Install PrivacyIDEA in a sub location aka domain.com/privacyidea/ reverse proxy

I would like to use PrivacyIDEA on a domain that I already use, but that has nginx installed.

Aka instead of installing PI in
https://domain.com/

I would like to have it in:
https://domain.com/privacyidea

Unfortunately the PI UI parts all point to /, so just reverse proxying it does not work.

How can I set the privacyIDEA site URL in the configuration so I can reverse proxy?

This should not be correct. The UI recognizes if it is called from a subpath, at least with Apache2 and mod_wsgi: see "2.7. The WSGI Script" in the privacyIDEA 3.8 documentation.

I am not sure if it will work the same with Nginx and uWSGI. I am afraid that uWSGI does not recognize which subpath in Nginx was called. So if this is true, it would indeed not work with Nginx.

Okay, I was using an nginx http proxy. I will move it over to apache and wsgi then.

Thanks for pointing out the correct docs.

Sorry to revive an old thread, but I’ve been trying to set up privacyIDEA under Nginx with a subpath as it’s my main web server stack and I’m trying to put it on the same domain as my Keycloak instance. I seem to be pretty close to it working under the subpath, but the current issue is that the client is making requests which contain a double slash after the subpath. For example, the web UI is issuing a request to https://example.com/mfa//resolver/deflocal when accepting the setup prompt to create a realm. This request fails because of the double slashes, but I can’t figure out why they’re being added.

My current Nginx config, which is pretty close to working:

    location /mfa {
        uwsgi_pass      unix:/run/privacyidea.sock;
        include         uwsgi_params;
        uwsgi_param     UWSGI_SCHEME $scheme;
        uwsgi_param     SERVER_SOFTWARE nginx/$nginx_version;
#        uwsgi_param     SCRIPT_NAME mfa;
    }

The SCRIPT_NAME param seems to have no influence on whether the interface works for some reason, hence why it’s commented out, and I’ve tried setting it to /mfa and /mfa/ as well. Similarly, I’ve tried changing the Nginx location block to /mfa/, but with no change.

I’m not too familiar with uWSGI but this is what my configuration is currently. I’ve commented out a couple other things I’ve tried without success:

    [uwsgi]
    master = true
    cheap = true
    idle = 600
    die-on-idle = true
    processes = 8
    harakiri = 3600
    reload-mercy = 8
    max-request = 2000
    limit-as = 512
    reload-on-as = 256
    reload-on-rss = 192
    no-orphans = true
    plugins = python3,logfile
    vacuum = true
    virtualenv = /opt/privacyidea/
    #route-run = fixpathinfo:
    #wsgi-file = /opt/privacyidea/privacyideaapp.wsgi
    mount = /mfa=/opt/privacyidea/privacyideaapp.wsgi
    logger = file:/opt/privacyidea/uwsgi/error.log
    req-logger = file:/opt/privacyidea/uwsgi/request.log
    manage-script-name = true
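
For reference, an added example (not part of the posts above and not privacyIDEA code) of how a WSGI server that manages the script name for a mount point splits a request path into SCRIPT_NAME and PATH_INFO, and how joining a prefix that ends in a slash with a route that starts with one yields a double slash. The function names are hypothetical and the request paths are constructed from the URLs in the post; it illustrates the WSGI semantics only and does not establish the cause of the issue described.

```python
# Added example: WSGI SCRIPT_NAME / PATH_INFO handling for an app mounted under /mfa.
from wsgiref.util import setup_testing_defaults

MOUNT = "/mfa"  # mount point taken from the uWSGI config in the post


def split_mount(path, mount=MOUNT):
    """Split a request path into (SCRIPT_NAME, PATH_INFO) for a mounted app.

    Returns None when the path is outside the mount point.
    """
    if path == mount or path.startswith(mount + "/"):
        return mount, path[len(mount):]
    return None


def naive_url(script_name, route):
    """Plain concatenation: a trailing slash in script_name doubles the slash."""
    return script_name + route


def safe_url(script_name, route):
    """Join with exactly one slash between the prefix and the route."""
    return script_name.rstrip("/") + "/" + route.lstrip("/")


def echo_app(environ, start_response):
    """Diagnostic WSGI app: report the path variables the server handed over."""
    body = "SCRIPT_NAME={!r}\nPATH_INFO={!r}\n".format(
        environ.get("SCRIPT_NAME", ""), environ.get("PATH_INFO", ""))
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]


def probe(path):
    """Run echo_app on a constructed request for `path`; return the body text."""
    environ = {}
    setup_testing_defaults(environ)
    environ["SCRIPT_NAME"], environ["PATH_INFO"] = split_mount(path)
    return b"".join(echo_app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    print(probe("/mfa/resolver/deflocal"))
    print(probe("/mfa//resolver/deflocal"))  # the failing request from the post
    print(naive_url("/mfa/", "/resolver/deflocal"))
    print(safe_url("/mfa/", "/resolver/deflocal"))
```

Served as the mounted WSGI callable in a test setup, `echo_app` shows which SCRIPT_NAME and PATH_INFO values actually reach the application behind the proxy.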