SSO is not working with 3.3.5

Hi Team,

I need help with graylog-sso plugin configuration with nginx reverse proxy basic-auth. Has anyone achieved that?

Here is my nginx config

server {
        listen 80;
        server_name portal.graylog.test;
#        return 301 https://$server_name$request_uri;
        add_header X-Frame-Options "SAMEORIGIN";
        access_log /var/log/nginx/graylog/access.log;
        error_log /var/log/nginx/graylog/error.log;

        location / {
                auth_basic "Login";
                auth_basic_user_file "/etc/nginx/.htpasswd";
                client_max_body_size 10m;
                client_body_buffer_size 128k;
                proxy_send_timeout 90;
                proxy_http_version 1.1;
                proxy_read_timeout 90;
                proxy_buffer_size 128k;
                proxy_buffers 4 256k;
                proxy_busy_buffers_size 256k;
                proxy_temp_file_write_size 256k;
                proxy_connect_timeout 30s;
                proxy_pass http://192.168.5.111:9000;
                proxy_set_header X-Graylog-Server-URL http://$server_name/;
                proxy_set_header Host $host;
                proxy_set_header Remote-User $remote_user;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Requested-By $remote_addr;
        }

        location /api/ {
                proxy_pass http://portal.graylog.test:9000/api/;
        }
}

And my Graylog config:
Have downloaded the SSO plugin
Installed it in the plugin directory
Single Sign-On in first place

Username Header: Remote-User
Trusted proxies defined: 192.168.5.0/24

Am I missing anything?

Ok - I made some progress but still not able to use SSO

server {
        listen 80;
        server_name portal.graylog.test;
#        return 301 https://$server_name$request_uri;
        add_header X-Frame-Options "SAMEORIGIN";
        auth_basic "Login";
        auth_basic_user_file "/etc/nginx/.htpasswd";
        access_log /var/log/nginx/graylog/access.log;
        error_log /var/log/nginx/graylog/error.log;

        location / {
                client_max_body_size 10m;
                client_body_buffer_size 128k;
                proxy_send_timeout 90;
                proxy_http_version 1.1;
                proxy_read_timeout 90;
                proxy_buffer_size 128k;
                proxy_buffers 4 256k;
                proxy_busy_buffers_size 256k;
                proxy_temp_file_write_size 256k;
                proxy_connect_timeout 30s;
                proxy_pass http://192.168.5.111:9000;
                proxy_set_header X-Graylog-Server-URL http://$server_name/;
                proxy_set_header Host $host;
                proxy_set_header Remote-User $remote_user;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Requested-By $remote_addr;
        }

        location /api/ {
                proxy_pass http://192.168.5.111/api/;
                proxy_set_header X-Graylog-Server-URL http://$server_name/api/;
                proxy_set_header Host $host;
                proxy_set_header Remote-User $remote_user;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Requested-By $remote_addr;
        }
}

Now getting this error

Error message
    cannot GET http://portal.graylog.test/api/ (502)

Hi.

Were you able to use the plugin?
Can you help me?

Nah - I am still stuck.

Looking for assistance from community.

There is a comment from the dev on GitHub that the plugin/auth process in Graylog needs to be rewritten…

I switched to basic LDAPS via AD…

Thanks for clarifying.

I’m working on something similar, and was able to get a workaround by whitelisting the /api path in the auth proxy. I believe it is required since Graylog does its own calls to the API, which don’t have auth that satisfies the demands from Nginx.
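
Exempting /api from basic auth changes what Graylog can trust in the Remote-User header. In a location without basic auth, nginx forwards the client's own Remote-User header unless that location sets it to an empty string, and `$remote_user` there comes from an unverified Authorization header. The check below is an added example, not code from any poster or from Graylog; `parse`, `audit` and the sample config are constructed for illustration and cover only the directives used in this thread.

```python
import re

HEADER = "remote-user"  # username header configured in the thread's SSO settings

def parse(tokens):
    """Return [(words, children)]; children is None for a simple directive."""
    nodes, words = [], []
    for tok in tokens:
        if tok in ("{", ";"):
            nodes.append((words, parse(tokens) if tok == "{" else None))
            words = []
        elif tok == "}":
            return nodes
        else:
            words.append(tok[1:-1] if tok.startswith('"') else tok)
    return nodes

def audit(conf):
    """List (block, forwarded value) where Remote-User reaches the upstream unauthenticated."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r"#[^\n]*", "", conf))
    findings = []
    def walk(block, auth, inherited, name):
        own = {}
        for words, children in block:
            if children is None and words[0] == "auth_basic":
                auth = words[1] != "off"
            elif children is None and words[0] == "proxy_set_header":
                own[words[1].lower()] = words[2]
        # nginx inherits proxy_set_header only if this level defines none at all
        headers = own or inherited
        proxied = any(c is None and w[0] == "proxy_pass" for w, c in block)
        value = headers.get(HEADER)  # None: the client's own header passes through
        if proxied and not auth and value != "":
            findings.append((name, value or "<client-supplied>"))
        for words, children in block:
            if children is not None:
                walk(children, auth, headers, " ".join(words))

    walk(parse(iter(tokens)), False, {}, "main")
    return findings

# Constructed sample: the /api exemption, with a slot (%s) for a Remote-User line.
TEMPLATE = '''server {
  auth_basic "Login";
  location / { proxy_pass http://192.168.5.111:9000;
               proxy_set_header Remote-User $remote_user; }
  location /api/ { auth_basic off; proxy_pass http://192.168.5.111:9000/api/;
                   proxy_set_header Host $host; %s }
}'''
```

`audit(TEMPLATE % 'proxy_set_header Remote-User "";')` returns no findings, because nginx does not pass a header whose value is an empty string to the proxied server.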