Proxy Authentication XFF Errors

David Achenbach

Feb 3, 2017, 6:21:59 PM
to Search Guard
I'm currently using Elasticsearch 5.1.2 with Search Guard 5.1.2-10. I'm trying to enable proxy authentication for use with SSO. Here is my current sg_config.yml:

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'
        trustedProxies: '.*'
        internalProxies: '.*'
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop


I do intend to modify this some to fit the particular SSO and lock it down, but I'm just testing. In any case, after uploading this with sgadmin, Elasticsearch immediately begins throwing this error quite a lot (something like 30 times a second):

[2017-02-03T23:19:38,626][INFO ][c.f.s.a.BackendRegistry  ] ElasticsearchSecurityException[xff not done] extracting credentials from ElasticsearchSecurityException[xff not done]

And I am not able to authenticate with a user in x-proxy-user in the headers. Am I missing something here? Thanks.
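
An added example, not part of the original post and not Search Guard code: a small check of which connecting addresses an internalProxies pattern, such as the '.*' in the config above, would accept as a proxy allowed to assert x-proxy-user. The addresses are constructed, and the code assumes the pattern is applied as a whole-string regex match on the connecting address, with Python's re standing in for Java regex.

```python
import re

# Constructed sample addresses (not from the thread): the one reverse proxy
# that should be allowed to assert x-proxy-user, and hosts that should not.
PROXY_ADDRS = ["10.0.0.5"]
OTHER_ADDRS = ["10.0.0.50", "10.0.0.6", "192.168.1.20", "127.0.0.1"]


def accepted(pattern, addrs):
    """Return the addresses the pattern matches in full.

    Assumption: internalProxies is a whole-string regex match against the
    connecting address; Python's re behaves like Java regex for the simple
    patterns used here.
    """
    rx = re.compile(pattern)
    return [a for a in addrs if rx.fullmatch(a)]


def audit_internal_proxies(pattern, proxies=PROXY_ADDRS, others=OTHER_ADDRS):
    """Report proxies the pattern misses and non-proxies it lets through."""
    matched = accepted(pattern, proxies)
    return {
        "missing_proxies": [p for p in proxies if p not in matched],
        "unexpected_hosts": accepted(pattern, others),
    }


def from_addresses(addrs):
    """Build a pattern that matches exactly the listed addresses."""
    return "|".join(re.escape(a) for a in addrs)


if __name__ == "__main__":
    candidates = [
        ".*",                         # value used while testing in the post
        r"10\.0\.0\.5.*",             # trailing wildcard also admits 10.0.0.50
        from_addresses(PROXY_ADDRS),  # exact match on the proxy only
    ]
    for pattern in candidates:
        print(pattern, audit_internal_proxies(pattern))
```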

SG

Feb 4, 2017, 6:06:29 AM
to search...@googlegroups.com
Did you also send the x-forwarded-for header?

David Achenbach

Feb 4, 2017, 11:23:52 AM
to Search Guard
Yes, I did, but that seems secondary to the constantly repeating error messages that start immediately after enabling proxy authentication. I don't think I messed up anything in the config.

Fabien Wernli

Feb 6, 2017, 3:32:57 AM
to Search Guard
Hi David,

We also see this kind of message, and IMHO it's because of the multiple configured authc methods. I think you're seeing the message when other REST calls are made e.g. using basic auth.

David Achenbach

Feb 6, 2017, 5:07:07 PM
to Search Guard
So this was definitely partially my fault. I had a typo in my curl command to authenticate via the headers. That works just fine. That said, the 30+ warning messages/sec is making it hard to actually read anything in the Elasticsearch logs. If it is because of the dual authentication mechanisms, does this really need to be a warning?

Search Guard

Feb 7, 2017, 1:07:38 PM
to Search Guard
Can you open an issue for dealing with the log message?

David Achenbach

Feb 7, 2017, 3:43:00 PM
to Search Guard