I have a Graylog 2.4 service behind a reverse and a forward proxy (both Apache). I am trying to deploy SSO using the plugin. I added Keycloak Gatekeeper as a proxy (GitHub louketo proxy, gatekeeper 0.10.0 branch) and now get the error in the subject when accessing the API.
marketplace.graylog.org->addons->eeeb0704-d50a-4df0-a789-eee29b1bb11d
My Apache config is:
<VirtualHost *:443>
    ServerName mygraylog.example.com
    ... SSL settings here ...
    RequestHeader set X-Graylog-Server-URL "https://mygraylog.example.com/api"
    # mod_proxy adds X-Forwarded-For/-Host/-Server itself (ProxyAddHeaders defaults to On in 2.4);
    # $host and $proxy_add_x_forwarded_for are nginx variables and would be sent as literal text here.
    #RequestHeader set X-Forwarded-Host $host
    #RequestHeader set X-Forwarded-Server $host
    #RequestHeader set X-Forwarded-For $proxy_add_x_forwarded_for
    ProxyPass / https://graylog.internal:443/ Keepalive=on connectiontimeout=600 timeout=600
    ProxyPassReverse / https://graylog.internal:443/
</VirtualHost>
Graylog server config:
rest_enable_tls = true
rest_listen_uri = https://0.0.0.0:9000/api/
rest_transport_uri = https://localhost:9000/api/
rest_tls_cert_file = /etc/pki/certs/cert.pem
rest_tls_key_file = /etc/pki/certs/pkcs8-encrypted.pem
rest_tls_key_password = examplesecret
# increase header size to allow for a large JWT
rest_max_header_size = 40000
....
web_enable_tls = true
web_listen_uri = https://0.0.0.0:9000/
web_tls_cert_file = /etc/pki/certs/cert.pem
web_tls_key_file = /etc/pki/certs/pkcs8-encrypted.pem
web_tls_key_password = examplesecret
# increase header size for large
....
Gatekeeper config.yml:
discovery-url: https://myidam.example.com/auth/realms/master
skip-openid-provider-tls-verify: true
client-id: myoidc
client-secret: XXXXXXX
listen: ":443"
enable-refresh-tokens: true
tls-cert: /etc/pki/certs/cert.pem
tls-private-key: /etc/pki/pkcs8-plain.pem
redirection-url: https://mygraylog.example.com
encryption-key: XXXXXX
upstream-url: https://localhost:9000
upstream-keepalives: true
skip-upstream-tls-verify: true
headers:
  Host: mygraylog.example.com
add-claims:
  - user-name
Removing the gatekeeper and resetting Apache to point directly to the Graylog server on port 9000 removed the error message.
The error I receive is:
[ProxiedResource] Unable to call https://localhost:9000/api/system/metrics/multiple on node , result: Unauthorized
I followed the instructions in the HTTPS section to regenerate the self-signed cert, and it is in the keystore file.
I’ve tried terminating TLS at the gatekeeper and still get the same error:
[ProxiedResource] Unable to call http://localhost:9000/api/system/metrics/multiple on node , result: Unauthorized
I have not enabled the trusted proxies in the SSO app security settings, nor configured them in the Graylog server.conf file.
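One way to see what the SSO plugin actually receives from this Apache -> gatekeeper chain is to put a throwaway upstream on port 9000 for a moment and let it report the forwarded headers. This is an added example, not code from the post or from Graylog/gatekeeper; the expected header list and the `X-Auth-` claim prefix are assumptions based on the configs above, and it speaks plain HTTP, so point `upstream-url` at `http://localhost:9000` while testing.

```python
"""Stand-in upstream that reports which proxy headers reach port 9000.

Added example (not from the original post). EXPECTED and CLAIM_PREFIX are
assumptions: the first lists headers the Apache config above sets or that
mod_proxy normally adds, the second is the prefix gatekeeper is believed to
use for forwarded claims such as the `user-name` entry under add-claims.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

EXPECTED = ["X-Forwarded-For", "X-Forwarded-Host", "X-Graylog-Server-URL", "Host"]
CLAIM_PREFIX = "x-auth-"  # assumed gatekeeper claim header prefix


def check_headers(headers):
    """Classify one request's headers (case-insensitively).

    Returns a dict with the expected headers that are present or missing,
    every forwarded claim header, and any expected header whose value starts
    with '$' (a sign that an nginx-style variable was written into Apache
    config and sent as literal text instead of being expanded).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    present = [h for h in EXPECTED if h.lower() in lower]
    missing = [h for h in EXPECTED if h.lower() not in lower]
    claims = {k: v for k, v in lower.items() if k.startswith(CLAIM_PREFIX)}
    literal = [h for h in EXPECTED if lower.get(h.lower(), "").startswith("$")]
    return {"present": present, "missing": missing,
            "claims": claims, "literal": literal}


class EchoHandler(BaseHTTPRequestHandler):
    """Answers every request with a JSON report of what arrived."""

    def do_GET(self):
        report = check_headers(dict(self.headers))
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET


if __name__ == "__main__":
    # Bind where gatekeeper's upstream-url points while Graylog is stopped.
    HTTPServer(("127.0.0.1", 9000), EchoHandler).serve_forever()
```

Open https://mygraylog.example.com/api/ in the browser while it runs; an empty `claims` map or `X-Forwarded-For` listed under `missing` or `literal` shows the break is in the proxy chain rather than in Graylog.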