This single sign-on service offers
- mod_auth_pubtkt support
- SAML2 identity provider for Google Apps (and others, with additional configuration)
- OpenID identity provider
- Two-factor authentication with Google Authenticator and SMS (bring your own gateway).
For licensing, see separate file.
- Install packages (for Ubuntu/Debian):
  sudo apt-get install python-pip python-virtualenv swig python-ldap python-dev libssl-dev python-geoip libldap2-dev libsasl2-dev python-m2crypto python-mysqldb redis-server libmysqlclient-dev zlib1g libjpeg-dev
- Install requirements:
  pip install -r requirements.txt
- Configure your local settings:
  mv sso_frontend/local_settings.py.sample sso_frontend/local_settings.py; vim sso_frontend/local_settings.py
- Implement your own SMS gateway: see
  login_frontend/send_sms.py.sample
- Find and replace branding:
  grep -i futurice * -R
- Configure a WSGI server for apache2. Using virtualenv is highly recommended.
- Install p0f and run it under supervisor:
  sudo apt-get install libpcap-dev supervisor
  wget http://lcamtuf.coredump.cx/p0f3/releases/p0f-3.06b.tgz
  tar -xvzf p0f-3.06b.tgz
  cd p0f-3.06b
  ./build.sh
  sudo adduser --system p0f
  sudo mkdir /var/local/p0f
  Create the file /etc/supervisor/conf.d/p0f.conf with the following contents (supervisor only accepts comments on their own lines, so the note about the user is not placed after the value):
  [program:p0f]
  ; p0f is started as root and drops to the p0f user itself (-u p0f)
  user=root
  command=/path/to/p0f-3.06b/p0f -i eth0 -f /path/to/p0f-3.06b/p0f.fp -s /var/local/p0f/p0f.sock -o /var/local/p0f/p0f_out.txt -u p0f "port 80 or port 443"
  stderr_logfile = /var/log/p0f-err.log
  stdout_logfile = /var/log/p0f-stdout.log
  Then set P0FSOCKET=/var/local/p0f/p0f.sock in local_settings.py.
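The application talks to p0f over the unix socket configured as P0FSOCKET. The client below is an added example (not the project's own code) that encodes a p0f 3.x API query and validates and decodes the fixed-size response, using the packed, host-byte-order structs from p0f's api.h; the socket path default and the sample response bytes are assumptions made for illustration.

```python
import socket
import struct
from ipaddress import ip_address

# p0f 3.x unix-socket API (api.h): packed structs in host byte order.
P0F_QUERY_MAGIC = 0x50304601
P0F_RESP_MAGIC = 0x50304602
P0F_STATUS = {0x00: "badquery", 0x10: "ok", 0x20: "nomatch"}
QUERY_FMT = "=IB16s"  # 21 bytes: magic, addr_type (4 or 6), addr[16]
RESP_FMT = "=9IhBB32s32s32s32s32s32s"  # 232 bytes: counters, distance, flags, strings
RESP_FIELDS = ("magic", "status", "first_seen", "last_seen", "total_conn", "uptime_min",
               "up_mod_days", "last_nat", "last_chg", "distance", "bad_sw", "os_match_q",
               "os_name", "os_flavor", "http_name", "http_flavor", "link_type", "language")

def build_query(ip):
    """Encode a query for the client address the web server saw (IPv4 or IPv6)."""
    addr = ip_address(ip)
    return struct.pack(QUERY_FMT, P0F_QUERY_MAGIC, addr.version,
                       addr.packed.ljust(16, b"\0"))

def parse_response(data):
    """Decode one response; reject a wrong length or magic before trusting any field."""
    if len(data) != struct.calcsize(RESP_FMT):
        raise ValueError("unexpected p0f response length %d" % len(data))
    fields = dict(zip(RESP_FIELDS, struct.unpack(RESP_FMT, data)))
    if fields["magic"] != P0F_RESP_MAGIC:
        raise ValueError("bad p0f response magic 0x%08x" % fields["magic"])
    fields["status"] = P0F_STATUS.get(fields["status"], "unknown")
    for key in RESP_FIELDS[12:]:  # NUL-padded char[32] strings
        fields[key] = fields[key].split(b"\0", 1)[0].decode("ascii", "replace")
    return fields

def query_p0f(ip, sock_path="/var/local/p0f/p0f.sock"):
    """Ask the running p0f daemon about `ip` over the P0FSOCKET unix socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(2.0)
        s.connect(sock_path)
        s.sendall(build_query(ip))
        data = b""
        while len(data) < struct.calcsize(RESP_FMT):
            chunk = s.recv(struct.calcsize(RESP_FMT) - len(data))
            if not chunk:
                break
            data += chunk
    return parse_response(data)

# Constructed sample response (not real p0f output) so the parser can be exercised offline.
SAMPLE_RESPONSE = struct.pack(RESP_FMT, P0F_RESP_MAGIC, 0x10, 1700000000, 1700000600,
                              3, 0, 0, 0, 0, 7, 0, 0, b"Linux", b"3.x", b"", b"",
                              b"Ethernet or modem", b"")
```

A "nomatch" status or a distance that suddenly changes for a session is worth logging alongside the public browser ID rather than acting on silently.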
Cookies used by the service:
- Browser.C_BID = "v2browserid" - unique, strictly private browser ID
- Browser.C_BID_PUBLIC = "v2public-browserid" - public browser ID; sharing this is not an issue. Should be used in logging, on error messages and when asking for browser identity.
- Browser.C_BID_SESSION = "v2sessionbid" - unique per-session browser ID. This cookie is used to reliably (?) detect browser restarts.
- auth_pubtkt - session based pubtkt cookie
- csrftoken - Django CSRF token
Recommended set of HTTP headers:
Content-Security-Policy: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'
X-Content-Security-Policy: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'
X-WebKit-CSP: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'
cache-control: no-cache, no-store, max-age=0, must-revalidate
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: DENY
strict-transport-security: max-age=86400000; includeSubDomains
And for /static:
  cache-control: "public, max-age=86400"
With x-content-type-options: nosniff, content types are not automatically detected, so each file type must be served with an explicit Content-Type. For apache2, add
AddType application/x-font-ttf .ttf
AddType application/font-woff .woff
AddType application/x-font-opentype .otf
AddType application/vnd.ms-fontobject .eot
to the configuration file and reload apache.