Hello Sim,
As SSL (or no SSL) is handled by Apache, there is nothing to configure
within privacyIDEA.
So yes, you need to start a VirtualHost on port 80.
You might configure Apache so that it blocks/disallows access to
/token
/resolver
/…
on port 80.
What are you inspecting with your IPS?
These might be good ideas to improve privacyIDEA.
You may take a look at the policy auth_max_fail.
If more than a given number of failed authentication requests for a user
arrive within a time frame, even a successful auth will not be possible.
This is a basic way to avoid brute force.
http://privacyidea.readthedocs.io/en/latest/policies/authorization.html#auth-max-success
Kind regards
Cornelius

On Saturday, 07.05.2016, 00:00 -0700, simvirus@gmail.com wrote:
Hello and good morning to all!
I have a small question to ask to you.
Well, I’m using privacyIDEA + Apache2 and the functioning/integration
with the web server is good and correct (SSLEngine,
SSLCertificateFile, SSLCertificateKeyFile, etc…), with the possibility
of changing other settings such as SSLProtocol, SSLCipherSuite, etc…
But I need to “expose” (only internally) the validation function
(for example “/validate/check”) over HTTP without SSL, for two or three reasons.
In my case:
- here will transit only “user/token” (no critical or sensitive
data),
- the connection from Application to privacyIDEA is in LAN/VLAN (local
areas),
- in this case I can inspect packets (with an IPS) to detect and block
any intrusion attempts (for example if my exposed application gets
compromised).
Is it possible, or do I need to start a second instance? (something like
this:)
<VirtualHost *:80>
    ServerAdmin …
    DocumentRoot …
    ErrorLog …
    CustomLog …
    […]
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea
    WSGIPassAuthorization On
Thank you very much and have a nice weekend!
Sim
–
Please read the blog post about getting help
Getting help – privacyID3A.
For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung
In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/b54699f4-f958-4076-979d-a53cae657ca7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
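As an added illustration of the approach Cornelius sketches above (a plain-HTTP VirtualHost that only exposes /validate/check and blocks /token, /resolver and everything else), here is one way to write the port-80 host for Apache 2.4. This is example configuration written for this thread, not configuration shipped by privacyIDEA or posted by either participant; the hostname, the 10.10.20.0/24 application VLAN and the log paths are placeholders, and the mod_wsgi directives are taken from Sim's own snippet.

```apache
# Plain-HTTP listener for internal validation only.  Assumes Apache 2.4
# (Require/AuthMerging syntax) and that the existing *:443 host keeps
# serving the full API, including the web UI and /token, /resolver etc.
<VirtualHost *:80>
    ServerName privacyidea.internal.example   # placeholder hostname
    ServerAdmin webmaster@internal.example    # placeholder
    DocumentRoot /var/www/html
    ErrorLog  ${APACHE_LOG_DIR}/privacyidea-http_error.log
    CustomLog ${APACHE_LOG_DIR}/privacyidea-http_access.log combined

    # Same WSGI application as the SSL host, but a separate daemon group:
    # WSGIDaemonProcess names must be unique server-wide, so "privacyidea"
    # cannot be reused if the *:443 host already defines it.
    WSGIScriptAlias / /etc/privacyidea/privacyideaapp.wsgi
    WSGIDaemonProcess privacyidea-http processes=1 threads=15 display-name=%{GROUP} user=privacyidea
    WSGIProcessGroup privacyidea-http
    WSGIPassAuthorization On

    # Default-deny: nothing on the plaintext listener is reachable unless a
    # more specific <Location> below re-opens it.  With the default
    # "AuthMerging Off" the later section replaces this Require set entirely.
    <Location "/">
        Require all denied
    </Location>

    # Re-open only the validation endpoint, and only for the application
    # network (placeholder VLAN range).  /token, /resolver, /auth, /system,
    # /policy and the UI stay denied here and are served over HTTPS only.
    <Location "/validate/check">
        Require ip 10.10.20.0/24
    </Location>
</VirtualHost>
```

Check the result with `apachectl configtest` and then, from a host outside the allowed range, confirm that GET /token on port 80 returns 403 while POST /validate/check from the application VLAN still works. Keep the auth_max_fail policy Cornelius mentions in place as well: the Location rules limit which endpoints the plaintext listener exposes, while the policy limits how fast a compromised client on the VLAN can guess PINs/OTPs against the endpoint that remains open.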