SSO is not working with 3.3.5

Hi Team,

I need help with graylog-sso plugin configuration with nginx reverse proxy basic-auth. Has anyone achieved that?

Here is my nginx config

server {
    listen 80;
    server_name portal.graylog.test;
    # return 301 https://$server_name$request_uri;
    add_header X-Frame-Options "SAMEORIGIN";
    access_log /var/log/nginx/graylog/access.log;
    error_log /var/log/nginx/graylog/error.log;

    location / {
        auth_basic "Login";
        auth_basic_user_file "/etc/nginx/.htpasswd";
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_http_version 1.1;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass http://192.168.5.111:9000;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_set_header Host $host;
        proxy_set_header Remote-User $remote_user;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Requested-By $remote_addr;
    }

    location /api/ {
        proxy_pass http://portal.graylog.test:9000/api/;
    }
}

And my Graylog config
Have downloaded SSO plugin
Installed in plugin directory
Single Sign on at first place

Username Header Remote-User
Trusted proxies defined 192.168.5.0/24

Am I missing anything?

Ok - I made some progress but still not able to use SSO

server {
    listen 80;
    server_name portal.graylog.test;
    # return 301 https://$server_name$request_uri;
    add_header X-Frame-Options "SAMEORIGIN";
    auth_basic "Login";
    auth_basic_user_file "/etc/nginx/.htpasswd";
    access_log /var/log/nginx/graylog/access.log;
    error_log /var/log/nginx/graylog/error.log;

    location / {
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_http_version 1.1;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass http://192.168.5.111:9000;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_set_header Host $host;
        proxy_set_header Remote-User $remote_user;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Requested-By $remote_addr;
    }

    location /api/ {
        proxy_pass http://192.168.5.111/api/;
        proxy_set_header X-Graylog-Server-URL http://$server_name/api/;
        proxy_set_header Host $host;
        proxy_set_header Remote-User $remote_user;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Requested-By $remote_addr;
    }
}

Now getting this error

Error message
    cannot GET http://portal.graylog.test/api/ (502)

Hi.

Were you able to use the plugin?
Can you help me?

Nah - I am still stuck.

Looking for assistance from the community.

There is a comment from the dev on GitHub, that the plugin/Auth process in Graylog needs to be rewritten…

I switched to basic LDAPS via AD…

Thanks for clarifying.

I’m working on something similar, and was able to get a workaround by whitelisting the /api path in the auth proxy. I believe it is required since Graylog does its own calls to the API, which don’t have auth that satisfies the demands from Nginx.
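Added example, not written by any poster in this thread and not Graylog or plugin code: since Graylog is configured to take the username from the Remote-User header when the request comes from a trusted proxy, it helps to check, for every proxied location, whether Basic auth is in effect and whether nginx sets Remote-User itself. The Python sketch below applies nginx's inheritance rules for `auth_basic` and `proxy_set_header` to a trimmed copy of the first server block; the parser is simplified and the function names are assumptions.

```python
import re

# Constructed sample: the first server block from the thread, trimmed to the
# directives that decide authentication and the username header.
SAMPLE = """
server {
    location / {
        auth_basic "Login";
        proxy_pass http://192.168.5.111:9000;
        proxy_set_header Host $host;
        proxy_set_header Remote-User $remote_user;
    }
    location /api/ {
        proxy_pass http://portal.graylog.test:9000/api/;
    }
}
"""

def parse_server(conf):
    """Simplified parser (assumption): one server block, no nested
    locations, includes, comments or semicolons inside quotes."""
    server, locations, current = [], {}, None
    for token in re.findall(r"[^{};]+[{;]|}", conf):
        words = token.rstrip("{;").split()
        if token.endswith("{") and words[:1] == ["location"]:
            current = locations.setdefault(words[-1], [])
        elif token == "}":
            current = None
        elif token.endswith(";") and words:
            (server if current is None else current).append(words)
    return server, locations

def audit(conf, header="Remote-User"):
    """Per proxied location: is Basic auth on, does nginx set `header` itself?"""
    server, locations = parse_server(conf)
    report = {}
    for path, own in locations.items():
        if not any(d[0] == "proxy_pass" for d in own):
            continue
        # A directive set in the location replaces the server-level one.
        pick = lambda name: ([d for d in own if d[0] == name]
                             or [d for d in server if d[0] == name])
        auth = pick("auth_basic")
        # proxy_set_header is inherited only if the location defines none.
        names = [d[1].lower() for d in pick("proxy_set_header")]
        report[path] = {"basic_auth": bool(auth) and auth[-1][1] != "off",
                        "header_set": header.lower() in names}
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, `/` is reported with Basic auth and a proxy-set Remote-User, while `/api/` has neither; a location exempted from auth can still set the header explicitly, for example to an empty value so that nginx does not pass it on.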
