This repository was archived by the owner on May 27, 2024. It is now read-only.

problem SSO with graylog and mozilla firefox  #39

@kfdl

Problem description

Hello,
I have a problem when I try to have SSO between nginx 1.10.3 and graylog 2.5.0.
This is my configuration for nginx: /etc/nginx/sites-available/reverseProxy

    location / {
            auth_basic "Restricted Access";
            auth_basic_user_file "/etc/nginx/.htpasswd";
            root /var/www/html;
            # Add index.php to the list if you are using PHP
            index index.html index.htm index.nginx-debian.html;
    }

    location /graylog {
            auth_basic "Restricted Access";

            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header Remote-User $remote_user;
            #proxy_set_header X-Forwarded-User $remote_user;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Graylog-Server-URL http://1.0.0.10/graylog/api;
            proxy_set_header X-Requested-By $remote_addr;

            proxy_pass       http://1.15.15.15:9001/graylog;
            
    }

and my configuration for grafana : /etc/graylog/server/server.conf

    rest_listen_uri = http://1.15.15.15:9001/graylog/api
    web_listen_uri = http://1.15.15.15:9001/graylog

The problem is, when I log on with Internet Explorer the SSO works perfectly, but when I try to log on with Mozilla Firefox or Chrome, I am authenticated with the user “undefined” and I don’t know why.

Please help me…

Thank you very much for your help.

Steps to reproduce the problem

Install nginx 1.10.3, graylog 2.5.0, elasticsearch 6.5.3 and MongoDB version 4.0.4 on a debian 9.6 host, and use the configuration below for nginx and graylog.
For elasticsearch, please change the node name in /etc/elasticsearch/elasticsearch.yml to graylog-node1 and cluster.name to graylog.

Download the SSO plugin for graylog 2.5.0 and place the .jar file in /usr/share/elasticsearch/plugins/
Enable and start all these services (systemctl enable [services] and systemctl start [services]).
For the configuration of graylog in the file /etc/graylog/server/server.conf, please follow these instructions:

// You MUST specify a hash password for the root user (which you only need to initially set up the
//system and in case you lose connectivity to your authentication backend)
// This password cannot be changed using the API or via the web interface. If you need to change it,
//modify it in this file.
// Create one by using for example: echo -n yourpassword | shasum -a 256
// and put the resulting hash value into the following line
root_password_sha2 =

and

// You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
//Generate one by using for example: pwgen -N 1 -s 96
password_secret =

Then create the file .htpasswd in the folder /etc/nginx with the command
htpasswd -db /etc/nginx/.htpasswd [user] [password]
(create two accounts, the first for admin and the second for you)

Use mozilla 64.4.0.2, enter the URL 1.0.0.10 and log on to the web server.
After logging in, enter the URL 1.0.0.10/graylog in mozilla and log on with the admin account and the password you chose.

Then system > authentication > SSO:
username header --> Remote-User
don't select "request must come from a trusted proxy"
don't select "automatically create"
don't select "Synchronize the roles of the user from the specified HTTP header"
Then save the configuration.

Then system > authentication > configure provider order:
edit and put the list like this:

  1. SSO
  2. admin user
  3. Sessions
  4. passwords
  5. LDAP
  6. API tokens

and save.

Clear the cache and the history and quit mozilla.
Restart graylog, nginx, elasticsearch...

Then open mozilla again, log on at the reverse proxy and go to /graylog, and you will see the error with the SSO, username "undefined".
But if you do the same with IE it works.
I don't understand the problem, I think I tried everything (capture of the packets between nginx and graylog for the two browsers, changing the configuration...)

Please help me.
Thank you for your time.

Environment

  • Graylog Version: 2.5.0
  • Plugin Version: 2.5.0
  • Nginx: 1.10.3
  • Elasticsearch: 6.5.3
  • MongoDB Version: 4.0.4
  • Operating System: debian 9.6
  • Browser version: mozilla 64.4.0.2
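
The SSO settings in the post take the username from the Remote-User header and leave "request must come from a trusted proxy" unselected. As an added example (not part of the original post and not the plugin's code), this Python sketch models what that option decides for a request reaching the backend; the function names, the trusted list and the sample requests are assumptions, with 1.0.0.10 taken from the post as the nginx address.

```python
import ipaddress

# Assumptions for this sketch: the header name and the nginx address 1.0.0.10
# come from the post; function names and sample requests are hypothetical.
USERNAME_HEADER = "Remote-User"
TRUSTED_PROXIES = [ipaddress.ip_network("1.0.0.10/32")]


def sso_username(peer_ip, headers, require_trusted=True, trusted=TRUSTED_PROXIES):
    """Return the username to accept from the header, or None to fall
    through to the next authentication provider in the configured order."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    user = lowered.get(USERNAME_HEADER.lower(), "").strip()
    if not user:
        # nginx does not pass a proxy_set_header field whose value is empty,
        # so an unauthenticated request arrives without Remote-User.
        return None
    if require_trusted:
        peer = ipaddress.ip_address(peer_ip)
        if not any(peer in net for net in trusted):
            return None  # the header did not arrive through the proxy
    return user


# Constructed sample requests as the backend would receive them:
# (TCP peer address, request headers)
SAMPLES = [
    ("1.0.0.10", {"Remote-User": "admin"}),         # through nginx after basic auth
    ("1.0.0.10", {"X-Forwarded-For": "1.0.0.77"}),  # through nginx, no $remote_user
    ("1.0.0.77", {"remote-user": "admin"}),         # did not pass through nginx
]


def decide_all(require_trusted):
    """Evaluate every sample with the option switched on or off."""
    return [sso_username(ip, hdrs, require_trusted) for ip, hdrs in SAMPLES]


if __name__ == "__main__":
    for flag in (True, False):
        print("require_trusted =", flag, "->", decide_all(flag))
```

With the option off, the third request is accepted as "admin" purely on the header value, which is why the backend port should only be reachable from the proxy when the check is disabled.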
