How to configure Self Service and MFA Admin to allow internal network access only
This document is written for PhenixID Server.
The reader should have some basic knowledge about PhenixID Server.
This document describes how to configure PhenixID Server, exposed to the internet, to allow Self Service and MFA Admin access from an internal network only.
Prerequisites
- Self Service and/or MFA Admin configured with custom listener (http / 8080)
- Reverse proxy, such as Apache httpd, sits in front of PhenixID Server. See this document for details. The reverse proxy must be configured with the proxy rules specified in this document.
- OneTouch configured with custom listener (http / 8080) and an external URL pointing to https://<reverse_proxy>. For details, read this document.
Proxy rules
Change the proxy rules following the steps below. Change the backend IP to suit your environment.
Self service
Remove the /selfservice rules (shown commented out below).
#ProxyPass /selfservice/ http://127.0.0.1:8080/selfservice/
#ProxyPassReverse /selfservice/ http://127.0.0.1:8080/selfservice/
Add these rules.
#Only needed if OneTouch is used
ProxyPass /selfservice/selfservice/pki/provision http://127.0.0.1:8080/selfservice/selfservice/pki/provision
ProxyPassReverse /selfservice/selfservice/pki/provision http://127.0.0.1:8080/selfservice/selfservice/pki/provision
#Only needed if Pocket Pass is used
ProxyPass /selfservice/selfservice/provision/otpauth http://127.0.0.1:8080/selfservice/selfservice/provision/otpauth
ProxyPassReverse /selfservice/selfservice/provision/otpauth http://127.0.0.1:8080/selfservice/selfservice/provision/otpauth
MFA Admin
Remove the /mfaadmin rules (shown commented out below).
#ProxyPass /mfaadmin/ http://127.0.0.1:8080/mfaadmin/
#ProxyPassReverse /mfaadmin/ http://127.0.0.1:8080/mfaadmin/
Add these rules.
#Only needed if OneTouch is used
ProxyPass /mfaadmin/otpadmin/onetouch/provision http://127.0.0.1:8080/mfaadmin/otpadmin/onetouch/provision
ProxyPassReverse /mfaadmin/otpadmin/onetouch/provision http://127.0.0.1:8080/mfaadmin/otpadmin/onetouch/provision
#Only needed if Pocket Pass is used
ProxyPass /mfaadmin/otpadmin/provision/otpauth http://127.0.0.1:8080/mfaadmin/otpadmin/provision/otpauth
ProxyPassReverse /mfaadmin/otpadmin/provision/otpauth http://127.0.0.1:8080/mfaadmin/otpadmin/provision/otpauth
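As an added check, not part of PhenixID's documentation, the following Python script audits an Apache proxy configuration against the rules above: it flags a blanket /selfservice/ or /mfaadmin/ rule that is still active, any forwarded path outside the provisioning endpoints listed on this page, and any ProxyPass without its matching ProxyPassReverse. The BEFORE and AFTER configuration strings are constructed samples.

```python
import re

# Allowlist built from the rules on this page: only these provisioning
# endpoints may be forwarded by the reverse proxy.
ALLOWED_PATHS = {
    "/selfservice/selfservice/pki/provision",
    "/selfservice/selfservice/provision/otpauth",
    "/mfaadmin/otpadmin/onetouch/provision",
    "/mfaadmin/otpadmin/provision/otpauth",
}
# Application roots that must not be forwarded at all.
BLANKET_ROOTS = {"/selfservice", "/mfaadmin"}

RULE_RE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)")

def parse_rules(config_text):
    """Return (directive, path, backend) triples; commented-out lines never match."""
    matches = (RULE_RE.match(line) for line in config_text.splitlines())
    return [m.groups() for m in matches if m]

def audit(config_text):
    """Return findings as strings; an empty list means the config matches the page's intent."""
    rules = parse_rules(config_text)
    passes = {path for directive, path, _ in rules if directive == "ProxyPass"}
    reverses = {path for directive, path, _ in rules if directive == "ProxyPassReverse"}
    findings = []
    for path in sorted(passes):
        if path.rstrip("/") in BLANKET_ROOTS:
            findings.append(f"blanket rule still active: {path}")
        elif path not in ALLOWED_PATHS:
            findings.append(f"path outside the provisioning allowlist: {path}")
        if path not in reverses:
            findings.append(f"ProxyPass without matching ProxyPassReverse: {path}")
    for path in sorted(reverses - passes):
        findings.append(f"ProxyPassReverse without matching ProxyPass: {path}")
    return findings

# Constructed sample: the original blanket rule is still active.
BEFORE = """\
ProxyPass /selfservice/ http://127.0.0.1:8080/selfservice/
ProxyPassReverse /selfservice/ http://127.0.0.1:8080/selfservice/
"""
# Constructed sample: blanket rule commented out, OneTouch provisioning rule added.
AFTER = """\
#ProxyPass /selfservice/ http://127.0.0.1:8080/selfservice/
#ProxyPassReverse /selfservice/ http://127.0.0.1:8080/selfservice/
ProxyPass /selfservice/selfservice/pki/provision http://127.0.0.1:8080/selfservice/selfservice/pki/provision
ProxyPassReverse /selfservice/selfservice/pki/provision http://127.0.0.1:8080/selfservice/selfservice/pki/provision
"""
```

The provisioning paths in the allowlist stay reachable from the internet by design, since OneTouch and Pocket Pass activation goes through them; the audit only confirms that nothing beyond them is forwarded.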
Test
Self service
1. From a client on the internal network, browse to http://<phenixid_server>:8080/selfservice
2. Authenticate
3. Activate OneTouch
4. Activate Pocket Pass
1. From a client on an external network, try to browse to https://<reverse_proxy>/selfservice/
2. The proxy should not allow access to the URL.
MFA Admin
Perform the same tests as for Self Service, changing the URI to /mfaadmin/.