0

EDIT: Something similar to Authy would work too, if that service was i) hosted/SaaS and ii) able to send SMS messages.

  • Most examples advocate RADIUS for two-factor authentication but I'm already using OpenLDAP for centralized authentication and would rather not add another local service to administer (but I'm happy calling out to Authy).
  • The app itself that I want to two-factor authenticate is a Tomcat app which has it's own internal form-based authentication, which will serve as the second type of authentication (see below).
    • Apache httpd* is used to reverse proxy the app (as we do for all our Tomcat apps) so I can protect the resource at that point (as I've done occasionally w/LDAP). Once httpd grants access, the Tomcat authentication will proceed.
    • I didn't see any mod_auth_authy or the like on their developer site https://www.authy.com/developers -- just mostly libraries for languages, so I'm not sure how best to implement this.

(*Apache httpd may be replaced by NGINX at some point, so ideally the solution suggested would carry over, but please don't refrain from suggesting Apache httpd-only solutions!)

Patrick
  • 121
  • 1
  • 6
  • This is an old post but for future reference, here are detailed instructions and code that enables Emin's answer in practice: https://github.com/itemir/apache_2fa – Ilker May 22 '17 at 03:08

1 Answers1

0

Authentication sequence and requirements still not clear to me, but other than that should be easy with apache. I have implemented a similar setup using cookies.

You need to have 2 locations under the same domain (to allow access to the same cookies) - one protected , another not protected (used to display the login page and create a cookie upon successful login)

httpd config of the protected location will look like below:

<Location /content>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/
RewriteCond %{HTTP_COOKIE} ^.*2FAToken=([^;]+)
RewriteCond /home/securefolder/sessions/%1 -f
RewriteRule ^.*$ - [P,S=1]
RewriteRule /(.*) https://URL-of-login-page/login?url=%{REQUEST_FILENAME} [L]
</Location>

The second location should contain your login page, that will handle the login and create a cookie named 2FAToken with a random session ID; it should also create a text file under /home/securefolder/sessions/ with the file name same as the session ID

Apache will read the cookie, make sure the file with the same name exists in /home/securefolder/sessions/ and allow access to your app.

But, question, why don't you do it directly with your app?

Emin
  • 101
  • Forgot to mention, I am working for a two-factor authentication provider as well (https://token2.com), but for your purposes, any API would work exactly the same. – Emin Jun 24 '15 at 09:55