Trusted Header Authentication
Trusted header authentication allows user authentication to Graylog via a configured HTTP header. This feature, in conjunction with a proxy server, may be used to enable authentication providers not natively supported by Graylog, such as keycard systems, Kerberos, and others.
Prerequisites
In order to use this feature:
- Trusted Header Authentication must be enabled in Graylog.
- You must access Graylog via a proxy (e.g. Apache, NGINX, HAProxy).
- That proxy must send the Username header configured in Graylog.
- The source IP address(es) of the proxy must be configured using the trusted_proxies property in Graylog's server.conf configuration file with CIDR notation.
- The user passed via trusted header authentication must exist in Graylog.
Enable and Configure Trusted Header Authentication
To enable single sign-on via HTTP header:
- Navigate to System > Authentication > Authenticators.
- Click on the Edit Authenticators button.
- Check the Enable single sign-on via HTTP header check box.
- (Optional) Configure a Username header. The header defaults to Remote-User.
- Click on the Update Config button to complete.
Configure trusted_proxies via Graylog Configuration File
In order for Graylog to accept the Remote-User header from a proxy and allow successful authentication, the source IP address of the proxy or proxies must be configured using the trusted_proxies property in the Graylog server.conf configuration file.
This property accepts a comma-separated list of subnets using CIDR notation.
Example:
- Allow localhost/127.0.0.1:
  trusted_proxies = 127.0.0.1/32
  Note that any CIDR notation subnet using /32 specifies only a single IP address. The above will only allow 127.0.0.1.
- Allow from multiple IPs, use a comma-separated list:
  trusted_proxies = 127.0.0.1/32, 192.168.0.2/32, 192.168.0.3/32
Proxy Example
For this example, we are using Apache as the proxy and installing Apache on the same server as Graylog. This does not need to be the same server, but for simplicity, we use the same server here.
- Install the Apache2 web server.
  sudo apt update && sudo apt install apache2
- Enable the required modules (proxy, proxy_http, rewrite and headers) within Apache.
  sudo a2enmod proxy proxy_http rewrite headers
- Create and update the flat file used to store usernames and passwords for basic authentication of HTTP users. This will prompt you to enter a password for the user.
  Hint: Replace <admin> with the username you want to add. -c creates a new .htpasswd and will overwrite the file if it already exists. To add passwords to an existing file, remove the -c argument.
  sudo htpasswd -c /etc/apache2/.htpasswd <admin>
- Modify the Apache configuration. Use this command to open the configuration file:
  sudo nano /etc/apache2/sites-enabled/000-default.conf
- Add the following syntax to the bottom of the configuration file:
  <Location />
      ProxyPass "http://127.0.0.1:9000/"
      ProxyPassReverse "http://127.0.0.1:9000/"
      AuthType Basic
      AuthName "Restricted Content"
      AuthUserFile /etc/apache2/.htpasswd
      Require valid-user
      RewriteEngine On
      RewriteCond %{REMOTE_USER} (.*)
      RewriteRule .* - [E=X_REMOTE_USER:%1]
      # set the trusted header; this will be the username that is logged into Graylog
      RequestHeader set Remote-User %{X_REMOTE_USER}e
      # the auth header must be removed so that we do not pass invalid auth to Graylog
      RequestHeader unset Authorization
  </Location>
- Restart Apache to apply the changes made to the configuration file in the step above.
  sudo systemctl restart apache2
At this point you should be able to authenticate to Graylog using trusted header authentication.
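The two settings on this page only provide security together: trusted_proxies decides whose Remote-User header Graylog will believe at all, and the Apache <Location /> block guarantees that the header it sends upstream is the identity Apache actually authenticated (RequestHeader set overwrites anything the client supplied, and the Basic credentials are dropped). The Python model below is an added example written for this page, not Graylog's or Apache's own code; TRUSTED_PROXIES, KNOWN_USERS and the helper functions parse_trusted_proxies, is_trusted_proxy, proxy_forward, graylog_resolve_user and end_to_end are all constructed for illustration, and the sample requests are made up.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample values mirroring the page: the trusted_proxies line from
# server.conf and the default Username header.
TRUSTED_PROXIES = "127.0.0.1/32, 192.168.0.2/32, 192.168.0.3/32"
USERNAME_HEADER = "Remote-User"
# Constructed stand-in for the accounts that exist in Graylog. Trusted header
# authentication never creates users, so a name not in this set fails.
KNOWN_USERS = {"admin", "alice"}


def parse_trusted_proxies(value: str) -> List[Network]:
    """Split the comma-separated CIDR list and parse each entry.

    strict=False normalises a host address written with a shorter prefix
    (e.g. 192.168.0.2/24) to its network; how Graylog itself treats such
    input is not stated on the page, so that is an assumption of this model.
    """
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def is_trusted_proxy(src_ip: str, networks: Iterable[Network]) -> bool:
    """True when the TCP peer address falls inside one of the configured subnets."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def proxy_forward(client_headers: Dict[str, str],
                  authenticated_user: Optional[str]) -> Dict[str, str]:
    """Model of the Apache <Location /> block from the page.

    Require valid-user: reject when Basic auth did not succeed.
    RequestHeader set Remote-User: the username sent upstream is always the
    identity Apache authenticated, so a Remote-User header supplied by the
    client is overwritten rather than relayed.
    RequestHeader unset Authorization: the Basic credentials never reach Graylog.
    """
    if authenticated_user is None:
        raise PermissionError("401: Require valid-user not satisfied")
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() not in ("authorization", USERNAME_HEADER.lower())}
    upstream[USERNAME_HEADER] = authenticated_user
    return upstream


def graylog_resolve_user(src_ip: str, headers: Dict[str, str],
                         networks: Iterable[Network],
                         known_users: Iterable[str]) -> Optional[str]:
    """Model of the decision the page describes on the Graylog side.

    The header is honoured only when the connection comes from a trusted
    proxy and names a user that already exists; otherwise the request gets
    no session from the header, modelled here as None.
    """
    if not is_trusted_proxy(src_ip, networks):
        return None
    user = next((v for k, v in headers.items()
                 if k.lower() == USERNAME_HEADER.lower()), None)
    if not user or user not in known_users:
        return None
    return user


def end_to_end(client_headers: Dict[str, str], authenticated_user: Optional[str],
               proxy_ip: str) -> Optional[str]:
    """Client -> proxy -> Graylog; returns the user Graylog logs in, or None."""
    networks = parse_trusted_proxies(TRUSTED_PROXIES)
    try:
        upstream = proxy_forward(client_headers, authenticated_user)
    except PermissionError:
        return None
    return graylog_resolve_user(proxy_ip, upstream, networks, KNOWN_USERS)


if __name__ == "__main__":
    nets = parse_trusted_proxies(TRUSTED_PROXIES)
    # Constructed requests: a normal login, a client that also sends its own
    # Remote-User header, a connection that bypasses the proxy, and an unknown user.
    print(end_to_end({"Authorization": "Basic ..."}, "admin", "127.0.0.1"))  # admin
    print(end_to_end({"Authorization": "Basic ...", "Remote-User": "alice"},
                     "admin", "127.0.0.1"))  # admin
    print(graylog_resolve_user("10.0.0.5", {"Remote-User": "admin"}, nets, KNOWN_USERS))  # None
    print(end_to_end({}, "nobody", "127.0.0.1"))  # None
```

The four sample requests cover the cases a reviewer of this setup should check: the authenticated Basic user is what Graylog sees even when the client sent its own Remote-User header, a connection that reaches Graylog from an address outside trusted_proxies gets nothing from the header, and a header naming an account that does not exist in Graylog is ignored.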