Graylog 2.4 ProxiedResource api unauthorized

I have a graylog 2.4 service behind a reverse and forward proxy (both apache). I am trying to deploy SSO using the plugin. I added keycloak gatekeeper as a proxy (github louketo proxy - gatekeeper 0.10.0 branch ) and now get the subject error when accessing the API.
marketplace.graylog.org->addons->eeeb0704-d50a-4df0-a789-eee29b1bb11d

My apache config is

<VirtualHost *:443>
  ServerName mygraylog.example.com
  ... SSL settings here ...
  RequestHeader set X-Graylog-Server-URL "https : //mygraylog.example.com/api"
  RequestHeader set X-Forwarded-Host $host
  RequestHeader set X-Forwarded-Server $host
  RequestHeader set X-Forwarded-For $proxy_add_x_forwarded_for
  ProxyPass / https : //graylog.internal:443/ Keepalive=on connectiontimeout=600 timeout=600
  ProxyPassReverse / https://graylog.internal:443
</VirtualHost>

Graylog Server config

rest_enable_tls = True
rest_listen_uri = https : //0.0.0.0:9000/api/
rest_transport_uri = https : //localhost:9000/api/
rest_tls_cert_file = /etc/pki/certs/cert.pem
rest_tls_key_file = /etc/pki/certs/pkcs8-encrypted.pem
rest_tls_key_password = examplesecret
# increase header size to allow for large JWT
rest_max_header_size = 40000
....
web_enable_tls = True
web_listen_uri = https : //0.0.0.0:9000/
web_tls_cert_file = /etc/pki/certs/cert.pem
web_tls_key_file = /etc/pki/certs/pkcs8-encrypted.pem
web_tls_key_password = examplesecret
# increase header size for large 
....

Gatekeeper config.yml

discovery-url: https : //myidam.example.com/auth/realms/master
skip-open-id-provider-tls-verify: true
client-id: myoidc
client-secret: XXXXXXX
listen: ":443"
enable-refresh-tokens: true
tls-cert: /etc/pki/certs/cert.pem
tls-private-key: /etc/pki/pkcs8-plain.pem
redirection-url:  https://mygraylog.example.com
encryption-key: XXXXXX
upstream-url: https : //localhost:9000
upstream-keepalives: True
skip-upstream-tls-verify: True
headers:
  Host:  mygraylog.example.com
add-claims:
  -  user-name

Removing the gatekeeper and resetting apache to point directly to the graylog server on port 9000 removed the error message.

The error I receive is
[ProxiedResource] Unable to call https : //localhost:9000/api/system/metrics/multiple on node , result: Unauthorized

I followed the instructions in the HTTPS section to regenerate the self signed cert, and it is in the keystore file.

I’ve tried terminating TLS at the gatekeeper and still get the same error.
[ProxiedResource] Unable to call http : //localhost:9000/api/system/metrics/multiple on node , result: Unauthorized

I have not enabled the trusted proxies in the SSO app security nor configured it in the graylog server.conf file.

Tried adding trusted proxy of
trusted_proxies = 0.0.0.0/0

And the result is the same.
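Before pulling the proxy chain apart, it helps to rule out plain configuration mistakes of the kind visible in the post above: a mis-typed key name, whitespace inside a listen or transport URI, and a trusted_proxies value of 0.0.0.0/0, which tells Graylog to believe forwarded headers from any client instead of only from the reverse proxy. The linter below is an added example, not Graylog's code and not the poster's; its list of known keys is my own subset of the Graylog 2.x server.conf keys used in this thread, and the sample configuration is constructed to reproduce those three problems.

```python
"""Lint a Graylog 2.x server.conf for the kinds of mistakes seen in this thread.

Added example, not part of Graylog: it parses the `key = value` format of
server.conf, flags keys that look like typos of real settings, rejects *_uri
values that are not well-formed http(s) URLs (e.g. stray whitespace), optionally
checks that TLS cert/key files exist, and warns when trusted_proxies trusts
every client.
"""
import difflib
import ipaddress
import os
from urllib.parse import urlsplit

# Subset of Graylog 2.x server.conf keys relevant to the REST/web listeners,
# TLS and proxy handling (an assumption; extend it for your own installation).
KNOWN_KEYS = {
    "rest_enable_tls", "rest_listen_uri", "rest_transport_uri",
    "rest_tls_cert_file", "rest_tls_key_file", "rest_tls_key_password",
    "rest_max_header_size", "web_enable_tls", "web_listen_uri",
    "web_tls_cert_file", "web_tls_key_file", "web_tls_key_password",
    "web_max_header_size", "trusted_proxies",
}

# Constructed sample that reproduces the thread's mistakes: a typo in a key,
# whitespace inside a URI, and a catch-all trusted_proxies network.
SAMPLE_CONF = """\
rest_enable_tls = True
rest_listen_uri = https : //0.0.0.0:9000/api/
rest_transport_uri = https://localhost:9000/api/
rest_tls_cert_file = /etc/pki/certs/cert.pem
rest_tls_key_file = /etc/pki/certs/pkcs8-encrypted.pem
rest_tlk_key_password = examplesecret
# increase header size to allow for large JWT
rest_max_header_size = 40000
web_enable_tls = True
web_listen_uri = https://0.0.0.0:9000/
trusted_proxies = 0.0.0.0/0
"""


def parse_conf(text):
    """Parse server.conf into a dict; comments and blank lines are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        conf[key.strip()] = value.strip()
    return conf


def check_uri(key, value):
    """A listen/transport URI must be a single http(s) URL with a host."""
    findings = []
    if any(ch.isspace() for ch in value):
        findings.append(f"{key}: contains whitespace: {value!r}")
    parts = urlsplit("".join(value.split()))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        findings.append(f"{key}: not a valid http(s) URL: {value!r}")
    return findings


def check_trusted_proxies(value):
    """Each entry must be a CIDR; a /0 network trusts every client's headers."""
    findings = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            findings.append(f"trusted_proxies: {item!r} is not a valid CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(
                f"trusted_proxies: {item} trusts every client, so anyone who can "
                "reach the port can spoof forwarded headers; list only the reverse "
                "proxy's address(es)")
    return findings


def lint(conf, check_files=False):
    """Return a list of human-readable findings; empty means nothing was flagged."""
    findings = []
    for key, value in conf.items():
        if key not in KNOWN_KEYS:
            # Unknown keys outside our subset are ignored; near-misses are reported.
            near = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
            if near:
                findings.append(f"{key}: unknown key, did you mean {near[0]}?")
            continue
        if key.endswith("_uri"):
            findings.extend(check_uri(key, value))
        elif key == "trusted_proxies":
            findings.extend(check_trusted_proxies(value))
        elif check_files and key.endswith(("_cert_file", "_key_file")):
            if not os.path.isfile(value):
                findings.append(f"{key}: file not found: {value}")
    return findings


if __name__ == "__main__":
    import sys
    # With a path argument, lint that file (and check cert/key paths); otherwise
    # run against the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in lint(parse_conf(text), check_files=len(sys.argv) > 1):
        print(finding)
```

Run it as `python lint_graylog_conf.py /etc/graylog/server/server.conf` on the real file; on the constructed sample it reports the whitespace in rest_listen_uri, suggests rest_tls_key_password for the mis-typed key, and flags 0.0.0.0/0. A clean trusted_proxies for the setup in this thread would list just the address the Apache (or gatekeeper) hop connects from, e.g. 127.0.0.1/32 when the proxy runs on the same host.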

@mschneider
Hello,
Was your HTTPS working prior to using SSO? Or did you do all these configurations at the same time (i.e., reverse, forward proxy, etc…)?
I noticed some white spaces in your configuration, not sure if that was an error posting or not.

rest_listen_uri = https : //0.0.0.0:9000/api/
rest_transport_uri = https : //localhost:9000/api/
web_listen_uri = https : //0.0.0.0:9000/

When I used Graylog 2 my configuration looked like this.
Edit /etc/graylog/server/server.conf

rest_listen_uri = http://dns.name.of.server:9000/api/
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/graylog-certificate.pem
rest_tls_key_file = /etc/graylog/graylog-key.pem
rest_tls_key_password = secret
web_enable_tls = true
web_listen_uri = http://dns.name.of.server:9000/
web_tls_cert_file = /etc/graylog/graylog-certificate.pem
web_tls_key_file = /etc/graylog/graylog-key.pem
web_tls_key_password = secret

I used this documentation; it worked for my environment.

Hope that helps.

HTTPS was working prior to adding SSO.
The spaces were typed in as it wouldn’t let me post more than 2 URLs. And I was trying to track down which URLs were the issue.
Is it correct that the rest and web listen uri are HTTP even though you are using TLS?

@mschneider

I do believe so. It's been like 4 years ago and I had to look up my documentation for this.

Hope that helps

I removed the gatekeeper config as a test and it works without error, changing my Apache RP config to the following (spaces in the URL never really existed, so I removed them from the code below):

<VirtualHost *:443>
  ServerName mygraylog.example.com
  ... SSL settings here ...
  RequestHeader set X-Graylog-Server-URL "https://mygraylog.example.com/api"
  RequestHeader set X-Forwarded-Host $host
  RequestHeader set X-Forwarded-Server $host
  RequestHeader set X-Forwarded-For $proxy_add_x_forwarded_for
  ProxyPass / https://graylog.internal:9000/ Keepalive=on connectiontimeout=600 timeout=600
  ProxyPassReverse / https://graylog.internal:9000
</VirtualHost>

All else remains the same and the error goes away but now I am back to using usernames and passwords.
