Duo Auth API
I am trying to set up nginx as a reverse proxy server in front of several IIS web servers that are authenticating using Basic authentication.
This exact situation took me forever to figure out, but OSS is like that I guess.
This post is a year old so maybe the original poster figured it out, or gave up? I have a service secured under basic authentication, and nginx as a reverse proxy between the clients and the server. The requirement was that nginx would passthrough the authorization. First request to the server did pass through the Authorization header.
Second request simply blocked this header, which meant the client was only able to make one request per session. This was somehow related to cookies. If I cleared the browser cookies, then the cycle repeated. The client was able to authenticate but just for the first request.
Closing the browser had the same effect.
Nginx reverse proxy - passthrough basic authentication
Using the headers-more module clears the old headers, and adds whatever you tell it to.
After this, I was able to finally push Sharepoint through Nginx. Thanks stackoverflow.
Maybe this could be helpful: serverfault.
Duo Security is now a part of Cisco.
Answers to frequently asked questions and troubleshooting tips for Duo Security's Authentication Proxy. You can specify multiple server sections in the configuration file. Each will have a different ikey and skey. If the server sections are the same type, append a number to the section name.
In addition, multiple applications can share the same client section for primary authentication. For example, here is a config file that powers three applications. No, password and secret encryption is a Windows-only feature. If you do not already have a [main] section in your config file, create one. It should look like this: Uninstalling the Authentication Proxy deletes your authproxy.
The sample authproxy. Notepad may not correctly show line-breaks so we recommend editing the config file with WordPad or a third-party text editor that can display UNIX encoding. Open your file in a text editor other than Notepad, verify that the configuration is correct, save the file, and try starting the Duo Security Authentication Proxy service again. If it still fails to start, make sure to check the Application log in the Windows Event Viewer for an error message from the source "DuoAuthProxy".
The error traceback usually indicates which line of the authproxy. This configuration does not support appending a Duo factor name or passcode to the password. Duo monitors the health and availability of our cloud services. You can also monitor your Authentication Proxy server to ensure that the service is running and listening for incoming requests on the default port, or whichever port you specified when configuring your RADIUS or LDAP authentication server.
I'm using nginx as a reverse proxy to protect my server's HTTP endpoints.
I want to use Azure AD as authentication provider. How do I make nginx check credentials against Azure AD? Should I use OAuth?
How to set up nginx to authenticate users through Azure AD?
I'd like to avoid building nginx if possible. Sounds like github. Am I missing something? Almost similar stackoverflow.
In this post I will describe one interesting customer request we had previously dealt with.
This is an older project, but I think the problem is still relevant. The customer has an existing web application that is hosted in a dedicated datacenter along with the entire HW infrastructure, which includes Citrix NetScaler, a load balancer and reverse proxy appliance with a few extra features.
One such feature is an authentication gateway, i.e. NetScaler only allows access to backend applications to authenticated users. All the applications are hosted in the same data center and share the same domain users. Within each application, each domain user is mapped to an application user.
The situation is schematically illustrated in the following figure.
The problem with such a setup is its testability. The customer has several staging environments, and introducing NetScaler into these environments would be overkill, not counting the domain management for all the environments. It had to look and behave as if NetScaler was there. The first solution that came to our minds was to use the excellent HAProxy load balancer (because we have several backends) and place a custom authentication proxy before it.
This would mean that each HTTP request would be processed by two reverse proxies. Surely, there must be a more straightforward and simpler solution.
The documentation for this module (auth_request, ngx_http_auth_request_module) says it implements client authorization based on the result of a subrequest. What exactly does this mean? If the result of the subrequest is HTTP 401 or 403, access to the backend server is denied. By configuring NGINX, you can redirect those 401s or 403s to a login page where the user is authenticated and then redirected to the original destination. The entire authorization subrequest process is then repeated, but because the user is now authenticated the subrequest returns HTTP 2xx and the original HTTP request is proxied to the backend server.
Naturally, NGINX only provides the mechanism to achieve this; the authorization server must be custom-built for the specific use case. In our case, FakeNetscaler is the authorization server; I will get to that later. At first glance, this seems to be even more complex than the original NetScaler authentication process, but the truth is that I just described it using a white-box approach, whereas in the case of NetScaler it was described as a black box (especially the points 3.
NGINX configuration file for the authorization server domain fakenetscaler. If a user has entered the correct login and password, the cookie establishes that the user is authenticated and the user is redirected to the original destination based on the information stored in the cookie. If the user did not enter the correct login information, the login page with the error description is displayed again.
If the user is logged in, the HTTP response code is 200; otherwise it is one of the codes auth_request treats as denied (401 or 403). If the user has entered a valid username and password, a login cookie is created and the browser is redirected to the original destination. If the user did not enter a valid username or password, the login page with an error message is displayed. This should be a really simple service, and we are going to implement it using the Go programming language.
Go has a rich standard library including a very capable HTTP server. There is no need for a third-party server runtime. After compiling the Go code, a statically linked binary with no other runtime dependencies is created.
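The following is an added example, not code from the original post or from the FakeNetscaler project: a minimal Go authorization server of the kind described above, shaped the way auth_request expects. /auth answers 200 for a valid session cookie and 401 otherwise; /login checks the form, sets an HMAC-signed cookie and redirects to the original destination. The cookie name, signing key, user table, the rd query parameter and the X-Forwarded-User header are all assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Assumptions for this example: cookie name, signing key and user table are constructed,
// not values from the FakeNetscaler project. Load a random key from config in practice.
const sessionCookie = "fn_session"

var sessionKey = []byte("example-only-signing-key-replace-me")

// users maps a username to the SHA-256 of its password (constructed sample data; the real
// gateway would verify against the domain instead).
var users = map[string][32]byte{
	"alice": sha256.Sum256([]byte("correct horse battery staple")),
}

// mintToken builds a tamper-evident session value: "user|expiryUnix|hex(HMAC-SHA256)".
func mintToken(user string, expiry time.Time) string {
	payload := user + "|" + strconv.FormatInt(expiry.Unix(), 10)
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(payload))
	return payload + "|" + hex.EncodeToString(mac.Sum(nil))
}

// verifyToken returns the username when the MAC is valid and the token has not expired.
func verifyToken(token string, now time.Time) (string, bool) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return "", false
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() > exp {
		return "", false
	}
	// Recompute the expected token and compare in constant time.
	if !hmac.Equal([]byte(token), []byte(mintToken(parts[0], time.Unix(exp, 0)))) {
		return "", false
	}
	return parts[0], true
}

// safeRedirect honours only same-origin relative paths, so the rd parameter cannot turn
// the login flow into an open redirect.
func safeRedirect(rd string) string {
	if strings.HasPrefix(rd, "/") && !strings.HasPrefix(rd, "//") && !strings.HasPrefix(rd, "/\\") {
		return rd
	}
	return "/"
}

// checkCredentials hashes the supplied password and compares it in constant time.
func checkCredentials(user, pass string) bool {
	stored, ok := users[user]
	if !ok {
		return false
	}
	got := sha256.Sum256([]byte(pass))
	return subtle.ConstantTimeCompare(stored[:], got[:]) == 1
}

// authHandler is the auth_request target: 200 (with the user name for the backend) when the
// session cookie is valid, 401 otherwise, which NGINX treats as "access denied".
func authHandler(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie(sessionCookie); err == nil {
		if user, ok := verifyToken(c.Value, time.Now()); ok {
			w.Header().Set("X-Forwarded-User", user)
			w.WriteHeader(http.StatusOK)
			return
		}
	}
	w.WriteHeader(http.StatusUnauthorized)
}

// loginHandler renders the form on GET; on a valid POST it sets the cookie and redirects to
// the original destination carried in the rd query parameter.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodPost {
		if checkCredentials(r.FormValue("user"), r.FormValue("pass")) {
			http.SetCookie(w, &http.Cookie{Name: sessionCookie, Path: "/", HttpOnly: true, Secure: true,
				SameSite: http.SameSiteLaxMode, Value: mintToken(r.FormValue("user"), time.Now().Add(8*time.Hour))})
			http.Redirect(w, r, safeRedirect(r.URL.Query().Get("rd")), http.StatusSeeOther)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
		fmt.Fprint(w, "<p>Invalid username or password.</p>")
	}
	// The form posts back to the same URL, so rd survives without being echoed into HTML.
	fmt.Fprint(w, `<form method="post">User <input name="user"> Password <input name="pass" type="password"> <button>Log in</button></form>`)
}

// newMux wires both endpoints; main serves them on an assumed port.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth", authHandler)
	mux.HandleFunc("/login", loginHandler)
	return mux
}

func main() {
	log.Fatal(http.ListenAndServe(":8080", newMux()))
}
```

On the NGINX side this pairs with the documented auth_request directives: `auth_request /auth;` in the protected location and `error_page 401 = @login;` (a named location that redirects to the login page with the original URI in rd). Keeping the cookie HttpOnly, Secure and signed is what lets the gateway stay transparent after login without trusting anything the browser can forge.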
When you run it you will get an HTTP server listening on the configured port. Using the Go programming language, we have implemented our own authorization server, which we used together with NGINX.
Click Protect to the far right to configure the application and get your integration key, secret key, and API hostname.
You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options. The security of your Duo application is tied to the security of your secret key skey.
Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances! Adding Duo requires some understanding of your application's language and authentication process.
Documented properties will not be removed within a stable version of the API. Once a given API endpoint is documented to return a given property, a property with that name will always appear although certain properties may only appear under certain conditions, like if the customer is using a specific edition.
Properties that enumerate choices may gain new values at any time. Duo will update our API documentation with new values in a timely fashion. New, undocumented properties may also appear at any time.
For instance, Duo may make available a beta feature involving extra information returned by an API endpoint. Until the property is documented here its format may change or it may even be entirely removed from our API.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability.
Unlike the other endpoints, this one does not have to be signed with the Authorization header. This endpoint is also suitable for use with Duo's Web SDK to verify that Duo's service is responding before initializing frame authentication. This endpoint is also suitable for use with Duo's Web SDK to verify integration information before initializing frame authentication. It creates the user in Duo and returns a code as a QR code that Duo Mobile can scan with its built-in camera.
Scanning the QR code adds the user's account to the app so that they receive and respond to Duo Push login requests. Human-readable message describing the result. This string is intended for display to the user. This field will only be present if result is "auth". List of strings, each a factor that can be used with the device.
Note that hardware tokens do not have any associated capabilities. Single-character string containing the starting number of the next acceptable passcode previously SMSed to the user, if any. This field will only be present if the device has the "sms" capability and has previously received passcodes.
If result is "enroll", a unique enrollment portal URL is returned. The enrollment URL is valid for five minutes after generation. This field will only be present if result is "enroll".
How to set up nginx as a 2-factor authentication portal that becomes transparent once auth'd?
Hi, I just started with a small company that's got a bunch of web apps being served up from a bunch of different web servers.
Some are 'appliances', most are Apache. It's a mess of an infrastructure -- slow and. My long term plan is to convert to one lighter weight platform with commercial support available. In the short term -- like the boss wants it yesterday! In principle, I think I can solve this in one nginx instance. Setting nginx up to listen on one IP, and serve up separate SSL certificates for each web app is brilliantly easy in nginx!
Works perfectly. So that part's basically done. The auth piece has me scratching my head -- and I hope somebody here can provide some guidance. But once they do, the 'authentication site' should become transparent and not interfere at all with the session, etc. I'm not sure how to: 1) implement Google Authenticator integration in Nginx. I've looked for something built-in, or some plugin, which would be fantastic.
But I haven't found anything reliable yet. Is this proxying? I'm pretty sure I need to pass some sort of variables, but is there some setting that bundles up everything so it's fully transparent? Are there any built-in ways -- and better yet, good tutorials! I doubt I've thought up anything new here, so I'm hoping someone's already posted some know-how. Thanks a bunch for any help!
Best practices for setting up the Duo Authentication Proxy for high availability and disaster recovery
Summary: To maintain continuous access to Duo-protected appliances and applications, we recommend using at least two Duo Authentication Proxy servers. This guide contains considerations that should be taken into account when deploying a high availability solution.
The proxy can be installed on a physical or virtual host. Peak authentication volume matters more than total number of enrolled Duo users. Duo recommends monitoring the virtual machine VM the proxy is running on, and adding resources such as CPU, memory, or bandwidth if needed.
Duo recommends running a dedicated VM for the Authentication Proxy. If you are planning to host the proxy on a VM hosting other services or applications, ensure that the VM has enough vCPUs and memory for all processes. CPU and memory reservation pools are another VM best practice to ensure resources are not exhausted during high load. Separate proxy VMs across multiple physical hosts when possible. Any environment-specific parameters (IP or hostname attributes, shared secrets, port numbers, etc.) need to be updated to reflect the values of the new environment.
In order to duplicate.
Host considerations: If encrypting passwords or shared secrets, these are specific to the server where they were encrypted and will not work if copied to a different machine.
Load balancing distributes authentications between proxies, while a simple failover pool puts all load on one proxy while the others are not utilized unless the first is no longer available. Note that for these integrated load-balancing applications, traffic will still be coming to the proxy from the real server IPs rather than the VIP.
The basic configuration for HA load balancing Authentication Proxies is shown here: