Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Graylog/JVM proxy settings not working when proxy basic auth is needed #4594

Closed schindlerd closed 6 years ago

schindlerd commented 6 years ago

My test installation is complaining about “Graylog Enterprise License Violation” and I have to use a proxy to access https://api.graylog.com/report.

Expected Behavior

Access to https://api.graylog.com/report should be possible when proxy with basic-auth is configured.

Current Behavior

The BlueCoat proxy uses basic auth and I didn’t get it working via the http_proxy_uri in the server.conf. Is there a special format to use when proxy-basic-auth is required? My yum.conf for example is successfully using the proxy configuration.

I added the following to the default java options for the JVM:

    GRAYLOG_SERVER_JAVA_OPTS="... -Djdk.http.auth.tunneling.disabledSchemes= -Dhttp.proxyUser=user -Dhttp.proxyPassword=password -Dhttp.proxyHost=myproxy -Dhttp.proxyPort=8080 -Dhttps.proxyUser=user -Dhttps.proxyPassword=password -Dhttps.proxyHost=myproxy -Dhttps.proxyPort=8080"

I already added -Djdk.http.auth.tunneling.disabledSchemes= because since Java 8u111 basic auth has been disabled by default (http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html).

But I still keep getting HTTP-407:

    2018-02-13T21:38:56.046+01:00 WARN [LicenseReportPeriodical] Unable to connect to license server: Failed to authenticate with proxy.
    2018-02-13T21:43:55.889+01:00 WARN [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 85, limit: 72

Possible Solution

Steps to Reproduce (for bugs)

  1. Configure proxy with basic auth in server.conf or via JVM options
  2. Restart graylog-server

Context

Your Environment

joschi commented 6 years ago

@schindlerd What was the value of http_proxy_uri when you tried using the JVM proxy settings (http.proxyHost etc.)?

schindlerd commented 6 years ago

I used the fully qualified domain name for both options. I tried http_proxy_uri = http://user:password@proxy-fqdn:8080 (environment variable style) and for the Java option I used http.proxyHost=proxy-fqdn.

joschi commented 6 years ago

@schindlerd Please try again with an empty http_proxy_uri setting and the JVM proxy settings filled.

My guess is that http_proxy_uri would overwrite the JVM settings for the HTTP client being used by Graylog to communicate with the license service, but since it doesn't support proxy credentials right now, it fails to authenticate with the proxy.

schindlerd commented 6 years ago

@joschi That is exactly my current setup :) I'm using only the JVM options and http_proxy_uri is empty.

schindlerd commented 6 years ago

@joschi Any other idea regarding this issue?

Thanks in advance.

joschi commented 6 years ago

@schindlerd There's currently no workaround.

bernd commented 6 years ago

@schindlerd Proxy authentication using basic auth now works. This fix will be in the upcoming 2.4.4 release.
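
Added example, not part of the thread and not Graylog's code: one way an HTTP client can turn credentials embedded in a proxy URI (the `http://user:password@proxy-fqdn:8080` form tried earlier in this thread) into a Basic `Proxy-Authorization` header, percent-decoding the userinfo and masking the password before the URI is logged. The class and method names and the sample credentials are hypothetical.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ProxyUriCredentials {

    /** Returns the Proxy-Authorization header value for the URI's userinfo, or null if it has none. */
    static String proxyAuthorization(URI proxyUri) throws Exception {
        String raw = proxyUri.getRawUserInfo();   // still percent-encoded
        if (raw == null || raw.isEmpty()) {
            return null;                          // no credentials: a 407 from the proxy cannot be answered
        }
        // Split on the first ':' before decoding, so an encoded ':' (%3A) in the password survives.
        int sep = raw.indexOf(':');
        String user = decode(sep < 0 ? raw : raw.substring(0, sep));
        String pass = sep < 0 ? "" : decode(raw.substring(sep + 1));
        byte[] pair = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        // Basic is only base64, not encryption: the proxy hop sees the password in clear.
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    /** Percent-decodes one userinfo component; a literal '+' must not become a space. */
    static String decode(String s) throws Exception {
        return URLDecoder.decode(s.replace("+", "%2B"), "UTF-8");
    }

    /** Form of the proxy URI that is safe to write to logs: the password is masked. */
    static String redacted(URI proxyUri) {
        String raw = proxyUri.getRawUserInfo();
        if (raw == null) {
            return proxyUri.toString();
        }
        int sep = raw.indexOf(':');
        String masked = sep < 0 ? raw : raw.substring(0, sep) + ":***";
        return proxyUri.toString().replace(raw + "@", masked + "@");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; the password contains '@' and ':' in percent-encoded form.
        URI uri = URI.create("http://user:p%40ss%3Aword@proxy-fqdn:8080");
        System.out.println("proxy = " + redacted(uri));
        System.out.println("Proxy-Authorization: " + proxyAuthorization(uri));
    }
}
```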

schindlerd commented 6 years ago

Thank you guys! 😀

schindlerd commented 6 years ago

Hi guys! I don't get it working in our environment. Please see #4788