Trusted Header Authentication
Trusted header authentication allows user authentication to Graylog via a configured HTTP header. This feature, in conjunction with a proxy server, may be used to enable authentication providers not natively supported by Graylog, such as keycard systems, Kerberos, and others.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
-
Trusted Header Authentication must be enabled in Graylog.
-
You must access Graylog via a proxy (e.g. Apache, NGINX, HAProxy).
-
That proxy must send the Username header configured in Graylog.
-
The source IP address(es) of the proxy must be configured using the
trusted_proxiesproperty in Graylog’sserver.confconfiguration file with CIDR notation.
-
The user passed via trusted header authentication must exist in Graylog.
Enable and Configure Trusted Header Authentication
Trusted header authentication is disabled by default. To enable single sign-on via HTTP header:
-
Navigate to System > Authentication > Authenticators.
-
Click on the Edit Authenticators button.
-
Check the Enable single sign-on via HTTP header check box.
-
(Optional) Configure a Username header. The header defaults to Remote-User.
-
Click on the Update Config button to complete.
Configure trusted_proxies via Graylog Configuration File
In order for Graylog to accept the Remote-User header from a proxy and allow successful authentication, the source IP address of the proxy or proxies must be configured using the trusted_proxies property in the Graylog server.conf configuration file.
This property accepts a comma-separated list of subnets using CIDR notation. For example, if you only trust the local machine (localhost), you would set:
trusted_proxies = 127.0.0.1/32Note that any CIDR notation subnet using /32 specifies only a single IP address. The above will only allow 127.0.0.1. To allow from multiple IPs, use a comma-separated list:
trusted_proxies = 127.0.0.1/32, 192.168.0.2/32, 192.168.0.3/32Set Up Proxy
Now, you will need to set up the proxy you will use to perform authentication. See the following example to illustrate how this process may look depending on your chosen proxy.
Apache Proxy Example
For this example, we are using Apache as the proxy and installing Apache on the same server as Graylog. This does not need to be the same server, but for simplicity, we use the same server here.
-
Install the Apache2 web server:
Copysudo apt update && sudo apt install apache2 -
Enable specified modules (
proxy,proxy_http,rewriteandheaders) within Apache:Copysudo a2enmod proxy proxy_http rewrite headers -
Create and update the flat-files used to store user names and passwords for basic authentication of HTTP users. This will prompt you to enter a password for the user:
Hint: Replaceadminwith the username you want to add.-ccreates a new.htpasswdand will overwrite the file if it already exists. To add passwords to an existing file, remove the `-c` argument.Copysudo htpasswd -c /etc/apache2/.htpasswd <admin> -
Modify Apache configuration. Use this command to open the configuration file:
Copysudo nano /etc/apache2/sites-enabled/000-default.conf -
Add the following syntax to the bottom of the configuration file:
Copy<Location />
ProxyPass "http://127.0.0.1:9000/"
ProxyPassReverse "http://127.0.0.1:9000/"
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
RewriteEngine On
RewriteCond %{REMOTE_USER} (.*)
RewriteRule .* - [E=X_REMOTE_USER:%1]
# set Trusted Header, this will be the username that is logged into graylog
RequestHeader set Remote-User %{X_REMOTE_USER}e
# auth header must be removed so that we do not pass invalid auth to graylog
RequestHeader unset Authorization
</Location> -
Restart Apache to apply the changes made to the configuration file in the step above:
Copysudo systemctl restart apache2
At this point you should be able to authenticate to Graylog using the trusted header authentication.
Further Reading
Explore the following additional resources and recommended readings to expand your knowledge on related topics:
