Expose one function by HTTP

Hello and good morning to all!
I have a small question to ask you.
Well, I’m using privacyIDEA + Apache2 and the functioning/integration with
the web server is good and correct (SSLEngine, SSLCertificateFile,
SSLCertificateKeyFile, etc…), with the ability to change other settings
such as SSLProtocol, SSLCipherSuite, etc…
But I need to “expose” (only internally) the validation function (for example
"/validate/check") over HTTP without SSL, for two or three reasons.
In my case:

  • only “user/token” will transit here (no critical or sensitive data),
  • the connection from the application to privacyIDEA is in a LAN/VLAN (local
    areas),
  • in this case I can inspect packets (with an IPS) to detect and block any
    intrusion attempts (for example if my exposed application is
    compromised).

Is it possible, or do I need to start a second instance? (Something like this:)

<VirtualHost *:80>

ServerAdmin …
DocumentRoot …
ErrorLog …
CustomLog …
[…]
WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
WSGIProcessGroup privacyidea
WSGIPassAuthorization On

</VirtualHost>

Thank you very much and have a nice weekend!

Sim

Hello Sim,

as SSL or no SSL is handled by Apache, there is no way to configure
this within privacyIDEA.

So yes, you need to start a VirtualHost on :80.

You might configure Apache in such a way that it blocks/disallows access to

/token
/resolver
/…

on port 80.

What are you inspecting with your IPS?
These might be good ideas to improve privacyIDEA.

You may take a look at the policy auth_max_fail.
If more than a given number of failed authentication requests for a user
arrive within a time frame, a successful auth will also not be possible.
This is a basic way to avoid brute force.
http://privacyidea.readthedocs.io/en/latest/policies/authorization.html#auth-max-success

Kind regards
Cornelius

On Saturday, 07.05.2016, 00:00 -0700, simvirus@gmail.com wrote:



Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT Security - Two-Factor Authentication - Encryption

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/b54699f4-f958-4076-979d-a53cae657ca7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

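An added example (not from the thread, and not privacyIDEA's shipped configuration) of the port-80 VirtualHost Cornelius describes: it keeps the WSGI directives Sim posted, denies every path by default and opens only /validate/check, restricted to the application servers' subnet. The ServerName, the log paths and the 10.20.30.0/24 range are placeholders; it assumes Apache 2.4 (mod_authz_core "Require") with the existing :443 VirtualHost still serving the full API.

```apache
# Added example, not the project's shipped config.
# The daemon process group is defined once at server scope so that both the
# existing :443 VirtualHost and this :80 VirtualHost can reference it with
# WSGIProcessGroup; mod_wsgi rejects a second WSGIDaemonProcess with the same
# name, and a group defined inside one VirtualHost is not usable from another.
WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea

<VirtualHost *:80>
    # Placeholders: adjust ServerName and log paths to the deployment.
    ServerName otp-internal.example.invalid
    ErrorLog  ${APACHE_LOG_DIR}/privacyidea_http_error.log
    CustomLog ${APACHE_LOG_DIR}/privacyidea_http_access.log combined

    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On

    # Default for plain HTTP: nothing is reachable, so /token, /resolver,
    # /auth and every other management endpoint answer 403 on this port.
    <Location "/">
        Require all denied
    </Location>

    # Open only the validation endpoint, and only to the application servers'
    # subnet (placeholder range). The later, more specific <Location> replaces
    # the "Require all denied" above for this path (AuthMerging Off, the default).
    <Location "/validate/check">
        Require ip 10.20.30.0/24
    </Location>
</VirtualHost>
```

After `apachectl configtest` and a reload, verify the split from an application host: a request to `http://<server>/validate/check` should reach privacyIDEA, while `http://<server>/token/` and `http://<server>/auth` should return 403 regardless of the credentials supplied, and the same requests from a host outside the placeholder subnet should be refused as well. The :80 access log then contains only validation traffic, which is what the IPS sitting on that VLAN is meant to inspect.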

Hello Cornelius,
at this time my request was just to monitor/inspect the connections from
the application server to the OTP server.

The problem could be Apache or its modules (in this case) and not directly
privacyIDEA :wink:

The function “authorization.html#auth-max-success” is interesting…

Thank you
Sim

On Saturday, May 7, 2016 at 11:29:54 AM UTC+2, Cornelius Kölbel wrote:
