SSO works without trusted_proxies


Im trying to setup SSO on my graylog servers. I built a vanilla graylog lab for testing. I also have ldap enabled which i can log with.

Yes i have read the docs but no go :frowning:


Single Sign-On Configuration

Username Header 'X-Forwarded-User'
[] - Request must come from a trusted proxy (this is unchecked)
[x] - Automatically create users (this is checked)
(all other fields are blank or "Reader")
grep proxies /etc/graylog/server/server.conf 
trusted_proxies =, xxx:xxx:xx:xx::210/128

Graylog is behind nginx proxy /etc/nginx/nginx.conf:

	location /auth_verify {
		proxy_pass_request_body off;
		proxy_set_header  X-Original-URI $request_uri;
		proxy_set_header  X-Real-IP $remote_addr;
		proxy_set_header  Host $http_host;
		proxy_set_header  Content-Length "";


location /graylog {
	include test_authelia_params;
	access_log /var/log/nginx/back.log addHeaderlog ;

	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Graylog-Server-URL https://$server_name/graylog/api;


auth_request /auth_verify;
auth_request_set $redirect $upstream_http_redirect;
proxy_set_header Redirect $redirect;
auth_request_set $user $upstream_http_remote_user;
proxy_set_header X-Forwarded-User $user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-Groups $groups;
error_page 401 =302$redirect;

The is the authority server which also has 2FA. Which is configured in trusted_proxies

The issue is that when i uncheck the request must come from a trusted proxy i can get it using the X-Forwarded-User header which my login server sets ( i can see it in the logs). When i check it i can never get in even if the X-Forwarded-User is set :frowning:

Any input is appreciated

BTW im using authelia as the auth server

thank you,

The trusted proxy in this case is the nginx proxy, which provides the HTTP headers to Graylog.

1 Like

Ohhh :open_mouth:

ok ok let me try!
thank you @jochen

That was it!!

trusted_proxies =, ::1/128

thanks again @jochen

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.