Hello Sim,
As SSL or non-SSL is handled by Apache, there is no way to configure
something within privacyIDEA.
So yes, you need to start a VirtualHost on port 80.
You might configure Apache in such a way that it blocks/disallows access to
  /token
  /resolver
  /…
on port 80.
What are you inspecting with your IPS?
These might be good ideas to improve privacyIDEA.
You may take a look at the policy auth_max_fail.
If more than a given number of failed authentication requests for a user
arrive within a time frame, a successful auth will also not be possible.
This is a basic way to avoid brute force.
http://privacyidea.readthedocs.io/en/latest/policies/authorization.html#auth-max-success
Kind regards
Cornelius

On Saturday, 07.05.2016, 00:00 -0700, simvirus@gmail.com wrote:
Hello and good morning to all!
I have a small question to ask to you.
Well, I’m using privacyIDEA + Apache2 and the functioning/integration
with the web server is good and correct (SSLEngine,
SSLCertificateFile, SSLCertificateKeyFile, etc.), with the ability
to change other settings such as SSLProtocol, SSLCipherSuite, etc.
But I need to “expose” (only internally) the validation function
(for example “/validate/check”) over HTTP without SSL for two/three reasons.
In my case:
- only “user/token” will transit here (no critical or sensitive
data),
- the connection from the application to privacyIDEA is in a LAN/VLAN (local
areas),
- in this case I can inspect packets (with an IPS) to detect and block
any intrusion attempts (for example if my exposed application is
compromised).
Is it possible, or do I need to start a second instance? (something like
this:)
<VirtualHost *:80>
    ServerAdmin …
    DocumentRoot …
    ErrorLog …
    CustomLog …
    […]
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
</VirtualHost>
Thank you very much and have a nice weekend!
Sim
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
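The following is an added example (not part of the thread above, and not privacyIDEA's own configuration) of the approach Cornelius describes: a second, plain-HTTP VirtualHost that denies every privacyIDEA endpoint by default and allows only /validate/check, restricted to the application network. Hostname, log paths, the daemon process name and the 10.0.10.0/24 subnet are assumptions chosen for illustration; replace them with your own values. Because the OTP value and PIN in a /validate/check request travel in the clear on this listener, the source-network restriction and the IPS inspection Sim mentions are what limit the exposure.

```apache
# Added example: cleartext listener that exposes only /validate/check.
# Assumes Apache 2.4 (Require syntax) and mod_wsgi, as in Sim's fragment.
<VirtualHost *:80>
    # Hypothetical internal hostname; adjust to your environment.
    ServerName privacyidea.internal.example
    ServerAdmin admin@example.invalid
    # Placeholder log paths; a separate log makes the HTTP traffic easy to audit.
    ErrorLog  /var/log/apache2/privacyidea-http-error.log
    CustomLog /var/log/apache2/privacyidea-http-access.log combined

    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    # mod_wsgi daemon process names must be unique server-wide, so this
    # listener uses "privacyidea-http" rather than reusing the :443 group name.
    WSGIDaemonProcess privacyidea-http processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea-http
    WSGIPassAuthorization On

    # Default: deny every path on the cleartext port (/token, /resolver, /auth, ...).
    <Location "/">
        Require all denied
    </Location>

    # Exception: the validation endpoint, reachable only from the application VLAN.
    # Location sections are merged in configuration order, so this more specific
    # section must come after the catch-all above to take precedence.
    <Location "/validate/check">
        Require ip 10.0.10.0/24
    </Location>
</VirtualHost>
```

After adding the VirtualHost, run `apachectl configtest` and confirm from a host outside 10.0.10.0/24 that a GET of /token on port 80 returns 403 while /validate/check from an allowed host reaches privacyIDEA. Keep the existing :443 VirtualHost unchanged for the administrative API.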