The Yubico U2F Validation Server is designed as a WSGI module, and should run under any WSGI capable web server. This document describes one possible setup for running it under the Apache2 Web Server, using mod_wsgi.
Before starting, it is assumed that you have installed u2fval and configured it with a compatible SQL database (see Installation and Database Setup). It is also assumed that u2fval is installed in a virtualenv located at /home/someuser/u2fval/venv. Change the path in accordance with your setup.
Refer to the Apache Web Server documentation for instructions on setting up the Apache Web Server on your platform. This document assumes you are running Ubuntu 14.04 or later; some of the commands might be slightly different on other platforms. To install Apache and mod_wsgi (as well as some utilities that we will be using) on Ubuntu, run the following command:
apt-get install apache2 apache2-utils libapache2-mod-wsgi
mod_wsgi embeds a specific Python interpreter and must match the Python major version of the virtualenv it loads. If your u2fval virtualenv uses Python 3, install libapache2-mod-wsgi-py3 instead of libapache2-mod-wsgi.
This should automatically enable mod_wsgi, which you can confirm by running:
a2query -m wsgi
…which should print something along the lines of:
wsgi (enabled by maintainer script)
You will also need to enable mod_auth_digest, as we will be using HTTP Digest authentication. To enable it, run:
a2enmod auth_digest
Create the file /home/someuser/u2fval/u2fval.wsgi and add the following content:
from u2fval import app as application
Create the file /etc/apache2/conf-available/u2fval.conf and add the following content to it:
<IfModule mod_wsgi.c>
    WSGIDaemonProcess u2fval python-home=/home/someuser/u2fval/venv
    WSGIApplicationGroup %{GLOBAL}
    WSGIScriptAlias /wsapi/u2fval /home/someuser/u2fval/u2fval.wsgi process-group=u2fval

    <Directory /home/someuser/u2fval/>
        Options None
        AllowOverride None
        AuthType Digest
        AuthName "u2fval"
        AuthUserFile /home/someuser/u2fval/clients.htdigest
        Require valid-user
    </Directory>
</IfModule>
Note that HTTP Digest authentication only keeps the client password off the wire; it does not protect the request or response bodies, which carry the U2F registration and authentication data. For any deployment reachable over a network, serve this location over TLS rather than plain HTTP.
The above configuration refers to an AuthUserFile which does not yet exist. This is where client credentials will be stored, so let's create the file and add our first client now:
htdigest -c /home/someuser/u2fval/clients.htdigest "u2fval" testclient
You will now be prompted for a password for the client. Once entered, the client can be authenticated using the testclient username with the password you just assigned. To add more users, run the same command as above without the -c argument (which is only needed to create the file, and will overwrite an existing one). The realm given to htdigest ("u2fval") must match the AuthName in the Apache configuration. Each line of the file stores MD5(username:realm:password), which is all a client needs to answer a Digest challenge in that realm, so treat the file as a secret: it should be readable by the Apache user and nobody else.
For each created user you also need to create the corresponding client in the u2fval database. This is done by using the u2fval command line tool:
u2fval client create testclient -a http://example.com -f http://example.com
The client name testclient above needs to match the name used for the htdigest command. The -a argument defines the application ID of the client, and the -f argument sets the valid facets for the client (for multiple facets, separate them with spaces). See the u2fval documentation on application IDs and facets for more information about these parameters. If you need to change these settings later you can use the u2fval tool (run "u2fval -h" for usage).
Now all that remains is to activate the Apache configuration:
a2enconf u2fval
service apache2 reload
You should now be all set! You can verify that the server works by running a request against it as the client you just created:
curl --digest -u 'testclient:password' http://localhost/wsapi/u2fval/
Alter the above command to match the username and password you set for the client. If successful the output should contain some information about the client, such as the application ID and valid facets.
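The following is an added example, not code from u2fval or the Yubico documentation. It makes two things from the steps above concrete: what the clients.htdigest file written by htdigest holds, and how a client such as curl --digest turns Apache's Digest challenge into an Authorization header. The realm "u2fval", the client name testclient and the path /wsapi/u2fval/ are the page's own values; the password "password", the nonce and the client nonce are constructed sample values. Note that the response digest is computed from the stored HA1 alone, which is why the htdigest file must be protected like a password.

```python
# Added example; not part of u2fval or the Yubico documentation.
# (1) builds and checks entries in the htdigest(1) file format used by AuthUserFile;
# (2) answers an HTTP Digest (RFC 2617) challenge the way curl --digest does.
import hashlib
import hmac
import re

REALM = "u2fval"  # must equal AuthName in u2fval.conf and the realm given to htdigest


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is exactly what htdigest stores, so the
    file is password-equivalent for this realm: protect it like a secret."""
    return md5_hex(f"{user}:{realm}:{password}")


def htdigest_line(user, realm, password):
    """One AuthUserFile line in the format htdigest(1) writes."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def parse_htdigest(text):
    """Map (user, realm) -> stored HA1 for a file in htdigest format."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, digest = line.split(":", 2)
        entries[(user, realm)] = digest
    return entries


def check_client(entries, user, realm, password):
    """True if the htdigest file would accept this user/password in this realm."""
    stored = entries.get((user, realm))
    return stored is not None and hmac.compare_digest(stored, ha1(user, realm, password))


def parse_challenge(header):
    """Parse a 'Digest k="v", k2=v2, ...' WWW-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest challenge: " + header)
    pattern = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pattern.finditer(params)}


def digest_response(ha1_hex, method, uri, nonce, qop=None, nc="00000001", cnonce=""):
    """RFC 2617 response digest. It needs only HA1, never the clear-text password."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:  # legacy RFC 2069 form, no client nonce
        return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(user, password, method, uri, challenge, cnonce, nc="00000001"):
    """Build the Authorization header a client sends after the 401 challenge."""
    c = parse_challenge(challenge)
    realm, nonce = c["realm"], c["nonce"]
    # mod_auth_digest offers qop="auth"; pick it if offered, else fall back to RFC 2069
    qop = "auth" if "auth" in c.get("qop", "").split(",") else None
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, qop, nc, cnonce)
    fields = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
              f'uri="{uri}"', f'response="{resp}"']
    if qop:
        fields += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in c:
        fields.append(f'opaque="{c["opaque"]}"')
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    # Constructed sample: the entry that htdigest -c ... "u2fval" testclient writes for
    # the password "password", and a challenge shaped like the one mod_auth_digest sends.
    entries = parse_htdigest(htdigest_line("testclient", REALM, "password"))
    print(check_client(entries, "testclient", REALM, "password"))
    challenge = 'Digest realm="u2fval", nonce="abc123", algorithm=MD5, qop="auth"'
    print(authorization_header("testclient", "password", "GET", "/wsapi/u2fval/",
                               challenge, cnonce="deadbeef"))
```

The digest functions are checked against the worked example in RFC 2617 section 3.5, so they can be used to debug a 401 from the server: compute the expected response from the stored HA1 and compare it with what the client actually sent.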
You can customize logging by modifying the u2fval.wsgi file above. See Logging for more details. Any changes to the file will require reloading the Apache configuration:
service apache2 reload