SSO works without trusted_proxies


(Dave) #1

Hello,

I'm trying to set up SSO on my Graylog servers. I built a vanilla Graylog lab for testing. I also have LDAP enabled, which I can log in with.

Yes, I have read the docs, but no go :frowning: http://docs.graylog.org/en/2.4/pages/users_and_roles/external_auth.html?highlight=sso#single-sign-on

Environment:
graylog-2.4-repository-1-5.noarch
graylog-plugin-auth-sso-2.4.2-1.noarch
graylog-server-2.4.3-1.noarch

Single Sign-On Configuration

Username Header 'X-Forwarded-User'
[] - Request must come from a trusted proxy (this is unchecked)
[x] - Automatically create users (this is checked)
(all other fields are blank or "Reader")
grep proxies /etc/graylog/server/server.conf 
trusted_proxies = 10.xxx.xx.210/32, xxx:xxx:xx:xx::210/128

Graylog is behind nginx proxy /etc/nginx/nginx.conf:

	resolver 127.0.0.1;
	location /auth_verify {
		internal;
		proxy_pass_request_body off;
		proxy_set_header  X-Original-URI $request_uri;
		proxy_set_header  X-Real-IP $remote_addr;
		proxy_set_header  Host $http_host;
		proxy_set_header  Content-Length "";

		proxy_pass  https://login.nwk.jwm2.net/api/verify;
	}
	}

location /graylog {
	include test_authelia_params;
	access_log /var/log/nginx/back.log addHeaderlog ;

	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Graylog-Server-URL https://$server_name/graylog/api;
	proxy_pass       http://127.0.0.1:9000/graylog;
}

/etc/nginx/test_authelia_params

auth_request /auth_verify;
auth_request_set $redirect $upstream_http_redirect;
proxy_set_header Redirect $redirect;
auth_request_set $user $upstream_http_remote_user;
proxy_set_header X-Forwarded-User $user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://login.nwk.jwm2.net?redirect=$redirect;

login.nwk.jwm2.net is the auth server, which also has 2FA. It is configured in trusted_proxies.

The issue is that when I uncheck "Request must come from a trusted proxy" I can get in using the X-Forwarded-User header, which my login server sets (I can see it in the logs). When I check it, I can never get in, even if X-Forwarded-User is set :frowning:

Any input is appreciated

BTW, I'm using Authelia as the auth server.

Thank you,
dave


(Jochen) #2

The trusted proxy in this case is the nginx proxy, which provides the HTTP headers to Graylog.


(Dave) #3

Ohhh :open_mouth:

OK, OK, let me try!
Thank you @jochen


(Dave) #4

That was it!!

trusted_proxies = 127.0.0.1/32, ::1/128

Thanks again @jochen
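To make Jochen's point concrete, here is a small Python model of how a trusted_proxies check decides whether an X-Forwarded-User header is honoured. This is an added illustration, not Graylog's or the SSO plugin's own code; the Authelia host address is a constructed placeholder standing in for the redacted 10.xxx.xx.210 in the thread. It walks through the three situations from the thread: trusted_proxies pointing at the auth server (header ignored because nginx connects from 127.0.0.1), the fixed loopback entries (header honoured), and the checkbox turned off (anyone who can reach port 9000 directly can supply the header themselves, which is exactly what the check exists to prevent).

```python
import ipaddress
from typing import List, Mapping, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

USERNAME_HEADER = "X-Forwarded-User"


def parse_trusted_proxies(value: str) -> List[Network]:
    """Parse a comma-separated CIDR list in the style of the trusted_proxies setting."""
    return [
        ipaddress.ip_network(part.strip(), strict=False)
        for part in value.split(",")
        if part.strip()
    ]


def is_trusted_proxy(remote_addr: str, trusted: List[Network]) -> bool:
    """True if the TCP peer that delivered the request is inside one of the trusted CIDRs."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in trusted)


def sso_user(
    remote_addr: str,
    headers: Mapping[str, str],
    trusted: List[Network],
    require_trusted_proxy: bool = True,
) -> Optional[str]:
    """Return the username to log in as, or None if the header must not be trusted.

    remote_addr is the address of the peer that opened the connection to Graylog,
    i.e. the reverse proxy, never the upstream identity provider. Header names are
    matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(USERNAME_HEADER.lower(), "").strip()
    if not user:
        return None
    if require_trusted_proxy and not is_trusted_proxy(remote_addr, trusted):
        # The header is present but came from an untrusted peer: refuse it.
        return None
    return user


# Constructed sample values (the thread's real addresses are redacted).
AUTHELIA_ONLY = parse_trusted_proxies("10.0.0.210/32, 2001:db8::210/128")  # original mistake
LOOPBACK_NGINX = parse_trusted_proxies("127.0.0.1/32, ::1/128")             # fix from post #4
HEADERS_FROM_NGINX = {"X-Forwarded-User": "dave", "Remote-Groups": "admins"}


def thread_scenarios() -> dict:
    """Replay the situations described in the thread and return the outcome of each."""
    return {
        # nginx on the same host forwards the request from 127.0.0.1, which is not
        # in a list that only names the Authelia server -> header ignored, no login.
        "authelia_in_trusted_proxies": sso_user("127.0.0.1", HEADERS_FROM_NGINX, AUTHELIA_ONLY),
        # With loopback trusted, the header set by nginx is accepted.
        "loopback_in_trusted_proxies": sso_user("127.0.0.1", HEADERS_FROM_NGINX, LOOPBACK_NGINX),
        "loopback_ipv6": sso_user("::1", HEADERS_FROM_NGINX, LOOPBACK_NGINX),
        # A client that bypasses nginx and reaches Graylog directly cannot forge a login
        # while the check is on...
        "direct_client_check_on": sso_user("192.0.2.50", HEADERS_FROM_NGINX, LOOPBACK_NGINX),
        # ...but can when "Request must come from a trusted proxy" is unchecked.
        "direct_client_check_off": sso_user(
            "192.0.2.50", HEADERS_FROM_NGINX, LOOPBACK_NGINX, require_trusted_proxy=False
        ),
        # No header at all falls through to the normal (LDAP/local) login.
        "no_header": sso_user("127.0.0.1", {}, LOOPBACK_NGINX),
    }


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:30s} -> {outcome!r}")
```

The takeaway for operators: the trusted proxy is whichever host actually opens the TCP connection to Graylog, so keep the checkbox on and list only the reverse proxy's source addresses; the identity provider's address is irrelevant to this check, and leaving the box unchecked means the header alone is sufficient to authenticate, which is only safe if nothing but the proxy can reach the Graylog listener.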


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.