coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3764ea03ed2bc9eb644cdee8de9aaf22ea7f41bf
net-kingdom/sso-mfa/k8s/privacyidea/middleware.yaml
Bernd Worsch c0e330ee4e fix(privacyidea): disable response signing + raise rate limit to unblock login 
PI_NO_RESPONSE_SIGN=True works around Werkzeug 3.x crash where request.json
raises BadRequest on GET requests with empty bodies (sign_response path).

Rate limit raised from 20/5 to 200/100 req/min to allow the AngularJS UI's
burst of ~50 parallel static asset requests on each page load without being
throttled by Traefik. TODO: split tight /auth+/validate vs loose /static limits.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-25 11:49:26 +00:00

57 lines
2.1 KiB
YAML
Raw Blame History

# Traefik Middlewares for privacyIDEA (namespace: mfa)
#
# Middleware names follow the pattern referenced in ingress.yaml annotations:
# mfa-privacyidea-rate-limit@kubernetescrd
# mfa-privacyidea-admin-allowlist@kubernetescrd
#
# Traefik API version:
# Traefik v3 (K3s >= 1.30): traefik.io/v1alpha1
# Traefik v2 (K3s < 1.30): traefik.containo.us/v1alpha1
# Check: kubectl get middleware -n mfa -o yaml | grep apiVersion
# Update both documents below if you need the v2 apiVersion.
# ── Rate limit — all PI endpoints ────────────────────────────────────────────
# Applies globally to pink.coulomb.social.
# Primary protection for /validate/check (OTP verification) and /auth.
# 200 requests/minute average; burst of 100 to allow the ~50 parallel static
# asset requests the AngularJS UI fires on every page load.
# TODO: split into a tight limit for /auth+/validate and a loose one for /static.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: privacyidea-rate-limit
namespace: mfa
labels:
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: mfa
spec:
rateLimit:
average: 200
period: 1m
burst: 100
---
# ── Admin path allowlist — restrict WebUI to internal/VPN IPs ────────────────
# Applied to the /admin/* Ingress (see ingress.yaml — separate Ingress for /admin/).
#
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
# Leaving RFC-1918 ranges here is only a dev/staging default.
#
# Traefik v2 uses ipWhiteList; Traefik v3 uses ipAllowList.
# This cluster runs Traefik 2.10 (K3s 1.30 bundle) — ipWhiteList required.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: privacyidea-admin-allowlist
namespace: mfa
labels:
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: mfa
spec:
ipWhiteList:
# EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
# Example VPN: "10.8.0.0/24"
sourceRange:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
Reference in New Issue View Git Blame Copy Permalink