Yubico OTP Server access via proxy

How can I configure authentication via Yubico OTP to go through a proxy in an on-premise installation? For this type of authentication the server needs access to the following URLs:
api.yubico.com
apiX.yubico.com
These names resolve to constantly changing addresses, so I would have to keep adding exceptions for them in the firewall… Is there any option to route these connections through a proxy?
Best regards.

@kero99 Welcome to the forum! What firewall are you running? And is the proxy service part of the firewall app?

Not sure of your security model but also: yubikey-val

Hello garrett,

We use a proxy server with Squid (not the firewall), and the firewall is a pfSense, but the solution of opening FQDNs as an alias in a rule is not working well.

Actually I need to resolve api.yubico.com manually every day from the server and add this IP to the firewall :(.

Is it possible to configure an HTTP proxy in the passbolt server to resolve the Yubico URLs?

Best regards

@kero99 I also use pfsense.

It should work since you are not attempting a wildcard: Firewall — Aliases | pfSense Documentation

But it says the FQDN must exist in the DNS servers used by the firewall.

It also says "If the DNS query for a hostname returns multiple IP addresses, all of the IP addresses returned in the result are added to the alias."

So maybe the firewall itself is not set up to resolve an alias?

I don’t have my DNS Resolver (Services menu) set up. I imagine doing so would be needed and only offering it to the firewall itself?

Yep, actually I use an alias, but it is not working well, and I need to resolve manually sometimes. An HTTP proxy option could solve my problem.

@kero99 And you have the DNS Resolver active?

I think it is worth investigating why it’s not working in pfsense.

Explain more how your http proxy option idea would work.

Hi Garret, thanks for your responses =),
The idea is:
In a corporate environment (like mine), direct access to the internet from the server is not possible; you need to use a corporate HTTP proxy for app requests.
Usually apps take proxy configuration from system variables (HTTP_PROXY, HTTPS_PROXY) or from config file fields like:

CURL_PROXY=<proxy.ip>:<proxy.port>
CURL_PROXYUSERPWD=<proxyauth.username>:<proxy.password>

or

stream_context_set_default(['http'=>['proxy'=>'proxy-host:proxy-port']]);

The passbolt server would communicate with this proxy server for external HTTP requests like OTP.

Best regards.
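The pattern described in the post above (an app picking up HTTP_PROXY/HTTPS_PROXY/NO_PROXY and sending the OTP validation request through the corporate proxy), as an added illustration that is not passbolt's own code and not from this thread. It assumes PHP 8 with the curl extension, a proxy address of the form http://user:pass@proxy.example:3128 in the environment, and uses the Yubico validation endpoint path and query parameters from Yubico's validation protocol (not quoted in this thread).

```php
<?php
// Illustrative code, not passbolt's proxy handling. Assumed environment:
//   HTTPS_PROXY=http://user:pass@proxy.example:3128   (HTTP_PROXY as fallback)
//   NO_PROXY=localhost,.internal.example               (hosts that bypass the proxy)

/** Build curl proxy options from the conventional environment variables. */
function proxyOptionsFromEnv(string $targetHost, array $env): array
{
    // Honour NO_PROXY: exact host or leading-dot domain suffix bypasses the proxy.
    $noProxy = array_filter(array_map('trim', explode(',', $env['NO_PROXY'] ?? '')));
    foreach ($noProxy as $entry) {
        if ($entry === $targetHost || ($entry[0] === '.' && str_ends_with($targetHost, $entry))) {
            return [];
        }
    }
    $proxy = $env['HTTPS_PROXY'] ?? $env['HTTP_PROXY'] ?? '';
    if ($proxy === '') {
        return [];
    }
    $p = parse_url($proxy);
    $opts = [
        CURLOPT_PROXY           => $p['host'],
        CURLOPT_PROXYPORT       => $p['port'] ?? 3128,
        // CONNECT tunnel: TLS terminates at api.yubico.com, so the proxy
        // only sees the hostname, never the OTP or the response signature.
        CURLOPT_HTTPPROXYTUNNEL => true,
    ];
    if (isset($p['user'])) {
        $opts[CURLOPT_PROXYUSERPWD] = urldecode($p['user']) . ':' . urldecode($p['pass'] ?? '');
    }
    return $opts;
}

/** Send one validation request to the Yubico server through the proxy. */
function verifyOtpViaProxy(string $verifyUrl, array $query): string
{
    $host = parse_url($verifyUrl, PHP_URL_HOST);
    $ch = curl_init($verifyUrl . '?' . http_build_query($query));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate validation on behind the proxy
        CURLOPT_TIMEOUT        => 10,
    ] + proxyOptionsFromEnv($host, getenv()));
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('validation request failed: ' . curl_error($ch));
    }
    return $body;   // caller still checks the status field and the nonce echo
}
// $resp = verifyOtpViaProxy('https://api.yubico.com/wsapi/2.0/verify',
//     ['id' => $clientId, 'otp' => $otp, 'nonce' => bin2hex(random_bytes(16))]);
```

The same NO_PROXY/HTTPS_PROXY handling is what the OS-level approach mentioned later in the thread relies on, so a quick check is whether PHP's process actually inherits those variables (a service started by systemd does not read the login shell's environment).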

How are you running passbolt? Docker? VM?

Docker has proxy configurations: Configure Docker to use a proxy server
Depending on your setup, I think I would be looking at an OS-level/container-level setting vs an app-level one.

So sorry, busy week.

We are running passbolt on Ubuntu 22.04 VM without docker.
Best regards.

I was thinking something like this Proxy settings on Ubuntu Server - Ask Ubuntu