blason
(Blason)
September 28, 2020, 2:54am
1
Hi Team,
I need help with graylog-sso plugin configuration with nginx reverse proxy basic-auth. Has anyone achieved that?
Here is my nginx config:
```nginx
server {
    listen 80 ;
    server_name portal.graylog.test;
    # return 301 https://$server_name$request_uri;
    add_header X-Frame-Options "SAMEORIGIN";
    access_log /var/log/nginx/graylog/access.log;
    error_log /var/log/nginx/graylog/error.log;
    location / {
        auth_basic "Login";
        auth_basic_user_file "/etc/nginx/.htpasswd";
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_http_version 1.1;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass http://192.168.5.111:9000;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_set_header Host $host;
        proxy_set_header Remote-User $remote_user;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Requested-By $remote_addr;
    }
    location /api/ {
        proxy_pass http://portal.graylog.test:9000/api/;
    }
}
```
And my Graylog config
Have downloaded SSO plugin
Installed in plugin directory
Single Sign on at first place
Username Header Remote-User
Trusted proxies defined 192.168.5.0/24
Am I missing anything?
blason
(Blason)
September 28, 2020, 3:39am
2
Ok - I made some progress but still not able to use SSO
```nginx
server {
    listen 80 ;
    server_name portal.graylog.test;
    # return 301 https://$server_name$request_uri;
    add_header X-Frame-Options "SAMEORIGIN";
    auth_basic "Login";
    auth_basic_user_file "/etc/nginx/.htpasswd";
    access_log /var/log/nginx/graylog/access.log;
    error_log /var/log/nginx/graylog/error.log;
    location / {
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_http_version 1.1;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass http://192.168.5.111:9000;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_set_header Host $host;
        proxy_set_header Remote-User $remote_user;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Requested-By $remote_addr;
    }
    location /api/ {
        proxy_pass http://192.168.5.111/api/;
        proxy_set_header X-Graylog-Server-URL http://$server_name/api/;
        proxy_set_header Host $host;
        proxy_set_header Remote-User $remote_user;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Requested-By $remote_addr;
    }
}
```
Now getting this error
Error message
cannot GET http://portal.graylog.test/api/ (502)
emerchalegre
(Emerson Chalegre)
September 29, 2020, 8:23pm
3
Hi.
Were you able to use the plugin?
Can you help me?
blason
(Blason)
October 1, 2020, 4:14am
4
Nah - I am still stuck.
Looking for assistance from community.
There is a comment from the dev on GitHub, that the plugin/Auth process in Graylog needs to be rewritten…
I switched to basic Ldaps via AD…
oscarlo
(oscar.lofwenhamn)
October 14, 2020, 8:12am
7
I’m working on something similar, and was able to get a workaround by whitelisting the /api path in the auth proxy. I believe it is required since Graylog does its own calls to the API, which don’t have auth that satisfies the demands from Nginx.
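An added example, not part of the original thread and not code from Graylog or the SSO plugin: a small Python audit for the workaround in the reply above. It assumes the /api exemption is written as `auth_basic off;` and flags locations that still forward `Remote-User $remote_user`, because Graylog is configured to trust that header from the proxy while nginx no longer verifies the credentials there. The function name and the sample config are constructed for illustration.

```python
# Constructed sample: the thread's server block, trimmed, with the /api/
# exemption written as "auth_basic off" (an assumption, see lead-in).
SAMPLE = """
server {
    auth_basic "Login";
    auth_basic_user_file "/etc/nginx/.htpasswd";
    location / {
        proxy_pass http://192.168.5.111:9000;
        proxy_set_header Remote-User $remote_user;
    }
    location /api/ {
        auth_basic off;
        proxy_pass http://192.168.5.111:9000/api/;
        proxy_set_header Remote-User $remote_user;
    }
}
"""

def unverified_identity_locations(conf, header="Remote-User"):
    """Locations that forward $remote_user without enforcing basic auth.

    Hypothetical helper: one server block, one directive per line.
    """
    server_auth, loc, locs = False, None, {}
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].strip().rstrip(";").split()
        if not tok:
            continue
        if tok[0] == "location" and tok[-1] == "{":
            loc = tok[-2]
            locs[loc] = {"auth": None, "forwards": False}  # None = inherit
        elif tok[0] == "}":
            loc = None
        elif tok[0] == "auth_basic" and len(tok) > 1:
            if loc is None:
                server_auth = tok[1] != "off"
            else:
                locs[loc]["auth"] = tok[1] != "off"
        elif tok[0] == "proxy_set_header" and loc and len(tok) > 2:
            if tok[1].lower() == header.lower() and tok[2] == "$remote_user":
                locs[loc]["forwards"] = True
    # With auth_basic off, nginx fills $remote_user from the request's
    # Authorization header without checking it against the htpasswd file.
    return [p for p, s in locs.items()
            if s["forwards"] and not (server_auth if s["auth"] is None else s["auth"])]

if __name__ == "__main__":
    print(unverified_identity_locations(SAMPLE))
```

Writing `proxy_set_header Remote-User "";` in the exempted location clears the finding, since nginx does not pass a header whose value is an empty string to the proxied server.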