SSO works without trusted_proxies

(Dave) #1


I'm trying to set up SSO on my Graylog servers. I built a vanilla Graylog lab for testing. I also have LDAP enabled, which I can log in with.

Yes, I have read the docs, but no go :frowning:


Single Sign-On Configuration

Username Header 'X-Forwarded-User'
[] - Request must come from a trusted proxy (this is unchecked)
[x] - Automatically create users (this is checked)
(all other fields are blank or "Reader")

	grep proxies /etc/graylog/server/server.conf
	trusted_proxies =, xxx:xxx:xx:xx::210/128

Graylog is behind an nginx proxy, /etc/nginx/nginx.conf:

	location /auth_verify {
		proxy_pass_request_body off;
		proxy_set_header  X-Original-URI $request_uri;
		proxy_set_header  X-Real-IP $remote_addr;
		proxy_set_header  Host $http_host;
		proxy_set_header  Content-Length "";


	location /graylog {
		include test_authelia_params;
		access_log /var/log/nginx/back.log addHeaderlog ;

		proxy_set_header Host $http_host;
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Graylog-Server-URL https://$server_name/graylog/api;


	auth_request /auth_verify;
	auth_request_set $redirect $upstream_http_redirect;
	proxy_set_header Redirect $redirect;
	auth_request_set $user $upstream_http_remote_user;
	proxy_set_header X-Forwarded-User $user;
	auth_request_set $groups $upstream_http_remote_groups;
	proxy_set_header Remote-Groups $groups;
	error_page 401 =302 $redirect;

This is the authority server, which also has 2FA. It is configured in trusted_proxies.

The issue is that when I uncheck "Request must come from a trusted proxy", I can get in using the X-Forwarded-User header, which my login server sets (I can see it in the logs). When I check it, I can never get in, even if X-Forwarded-User is set :frowning:

Any input is appreciated

BTW I'm using Authelia as the auth server.

thank you,

(Jochen) #2

The trusted proxy in this case is the nginx proxy, which provides the HTTP headers to Graylog.

(Dave) #3

Ohhh :open_mouth:

ok ok let me try!
thank you @jochen

(Dave) #4

That was it!!

trusted_proxies =, ::1/128

thanks again @jochen
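
The resolution above, as an added example that is not part of the thread and not Graylog's own code: a small Python model of a trusted-proxy gate on an SSO header. It assumes the check compares the address of the host that opens the connection to Graylog (nginx here, `::1` per post #4) against `trusted_proxies`; `2001:db8::210` and `2001:db8::99` are constructed stand-ins for the redacted Authelia address and for some other host.

```python
import ipaddress

def parse_trusted_proxies(value):
    """Parse a comma-separated CIDR list, skipping empty entries (as in '=, ::1/128')."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]

def is_trusted_peer(peer_ip, trusted):
    """True if the connecting peer's address falls inside any trusted network."""
    addr = ipaddress.ip_address(peer_ip)
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in trusted)

def sso_username(peer_ip, headers, trusted, require_trusted_proxy=True,
                 header="X-Forwarded-User"):
    """Return the username taken from the SSO header, or None if it is not honoured."""
    user = headers.get(header)
    if not user:
        return None
    if require_trusted_proxy and not is_trusted_peer(peer_ip, trusted):
        return None  # header present, but the sender is not a trusted proxy
    return user

if __name__ == "__main__":
    hdr = {"X-Forwarded-User": "dave"}  # constructed sample request header
    # Post #1: the Authelia host is listed, but nginx connects from ::1.
    print(sso_username("::1", hdr, parse_trusted_proxies(", 2001:db8::210/128")))
    # Post #4: the nginx address is listed, so the header is honoured.
    print(sso_username("::1", hdr, parse_trusted_proxies(", ::1/128")))
    # Box unchecked: the header is honoured from any peer that reaches the server.
    print(sso_username("2001:db8::99", hdr, parse_trusted_proxies(", ::1/128"),
                       require_trusted_proxy=False))
```

With the box unchecked, the header alone decides the identity, so the backend should accept connections only from the proxy if it is run that way.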
