Graylog v4.0.1 oauth2

Hi there.
Could somebody explain how "Trusted Header Authentication" should be configured to work properly?
I want to be able to auth into Graylog with my Google account.
For now, I use bitly/oauth2_proxy (a reverse proxy that provides authentication with Google, GitHub or other providers) for authentication into my ELK, and it works pretty well.

Does nobody use oauth for Graylog? :pensive:

For anybody who faces the same question.
A simple example: add this to the nginx vhost config:
proxy_set_header Graylog-User testuser;
where:

  • Graylog-User - the header that I set up in the Trusted Header Authentication menu.
  • testuser - the Graylog user that will be authenticated in the web interface. It can’t be the local admin user!

My full nginx config:

server {
    listen 443 ssl;
    server_name graylog.domain.net;

    ssl_certificate /etc/nginx/ssl/domain.net.pem;
    ssl_certificate_key /etc/nginx/ssl/domain.net.key;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 15;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

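# Authorized proxy for Graylog
server {
    # Bind to loopback only: this vhost injects the trusted header, so it must be
    # reachable only through oauth2_proxy (upstream http://127.0.0.1:8080/).
    listen 127.0.0.1:8080;
    server_name 127.0.0.1;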

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/;
        proxy_set_header Graylog-User testuser;
        proxy_pass http://127.0.0.1:9000;
        proxy_connect_timeout 60;
        proxy_send_timeout    60;
        proxy_read_timeout    60;
        send_timeout          60;
    }
}

/etc/oauth2_proxy.cfg :

# based on https://github.com/bitly/oauth2_proxy/blob/master/contrib/oauth2_proxy.cfg.example
email_domains = [
    "domain.corp",
    "domain2.corp"
]

upstreams = [
    "http://127.0.0.1:8080/"
]

pass_basic_auth = false

redirect_url = "https://graylog.domain.net/oauth2/callback"

cookie_name = "_oauth2_proxy"
cookie_secret = "secret_key"
cookie_secure = true

client_id = "id.apps.googleusercontent.com"
client_secret = "secret_key"
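A static check for the proxy layout above, as an added example that is not part of the original post or of the Graylog or nginx projects: Graylog trusts whatever arrives in the configured header, so the vhost in front of it should be reachable only through the auth proxy and should always set the header itself. The sample configs and the `audit` and `server_blocks` helpers are constructed for illustration, and the parser is a simplified brace matcher, not a full nginx parser.

```python
import re

# Constructed sample: a vhost that injects the trusted header and proxies to
# Graylog on 127.0.0.1:9000, but listens on a bare port (all interfaces).
EXPOSED = """
server {
    listen 8080;
    server_name 127.0.0.1;
    location / {
        proxy_set_header Graylog-User testuser;
        proxy_pass http://127.0.0.1:9000;
    }
}
"""
# Same vhost bound to loopback, so only the local auth proxy can reach it.
LOOPBACK_ONLY = EXPOSED.replace("listen 8080;", "listen 127.0.0.1:8080;")

LOCAL = re.compile(r"^(127\.0\.0\.1|localhost|\[::1\])(:\d+)?$|^unix:")

def server_blocks(conf):
    """Yield the body of every `server { ... }` block by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf, backend="127.0.0.1:9000", header="Graylog-User"):
    """Return findings for vhosts that proxy to the Graylog backend."""
    findings = []
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (no quoted '#' handling)
    for body in server_blocks(conf):
        if not re.search(r"proxy_pass\s+https?://" + re.escape(backend), body):
            continue  # this vhost does not front Graylog
        # with no listen directive nginx defaults to *:80 when run as root
        for addr in re.findall(r"\blisten\s+([^\s;]+)", body) or ["*:80"]:
            if not LOCAL.match(addr):
                findings.append(f"listen {addr}: reachable without the auth proxy")
        # proxy_set_header replaces any client-sent header of the same name
        if not re.search(r"proxy_set_header\s+" + re.escape(header) + r"\s+\S", body, re.I):
            findings.append(f"{header} is not set here: client value is forwarded")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("loopback", LOOPBACK_ONLY)):
        print(name, audit(conf) or "ok")
```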