Restrict privacyIDEA Endpoints to certain IP addresses

In certain cases you might not want to serve all endpoints to all IPs. E.g. you might only want to expose /validate/check or /ttype/push to the public.

With Apache2 you can achieve it like this:

    <Location />
            Order Allow,Deny
            Allow from 192.168.0.0/24
    </Location>

    <Location /validate/check>
            Order Allow,Deny
            Allow from all
    </Location>

    <Location /ttype/push>
            Order Allow,Deny
            Allow from all
    </Location>

Always stay secure!

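The following is an added example, not part of the original post: a small Python model of how Apache evaluates the three sections above, showing which paths stay public and why the catch-all `<Location />` has to come first in the file. It assumes the mod_access_compat behaviour of `Order Allow,Deny` with no `Deny` lines, and that a later matching `<Location>` replaces the access rules of an earlier one. The function names, the client addresses and the `/token/` path are constructed for illustration.

```python
import ipaddress

# "Allow from all" expressed as the two catch-all networks.
ALL = ["0.0.0.0/0", "::/0"]

# The three sections from the post, in file order: (location, allowed networks).
POSTED = [
    ("/", ["192.168.0.0/24"]),
    ("/validate/check", ALL),
    ("/ttype/push", ALL),
]

OUTSIDE = "203.0.113.7"   # constructed sample client (documentation range)
INSIDE = "192.168.0.15"   # constructed sample client inside the allowed network


def location_matches(location, path):
    """<Location> matches the exact path or a prefix ending at a '/' boundary."""
    if location.endswith("/"):
        return path.startswith(location)
    return path == location or path.startswith(location + "/")


def is_allowed(sections, path, client_ip):
    """Order Allow,Deny without Deny lines: allowed only if an Allow matches.

    Every matching section is applied in file order, and the access rules of
    a later match replace those of an earlier one (assumption stated above).
    """
    networks = None
    for location, allowed in sections:
        if location_matches(location, path):
            networks = allowed
    if networks is None:
        return True  # no section applies, so nothing restricts the request
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in networks)


if __name__ == "__main__":
    for path in ["/validate/check", "/validate/checkfoo", "/ttype/push/", "/token/"]:
        print(path, is_allowed(POSTED, path, OUTSIDE), is_allowed(POSTED, path, INSIDE))
    # With the catch-all section moved to the end, it wins for every path.
    misordered = POSTED[1:] + POSTED[:1]
    print("misordered:", is_allowed(misordered, "/validate/check", OUTSIDE))
```
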

Hello Conelinux,

Where do I put this in the config file in the default installation of PI?

…whatever default is.
You need to put it into your Apache site config file, which is located under /etc/apache2/sites-enabled — at least on Debian-based systems.
On RHEL-based systems it is somewhere under /etc/httpd/…

Thanks for this post, this is really useful.
I’m working on my first privacyIDEA setup and have a lot to learn. This post was answering some of my needs.