How to configure Self Service and MFA Admin to allow internal network access only

This document is written for PhenixID Server.

The reader should have some basic knowledge about PhenixID Server.

This document describes how to configure PhenixID Server, exposed to the internet, to allow Self Service and MFA Admin access from an internal network only.

Prerequisites

- Self Service and/or MFA Admin configured with custom listener (http / 8080)

- Reverse proxy, such as Apache http, sits in front of PhenixID Server. See this document for details. Reverse proxy must be configured with proxy rules specified in this document.

- OneTouch configured with custom listener (http / 8080) and an external URL set to https://<reverse_proxy>. For details, read this document.

Proxy rules

Change the proxy rules following the steps below. Change the backend IP address to suit your environment.

Self service

Remove the /selfservice rule

#ProxyPass /selfservice/ http://127.0.0.1:8080/selfservice/
#ProxyPassReverse /selfservice/ http://127.0.0.1:8080/selfservice/

Add these rules.

  #Only needed if OneTouch is used
  ProxyPass /selfservice/selfservice/pki/provision http://127.0.0.1:8080/selfservice/selfservice/pki/provision
  ProxyPassReverse /selfservice/selfservice/pki/provision http://127.0.0.1:8080/selfservice/selfservice/pki/provision
  #Only needed if Pocket Pass is used
  ProxyPass /selfservice/selfservice/provision/otpauth http://127.0.0.1:8080/selfservice/selfservice/provision/otpauth
  ProxyPassReverse /selfservice/selfservice/provision/otpauth http://127.0.0.1:8080/selfservice/selfservice/provision/otpauth

MFA Admin

Remove the /mfaadmin rule

#ProxyPass /mfaadmin/ http://127.0.0.1:8080/selfservice/
#ProxyPassReverse /mfaadmin/ http://127.0.0.1:8080/selfservice/

Add these rules.

  #Only needed if OneTouch is used
  ProxyPass /mfaadmin/otpadmin/onetouch/provision http://127.0.0.1:8080/mfaadmin/otpadmin/onetouch/provision
  ProxyPassReverse /mfaadmin/otpadmin/onetouch/provision http://127.0.0.1:8080/mfaadmin/otpadmin/onetouch/provision
  #Only needed if Pocket Pass is used
  ProxyPass /mfaadmin/otpadmin/provision/otpauth http://127.0.0.1:8080/mfaadmin/otpadmin/provision/otpauth
  ProxyPassReverse /mfaadmin/otpadmin/provision/otpauth http://127.0.0.1:8080/mfaadmin/otpadmin/provision/otpauth
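The outcome of the rule changes above is that only the four provisioning endpoints stay reachable through the reverse proxy, while the broad /selfservice/ and /mfaadmin/ rules are gone. The following script is an added example (not PhenixID's code) that lints an Apache config for any active ProxyPass under those prefixes that is not one of the allowed provisioning paths; the embedded config is a constructed sample with one catch-all rule left active on purpose.

```python
import re

# Paths the article keeps reachable through the reverse proxy.
ALLOWED_EXTERNAL_PATHS = {
    "/selfservice/selfservice/pki/provision",
    "/selfservice/selfservice/provision/otpauth",
    "/mfaadmin/otpadmin/onetouch/provision",
    "/mfaadmin/otpadmin/provision/otpauth",
}

# Prefixes that must not be proxied as a whole (the rules the article removes).
INTERNAL_ONLY_PREFIXES = ("/selfservice/", "/mfaadmin/")

DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)")


def parse_proxy_rules(config_text):
    """Return (directive, path, backend) for every active (uncommented) proxy rule."""
    rules = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):  # commented-out rules are inactive
            continue
        match = DIRECTIVE.match(line)
        if match:
            rules.append(match.groups())
    return rules


def find_exposed_paths(config_text):
    """Return proxied paths that would expose Self Service or MFA Admin externally."""
    exposed = set()
    for _directive, path, _backend in parse_proxy_rules(config_text):
        if path.startswith(INTERNAL_ONLY_PREFIXES) and path not in ALLOWED_EXTERNAL_PATHS:
            exposed.add(path)
    return sorted(exposed)


# Constructed sample config: Self Service done correctly, MFA Admin catch-all still active.
SAMPLE_CONFIG = """
#ProxyPass /selfservice/ http://127.0.0.1:8080/selfservice/
ProxyPass /selfservice/selfservice/pki/provision http://127.0.0.1:8080/selfservice/selfservice/pki/provision
ProxyPassReverse /selfservice/selfservice/pki/provision http://127.0.0.1:8080/selfservice/selfservice/pki/provision
ProxyPass /mfaadmin/ http://127.0.0.1:8080/mfaadmin/
ProxyPass /mfaadmin/otpadmin/provision/otpauth http://127.0.0.1:8080/mfaadmin/otpadmin/provision/otpauth
"""

if __name__ == "__main__":
    for path in find_exposed_paths(SAMPLE_CONFIG):
        print("still exposed through the proxy:", path)  # prints /mfaadmin/
```

Run it against the real httpd config by reading the file into find_exposed_paths; an empty result means only the provisioning endpoints are proxied.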

Test

Self service

1. From a client on the internal network, browse to http://<phenixid_server>:8080/selfservice

2. Authenticate

3. Activate OneTouch

4. Activate Pocket Pass

1. From a client on an external network, try to browse to https://<reverse_proxy>/selfservice/

2. Proxy should not allow access to the URL.

MFA Admin

Perform the same tests as for Self Service, but change the URI to /mfaadmin/.