DUO MFA behind a forwarding proxy

Hello,

We have an installation of Passbolt CE, and we are trying to use DUO MFA. After saving the configuration we get the error:
An internal error ocured. The server response could not be parsed.
The request to connect to DUO is going straight to the firewall, which blocks the communication. We need this request to go through a forwarding proxy. How can we implement this?

Thanks for your time reading this.

Hello @nikmag, welcome to our community :wink:

Depending on your installation, could you try to update /var/www/passbolt/config/passbolt.php if it is a from-source installation; otherwise that’d be /etc/passbolt/passbolt.php

Inside the passbolt array, you will need to implement security.proxies.trustedProxies:

'passbolt' => [
    [...]
    'security' => [
        'proxies' => [
            'active' => true,
            'trustedProxies' => ['YOUR_PROXY_IP_WITHOUT_PORT']
        ],
    ],
    [...]
]

Let us know if that works.

Thank you very much for your reply,
The forwarding proxy is listening on port 80. No need to designate this somewhere?

As I can see from CakePHP Request & Response Objects, not specifying the port should be okay!

I included it at the end of /etc/passbolt/passbolt.php but I get the same error

        ],
    ],
    'registration' => [
        'public' => false,
    ],
    'ssl' => [
        'force' => true,
    ]
],
    'security' => [
      'proxies' => [
           'active' => true,
           'trustedProxies' => ['xx.xx.xx.xx']
           ],
    ],

];

If the indentation is correct, it looks like security is not inside the passbolt array. Can you ensure that it is correctly inside passbolt?
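
The nesting check suggested above can be automated. The following is an added example, not code from Passbolt or from any poster in this thread: a PHP function (the name `checkProxyConfig` is hypothetical) that reports whether `security.proxies` sits inside the `passbolt` array and whether each `trustedProxies` entry is a bare IP without a port. The sample arrays and the address 192.0.2.10 are constructed.

```php
<?php
// Added example: checks where 'security.proxies' sits in a Passbolt-style
// config array. The sample arrays at the bottom are constructed.

// Returns a list of problems found in the proxy section of a config array
// shaped like the one returned by passbolt.php.
function checkProxyConfig(array $config): array
{
    $problems = [];
    // The mistake from the thread: 'security' as a sibling of 'passbolt'.
    if (isset($config['security']['proxies'])) {
        $problems[] = "'security.proxies' is at the top level, not inside 'passbolt'";
    }

    $proxies = $config['passbolt']['security']['proxies'] ?? null;
    if (!is_array($proxies)) {
        $problems[] = "'passbolt.security.proxies' is missing";
        return $problems;
    }
    if (($proxies['active'] ?? false) !== true) {
        $problems[] = "'passbolt.security.proxies.active' is not true";
    }
    $trusted = $proxies['trustedProxies'] ?? [];
    if (!is_array($trusted) || $trusted === []) {
        $problems[] = "'trustedProxies' must be a non-empty array";
        return $problems;
    }
    foreach ($trusted as $entry) {
        // Entries are bare IP addresses; "192.0.2.10:80" fails this filter.
        if (!is_string($entry) || filter_var($entry, FILTER_VALIDATE_IP) === false) {
            $problems[] = 'trustedProxies entry is not a bare IP: ' . var_export($entry, true);
        }
    }
    return $problems;
}

// Constructed samples: the misplaced layout, then the corrected one.
$misplaced = [
    'passbolt' => ['ssl' => ['force' => true]],
    'security' => ['proxies' => ['active' => true, 'trustedProxies' => ['192.0.2.10:80']]],
];
$nested = ['passbolt' => [
    'ssl' => ['force' => true],
    'security' => ['proxies' => ['active' => true, 'trustedProxies' => ['192.0.2.10']]],
]];

foreach (['misplaced' => $misplaced, 'nested' => $nested] as $name => $cfg) {
    $found = checkProxyConfig($cfg);
    echo $name, ': ', $found ? implode('; ', $found) : 'ok', PHP_EOL;
}
```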

You are right, I had a mistake.
This is the running configuration now, but it still doesn't work:

'passbolt' => [
    // GPG Configuration.
    // The keyring must to be owned and accessible by the webserver user.
    // Example: www-data user on Debian
    'gpg' => [
        // Main server key.
        'serverKey' => [
            // Server private key fingerprint.
            'fingerprint' => 'xxxxxxxxxxxxxxxxxxxxxxxxxx',
            'public' => CONFIG . DS . 'gpg' . DS . 'xxxxxxxx.asc',
            'private' => CONFIG . DS . 'gpg' . DS . 'xxxxxxxx_private.asc',
        ],
    ],
    'registration' => [
        'public' => false,
    ],
    'ssl' => [
        'force' => true,
    ],
    'security' => [
        'proxies' => [
            'active' => true,
            'trustedProxies' => ['x.x.x.x']
        ],
    ]
],
];

To be clear, I need the traffic from Passbolt to DUO to be forwarded through a forwarding proxy and not go straight to the internet. So we need to define an outgoing proxy for internet requests, similar to setting the /etc/environment of the OS.