05.2016, 03:00:40
to privacyidea
Hello and good morning to all!
I have a small question to ask you.
Well, I'm using privacyIDEA + Apache2, and the functioning/integration with the web server is good and correct (SSLEngine, SSLCertificateFile, SSLCertificateKeyFile, etc.), with the ability to change other settings such as SSLProtocol, SSLCipherSuite, etc.
But I need to "expose" (only internally) the validation function (for example "/validate/check") over HTTP without SSL, for two or three reasons.
In my case:
- only "user/token" will transit here (no critical or sensitive data),
- the connection from the Application to privacyIDEA is in a LAN/VLAN (local areas),
- in this case I can inspect packets (with an IPS) to detect and block any intrusion attempts (for example if my exposed application gets compromised).
Is it possible, or do I need to start a second instance? (something like this:)

<VirtualHost *:80>

 ServerAdmin ..
 DocumentRoot ..
 ErrorLog ..
 CustomLog ..
 WSGIScriptAlias /      /etc/privacyidea/privacyideaapp.wsgi
 WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
 WSGIProcessGroup privacyidea
 WSGIPassAuthorization On

</VirtualHost>


Thank you very much and have a nice weekend!


Cornelius Kölbel

07.05.2016, 05:29:54
to priva...@googlegroups.com
Hello Sim,

as SSL or not SSL is handled by Apache, there is no way to configure
something within privacyIDEA.

So yes, you need to start a VirtualHost on :80.

You might configure Apache in a way that blocks/disallows accessing


on port 80.

What are you inspecting with your IPS?
These might be good ideas to improve privacyIDEA.

You may take a look at the policy auth_max_fail.
If more than a given number of failed authentication requests for a user
arrive within a time frame, even a successful auth will not be possible.
This is a basic way to avoid brute force.

Kind regards

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
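One way to put the advice above into an Apache configuration: a second, plain-HTTP VirtualHost on port 80 that serves the same privacyIDEA WSGI application but denies every path except /validate/check, and accepts even that only from the application network. This is an added example, not configuration from the thread or from the privacyIDEA project; the ServerName, the log file names, the daemon process group name privacyidea_http and the subnet 10.20.30.0/24 are assumptions for illustration, and the syntax is Apache 2.4 (Require directives).

```apache
# Added example (not from the original thread or the privacyIDEA project).
# Plain-HTTP VirtualHost that exposes ONLY /validate/check, and only to the
# application VLAN. ServerName, log names, the process group name and the
# subnet 10.20.30.0/24 are assumptions; adjust them to your environment.
<VirtualHost *:80>
    ServerName pi-internal.example.lan
    ErrorLog  ${APACHE_LOG_DIR}/privacyidea-http-error.log
    CustomLog ${APACHE_LOG_DIR}/privacyidea-http-access.log combined

    # Same WSGI script as the HTTPS vhost. The daemon process group name
    # must be unique per server, so it cannot reuse the HTTPS vhost's
    # "privacyidea" group; a separate group also keeps the plain-HTTP
    # workers isolated from the HTTPS ones.
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIDaemonProcess privacyidea_http processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea_http
    WSGIPassAuthorization On

    # Default for this vhost: deny every path on port 80 ...
    <Location />
        Require all denied
    </Location>

    # ... except the validation endpoint. Location sections merge in the
    # order they appear, so this more specific block overrides the deny
    # above for /validate/check only, and only for the application subnet.
    <Location /validate/check>
        Require ip 10.20.30.0/24
    </Location>
</VirtualHost>
```

Reload Apache and check both directions from a host inside the subnet: a POST to http://pi-internal.example.lan/validate/check with user and pass should reach privacyIDEA, while GET requests to /auth, /token/ or the web UI on port 80 must return 403 without ever hitting the application. Note that the pass parameter of /validate/check carries the user's PIN plus OTP in clear text on this vhost, which is why the Require ip restriction, rather than the deny-by-default alone, is doing the real work here.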



09.05.2016, 09:11:44
to privacyidea
Hello Cornelius,
at this time my request was just to monitor/inspect connections from the Application server to the OTP server.

The problem could be Apache or its modules (in this case) and not directly privacyIDEA ;-)

The function "authorization.html#auth-max-success" is interesting...

Thank you
