Unable to pass Auth header

[hc4]

It seems that it filtered out and sso realm didn't see it. I have CORS enabled both for web and rest.

[hc4]

I've added logging of headers SSO Realm sees:

Got header: connection
Got header: accept
Got header: origin
Got header: x-requested-with
Got header: user-agent
Got header: authorization
Got header: content-type
Got header: referer
Got header: accept-encoding
Got header: accept-language

[kroepke]

@hc4 Which Graylog version are you running this against? The plugin needs certain changes in the server to work correctly (which is why we haven't released it yet) beta.2 or master is fine, beta.1 is not

[hc4]

I am using beta 1 :) So the problem not only in ability to check trusted proxy list (I disabled this check to be able to build plugin)

[kroepke]

Specifically it needs https://github.com/Graylog2/graylog2-server/commit/662866cc6c5319ce02de42eb92573ac0bb7da8fb

Grab beta.2, we've just built it, should be published shortly (or use one of the most recent 2.1.0 snapshot builds at http://packages.graylog2.org/_/snapshots?q=2.1.0 )

[kroepke]

I hope to upload the plugin to the marketplace shortly for early testing.

[hc4]

same problem with 2.1.0-beta.2-SNAPSHOT+581eb1f,

[hc4]

It seems this auth headers not resended during rest request

[kroepke]

Then I need a more specific description of your setup:

• what header are you setting?
• what IPs, proxies are involved?
• what is the configuration of the plugin?

Thanks!

[hc4]

{
  "username_header": "Remote-User",
  "fullname_header": null,
  "email_header": null,
  "default_group": null,
  "auto_create_user": true,
  "require_trusted_proxies": false,
  "trusted_proxies": "127.0.0.1/32, 0:0:0:0:0:0:0:1/128"
}

I have graylog at 127.0.0.1 and squid3 at public IP on same port The same configured squid works fine for Grafana in similar setup

[hc4]

hm... i think I get the problem. Squid works only for web port, but not for REST

[kroepke]

If you use beta.2 you can also set them to the same port (web and rest). Be sure to include a path for the web interface portion (e.g. /console)

[hc4]

where should i add /consol excatly?

[hc4]

got it working with sso auth.

rest_listen_uri = http://127.0.0.1:80/ rest_transport_uri = http://graylog:80/ web_listen_uri = http://127.0.0.1:80/console web_endpoint_uri not set

• squid on public ip port 80

The problem was, that I use kerberos, which requires fqdn access

[hc4]

the only problem left - if I open http://graylog/ - it will redirect to http://127.0.0.1/console :)

[hc4]

And second problem. if i set rest_transport_uri = http://graylog:80/, then I can't access graylog at http://graylog.domain.name/ And if I set rest_transport_uri = http://graylog.domain.name:80/ - it won't work at http://graylog/

[hc4]

no. It s not fully functional in this setup :(

There is errors in logs: [ProxiedResource] Unable to call http://graylog/system/metrics/multiple on node <*GUID*>, caught exception: Failed to connect to graylog/127.0.1.1:80 (class java.net.ConnectException)

[hc4]

in browser errors 500 returned sometimes. For example for http://graylog/cluster/_GUID_/jvm returned: {"type":"ApiError","message":"Failed to connect to graylog/127.0.1.1:12900"}

[hc4]

Is it posible to get auth header from web request and leave rest on 12900 with only sessionid auth?

[hc4]

Finally got it working!

My graylog config:

rest_listen_uri = http://127.0.0.1:80/
rest_transport_uri = http://127.0.0.1:80/
web_listen_uri = http://127.0.0.1:80/web
web_endpoint_uri =

And also i've removed originserver from cache_peer in squid config:

http_port [pub_ip]:80 accel
cache_peer 127.0.0.1 parent 80 0 no-query proxy-only

[hc4]

And also added acl to squid, to pass users with session: without kerberos auth

acl with_session req_header Authorization -i ^Basic .*OnNlc3Npb24=$
http_access allow with_session

Without this after some time some rest requests will fail and password window will popup in browser

[kroepke]

So this is working in principle but difficult to get right from the settings? If so I'd close this here.

[hc4]

yes, the header itself passed correctly