Trusted Header Authentication

Trusted header authentication allows user authentication to Graylog via a configured HTTP header. This feature, in conjunction with a proxy server, may be used to enable authentication providers not natively supported by Graylog, such as keycard systems, Kerberos, and others.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must access Graylog via a proxy (e.g. Apache, NGINX, HAProxy).

  • That proxy must send the Username header configured in Graylog.

  • The source IP address(es) of the proxy must be configured using the trusted_proxies property in Graylog’s server.conf configuration file with CIDR notation.

Enable and Configure Trusted Header Authentication

Trusted header authentication is disabled by default. To enable single sign-on via HTTP header:

  1. Navigate to System > Authentication > Authenticators.

  2. Click on the Edit Authenticators button.

  3. Check the Enable single sign-on via HTTP header check box.

  4. (Optional) Configure a Username header. The header defaults to Remote-User.

Hint: Take note of the Username header as you will need this to complete the configuration.

  5. Click on the Update Config button to complete.

Configure trusted_proxies via Graylog Configuration File

In order for Graylog to accept the Remote-User header from a proxy and allow successful authentication, the source IP address of the proxy or proxies must be configured using the trusted_proxies property in the Graylog server.conf configuration file.

This property accepts a comma-separated list of subnets using CIDR notation. For example, if you only trust the local machine (localhost), you would set:

trusted_proxies = 127.0.0.1/32

Note that any CIDR notation subnet using /32 specifies only a single IP address. The above will only allow 127.0.0.1. To allow from multiple IPs, use a comma-separated list:

trusted_proxies = 127.0.0.1/32, 192.168.0.2/32, 192.168.0.3/32
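
To make the two rules above concrete (comma-separated CIDR list, /32 meaning exactly one address, header ignored from any other source), here is a small model of the check as an added example; it is not Graylog's own code, and the function names and the `username_header` parameter are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional

# Model of trusted header authentication (added example, not Graylog's code):
# the Username header is honoured only when the request's source address lies
# inside one of the subnets listed in trusted_proxies.

def parse_trusted_proxies(value: str) -> List[object]:
    """Parse the server.conf value, e.g. '127.0.0.1/32, 192.168.0.2/32'.
    Whitespace around entries is tolerated; a malformed entry raises
    ValueError instead of being silently skipped."""
    networks = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=True rejects entries with host bits set (e.g. 10.0.0.5/24)
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks

def is_trusted_proxy(source_ip: str, trusted: List[object]) -> bool:
    """True when source_ip falls inside any trusted subnet.
    An IPv4 address never matches an IPv6 network and vice versa."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in trusted)

def authenticate_from_header(source_ip: str, headers: Dict[str, str],
                             trusted_proxies: str,
                             username_header: str = "Remote-User") -> Optional[str]:
    """Return the username to log in, or None when the header must be ignored
    (untrusted source, header absent, or header empty)."""
    if not is_trusted_proxy(source_ip, parse_trusted_proxies(trusted_proxies)):
        return None
    # HTTP header names are case-insensitive, so compare them lower-cased
    for name, value in headers.items():
        if name.lower() == username_header.lower():
            user = value.strip()
            return user or None
    return None

if __name__ == "__main__":
    # constructed sample: proxy on localhost, a request from somewhere else
    cfg = "127.0.0.1/32, 192.168.0.2/32, 192.168.0.3/32"
    print(authenticate_from_header("127.0.0.1", {"Remote-User": "admin"}, cfg))
    print(authenticate_from_header("192.168.0.9", {"Remote-User": "admin"}, cfg))
```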

Set Up Proxy

Now, you will need to set up the proxy that will perform authentication. The following example illustrates how this process may look; the details depend on your chosen proxy.

Apache Proxy Example

For this example, we are using Apache as the proxy and installing Apache on the same server as Graylog. This does not need to be the same server, but for simplicity, we use the same server here.

Warning: Graylog requires the cookies set during session creation to be persisted. The proxy must not remove or unset cookies.

  1. Install the Apache2 web server:

    sudo apt update && sudo apt install apache2
  2. Enable specified modules (proxy, proxy_http, rewrite and headers) within Apache:

    sudo a2enmod proxy proxy_http rewrite headers
  3. Create and update the flat file used to store user names and passwords for basic authentication of HTTP users. This will prompt you to enter a password for the user:

    Hint: Replace `<admin>` with the username you want to add. `-c` creates a new .htpasswd and will overwrite the file if it already exists. To add passwords to an existing file, remove the `-c` argument.
    sudo htpasswd -c /etc/apache2/.htpasswd <admin>
  4. Modify Apache configuration. Use this command to open the configuration file:

    sudo nano /etc/apache2/sites-enabled/000-default.conf
  5. Add the following syntax to the bottom of the configuration file:

    <Location />
        # forward everything to the Graylog web interface / API on port 9000
        ProxyPass "http://127.0.0.1:9000/"
        ProxyPassReverse "http://127.0.0.1:9000/"

        # Apache performs the actual authentication against the .htpasswd file
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user

        # copy the authenticated user name into an environment variable so that
        # RequestHeader can reference it
        RewriteEngine On
        RewriteCond %{REMOTE_USER} (.*)
        RewriteRule .* - [E=X_REMOTE_USER:%1]
        # set Trusted Header, this will be the username that is logged into graylog
        RequestHeader set Remote-User %{X_REMOTE_USER}e
        # auth header must be removed so that we do not pass invalid auth to graylog
        RequestHeader unset Authorization
    </Location>
  6. Restart Apache to apply the changes made to the configuration file in the step above:

    sudo systemctl restart apache2

At this point you should be able to authenticate to Graylog using the trusted header authentication.

Warning: It is important to note that the Graylog REST API no longer allows for user authentication via a trusted header. Additionally, deleting session cookies will immediately log out the user, which is by design.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: