I’m currently using Elasticsearch 5.1.2 with Search Guard 5.1.2-10. I’m trying to enable proxy authentication for use with SSO. Here is my current sg_config.yml:
searchguard:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: true
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
trustedProxies: ‘.*’
internalProxies: ‘.*’
authc:
basic_internal_auth_domain:
enabled: true
order: 2
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
enabled: true
order: 1
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
``
I do intend to modify this some to fit the particular SSO and lock it down, but I’m just testing. In any case, after uploading this with sgadmin, Elasticsearch immediately begins throwing this error quite a lot (something like 30 times a second):
[2017-02-03T23:19:38,626][INFO ][c.f.s.a.BackendRegistry ] ElasticsearchSecurityException[xff not done] extracting credentials from ElasticsearchSecurityException[xff not done]
``
And I am not able to authenticate with a user in x-proxy-user in the headers. Am I missing something here? Thanks.
did you send also the x-forwarded-for header?
···
Am 04.02.2017 um 00:21 schrieb David Achenbach <achenbach@gmail.com>:
I'm currently using Elasticsearch 5.1.2 with Search Guard 5.1.2-10. I'm trying to enable proxy authentication for use with SSO. Here is my current sg_config.yml:
searchguard:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: true
remoteIpHeader: 'x-forwarded-for'
proxiesHeader: 'x-forwarded-by'
trustedProxies: '.*'
internalProxies: '.*'
authc:
basic_internal_auth_domain:
enabled: true
order: 2
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
enabled: true
order: 1
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
I do intend to modify this some to fit the particular SSO and lock it down, but I'm just testing. In any case, after uploading this with sgadmin, Elasticsearch immediately begins throwing this error quite a lot (something like 30 times a second):
[2017-02-03T23:19:38,626][INFO ][c.f.s.a.BackendRegistry ] ElasticsearchSecurityException[xff not done] extracting credentials from ElasticsearchSecurityException[xff not done]
And I am not able to authenticate with a user in x-proxy-user in the headers. Am I missing something here? Thanks.
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ec0eda85-27da-4825-82a4-b47313c388b4%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.
Yes, I did, but that seems secondary to the constantly repeating error messages that start immediately after enabling proxy authentication. I don’t think think I messed up anything in the config.
···
On Saturday, February 4, 2017 at 3:06:29 AM UTC-8, Search Guard wrote:
did you send also the x-forwarded-for header?
Am 04.02.2017 um 00:21 schrieb David Achenbach ache...@gmail.com:
I’m currently using Elasticsearch 5.1.2 with Search Guard 5.1.2-10. I’m trying to enable proxy authentication for use with SSO. Here is my current sg_config.yml:
searchguard:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: true
remoteIpHeader: 'x-forwarded-for'
proxiesHeader: 'x-forwarded-by'
trustedProxies: '.*'
internalProxies: '.*'
authc:
basic_internal_auth_domain:
enabled: true
order: 2
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
enabled: true
order: 1
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
I do intend to modify this some to fit the particular SSO and lock it down, but I’m just testing. In any case, after uploading this with sgadmin, Elasticsearch immediately begins throwing this error quite a lot (something like 30 times a second):
[2017-02-03T23:19:38,626][INFO ][c.f.s.a.BackendRegistry ] ElasticsearchSecurityException[xff not done] extracting credentials from ElasticsearchSecurityException[xff not done]
And I am not able to authenticate with a user in x-proxy-user in the headers. Am I missing something here? Thanks.
–
You received this message because you are subscribed to the Google Groups “Search Guard” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ec0eda85-27da-4825-82a4-b47313c388b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hi David,
We also see this kind of message, and IMHO it’s because of the multiple configured authc methods. I think you’re seeing the message when other REST calls are made e.g. using basic auth.
So this was definitely partially my fault. I had a typo in my curl command to authenticate via the headers. That works just fine. That said, the 30+ warning messages/sec is making it hard to actually read anything in the Elasticsearch logs. If it is because of the dual authentication mechanisms, does this really need to be a warning?
can you open an issue for dealing with the log message?
···
On Monday, 6 February 2017 23:07:07 UTC+1, David Achenbach wrote:
So this was definitely partially my fault. I had a typo in my curl command to authenticate via the headers. That works just fine. That said, the 30+ warning messages/sec is making it hard to actually read anything in the Elasticsearch logs. If it is because of the dual authentication mechanisms, does this really need to be a warning?
Done.
https://github.com/floragunncom/search-guard/issues/292
···
On Tuesday, February 7, 2017 at 10:07:38 AM UTC-8, Search Guard wrote:
can you open an issue for dealing with the log message?
On Monday, 6 February 2017 23:07:07 UTC+1, David Achenbach wrote:
So this was definitely partially my fault. I had a typo in my curl command to authenticate via the headers. That works just fine. That said, the 30+ warning messages/sec is making it hard to actually read anything in the Elasticsearch logs. If it is because of the dual authentication mechanisms, does this really need to be a warning?