albatorsk

Conditional 2FA behind reverse proxy

Hi,

I'm a happy home user of Passwordstate (PWS), and so far the experience has been very nice. I've exposed my PWS to the internet through the use of an Apache reverse proxy, and that works great. Before I did that, I of course made sure I had 2FA enabled for my user, as only using username and password seemed far too dangerous. This has worked perfectly, but I've been a bit annoyed by the fact that I needed to use 2FA even when I access my PWS from home.

So, reading a bit about it led me to the Administration -> System Settings -> allowed ip ranges -> Web Site Allowed IP Ranges setting, where I've added my internal network range, and set Authentication Option to Forms and Google Authenticator.

I've also made sure to specify my Apache reverse proxy IP in Administration -> System Settings -> proxy & syslog servers -> X-Forwarded-For Support.

My user account is set to use "Use the System Wide Authentication Settings" under Web Authentication Option.

The Apache reverse proxy is set up to use RemoteIPHeader X-Forwarded-For in the configuration for my PWS site. I can also see my real, remote client IP in the IIS logs after adding the X-Forwarded-For column to the logging options in IIS, so I know it gets through.

Signing in to PWS from home works fine, with just username and password now. However, signing in from remote still only requires username and password. I'd like remote sign in to require 2FA.

I'm sure I'm missing something, but I can't really see what.

Any help would be greatly appreciated. Thank you!

Hi Albatorsk,

It sounds like you've done everything correctly, so we're not sure what the issue could be at this stage.

If you go to the screen Administration -> Auditing, what IP Address is it recording when you do the authentication from outside your home network?

I assume you also are using forms-based authentication, and not AD Integrated? If so, do you see the 2FA screen after you perform the Username and Password authentication?

Finally, is it possible to exclude the use of your reverse proxy as a test, to see if this is somehow causing the issue?

Regards

Click Studios

Thank you so much for your help! After checking Auditing, I noticed that all requests seemed to be coming from the reverse proxy. So, I took another look at X-Forwarded-For Support under proxy & syslog servers. The mistake I had made was that I had supplied my default gateway IP there, and not my reverse proxy IP. I must have been tired when I set it up, as I didn't even notice it when I wrote the initial message. After changing it to the reverse proxy IP, it works perfectly! All client IPs are logged correctly, and 2FA is now required when signing in from outside of my network.

Best regards,

Albatorsk
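
The failure mode found in this thread, as an added example (not part of any post and not Passwordstate's own code): a minimal model that assumes the application only honours X-Forwarded-For when the connecting peer is a configured trusted proxy. All addresses, names and ranges are constructed for illustration.

```python
import ipaddress

# Constructed addresses for illustration (not taken from the thread).
ALLOWED_RANGES = [ipaddress.ip_network("192.168.1.0/24")]  # no-2FA range
GATEWAY = ipaddress.ip_address("192.168.1.1")
REVERSE_PROXY = ipaddress.ip_address("192.168.1.10")


def effective_client_ip(peer_ip, xff_header, trusted_proxies):
    """Address the application should treat as the client."""
    peer = ipaddress.ip_address(peer_ip)
    # The header is only believed when the TCP peer is a trusted proxy.
    if peer not in trusted_proxies or not xff_header:
        return peer
    # Walk right to left: the first hop that is not a trusted proxy is the
    # client. Entries further left were supplied by the client itself.
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if addr not in trusted_proxies:
            return addr
    return peer


def requires_2fa(peer_ip, xff_header, trusted_proxies):
    """True when the effective client is outside the allowed ranges."""
    client = effective_client_ip(peer_ip, xff_header, trusted_proxies)
    return not any(client in net for net in ALLOWED_RANGES)


if __name__ == "__main__":
    # Remote login arriving via the reverse proxy.
    peer, xff = "192.168.1.10", "203.0.113.45"
    print("gateway trusted (mistake):", requires_2fa(peer, xff, {GATEWAY}))
    print("proxy trusted (fixed):    ", requires_2fa(peer, xff, {REVERSE_PROXY}))
    # Client-supplied header value, with the proxy appending the real address.
    spoofed = "192.168.1.50, 203.0.113.45"
    print("spoofed leftmost entry:   ", requires_2fa(peer, spoofed, {REVERSE_PROXY}))
```

With the gateway listed as the trusted proxy, every remote login appears to come from the proxy's internal address and falls inside the no-2FA range, which is why the Auditing screen is the quickest place to spot the mistake.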
