Jump to content

Conditional 2FA behind reverse proxy


albatorsk

Recommended Posts

Hi,

 

I'm a happy home user of Passwordstate (PWS), and so far the experience has been very nice. I've exposed my PWS to the internet through the use of an Apache reverse proxy, and that works great. Before I did that, I of course made sure I had 2FA enabled for my user, as only using username and password seemed far too dangerous. This has worked perfectly, but, I've been a bit annoyed by the fact that I needed to use 2FA even when I access my PWS from home.

 

So, reading a bit about it lead me to the Administration -> System Settings -> allowed ip ranges -> Web Site Allowed IP Ranges setting, where I've added my internal network range, and set Authentication Option to Forms and Google Authenticator

I've also made sure to specify my Apache reverse proxy IP in Administration -> System Settings -> proxy & syslog servers -> X-Forwarded-For Support.

My user account is set to use Use the System Wide Authentication Settings under Web Authentication Option.

 

The Apache reverse proxy is set up to use RemoteIPHeader X-Forwarded-For in the configuration for my PWS site. I can also see my real, remote client IP in the IIS logs after adding the X-Forwarded-For column to the logging options in IIS, so I know it gets through.

 

Signing in to PWS from home works fine, with just username and password now. However, signing in from remote still only requires username and password. I'd like remote sign in to require 2FA.

 

I'm sure I'm missing something, but I can't really see what.

 

Any help would be greatly appreciated. Thank you!

Link to comment
Share on other sites

Hi Albatorsk,

It sounds like you've done everything correctly, so we're not sure what the issue could be at this stage.

 

If you go to the screen Administration -> Auditing, what IP Address is it recording when you do the authentication from outside your home network?

I assume you also are using forms-based authentication, and not AD Integrated? If so, do you see the 2FA screen after you perform the Username and Password authentication?

Finally, is it possible to exclude the use of your reverse proxy as a test, to see if this is somehow causing the issue?

Regards

Click Studios

Link to comment
Share on other sites

Thank you so much for your help! After checking Auditing, I noticed that all requests seemed to be coming from the reverse proxy. So, I took another look at X-Forwarded-For Support under proxy & syslog servers. The mistake I had made was that I had supplied my default gateway IP there, and not my reverse proxy IP. I must have been tired when I set it up, as I didn't even notice it when I wrote the initial message. After changing it to the reverse proxy IP, it works perfectly! All client IPs are logged correctly, and 2FA is now required when signing in from outside of my network.

 

Best regards,

Albatorsk

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...