Proxy Authentication XFF Errors

I’m currently using Elasticsearch 5.1.2 with Search Guard 5.1.2-10. I’m trying to enable proxy authentication for use with SSO. Here is my current sg_config.yml:

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        trustedProxies: '.*'
        internalProxies: '.*'
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop

I do intend to modify this some to fit the particular SSO and lock it down, but I’m just testing. In any case, after uploading this with sgadmin, Elasticsearch immediately begins throwing this error quite a lot (something like 30 times a second):

[2017-02-03T23:19:38,626][INFO ][c.f.s.a.BackendRegistry ] ElasticsearchSecurityException[xff not done] extracting credentials from ElasticsearchSecurityException[xff not done]


And I am not able to authenticate with a user in x-proxy-user in the headers. Am I missing something here? Thanks.
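Added example, not part of the thread and not Search Guard's own code: a simplified Python model of the XFF gate in front of proxy authentication, showing what `internalProxies: '.*'` accepts compared with a pattern listing only the proxy hosts, and why a request without `x-forwarded-for` is not authenticated. Assumptions: the pattern must match the whole connecting address, the function names are hypothetical, and the addresses in `STRICT` and `PROBES` are constructed.

```python
import re

WEAK = ".*"                                   # value from the posted sg_config.yml
STRICT = r"192\.168\.0\.10|192\.168\.0\.11"   # constructed proxy addresses
# Constructed peers that are not proxies and should never be trusted as one.
PROBES = ["203.0.113.7", "198.51.100.23", "10.255.255.1"]


def is_internal_proxy(pattern, peer_ip):
    # Assumption: the pattern has to match the entire peer address.
    return re.fullmatch(pattern, peer_ip) is not None


def overly_broad(pattern, probes=PROBES):
    """Return the probe addresses a pattern would wrongly accept as proxies."""
    return [ip for ip in probes if is_internal_proxy(pattern, ip)]


def resolve_proxy_user(peer_ip, headers, internal_proxies,
                       remote_ip_header="x-forwarded-for",
                       user_header="x-proxy-user"):
    """Return the user named in the proxy header, or None if the XFF gate fails."""
    h = {k.lower(): v for k, v in headers.items()}
    if not is_internal_proxy(internal_proxies, peer_ip):
        return None   # connecting peer is not a configured proxy
    if not h.get(remote_ip_header):
        return None   # no forwarded-for header, so XFF was not resolved
    return h.get(user_header) or None


if __name__ == "__main__":
    # Constructed request headers.
    request = {"X-Forwarded-For": "198.51.100.23", "X-Proxy-User": "alice"}
    for name, pattern in (("weak", WEAK), ("strict", STRICT)):
        print(name, "pattern accepts as proxy:", overly_broad(pattern))
        print(name, "direct peer 203.0.113.7 ->",
              resolve_proxy_user("203.0.113.7", request, pattern))
    print("via proxy 192.168.0.10 ->",
          resolve_proxy_user("192.168.0.10", request, STRICT))
    print("via proxy, no XFF header ->",
          resolve_proxy_user("192.168.0.10", {"X-Proxy-User": "alice"}, STRICT))
```

With the catch-all pattern every connecting address counts as a proxy, so the user and roles headers are taken from any peer; the listed-hosts pattern restricts that to the SSO proxy.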

Did you also send the x-forwarded-for header?

On 04.02.2017 at 00:21, David Achenbach <achenbach@gmail.com> wrote:

I'm currently using Elasticsearch 5.1.2 with Search Guard 5.1.2-10. I'm trying to enable proxy authentication for use with SSO. Here is my current sg_config.yml:

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        trustedProxies: '.*'
        internalProxies: '.*'
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop

I do intend to modify this some to fit the particular SSO and lock it down, but I'm just testing. In any case, after uploading this with sgadmin, Elasticsearch immediately begins throwing this error quite a lot (something like 30 times a second):

[2017-02-03T23:19:38,626][INFO ][c.f.s.a.BackendRegistry ] ElasticsearchSecurityException[xff not done] extracting credentials from ElasticsearchSecurityException[xff not done]

And I am not able to authenticate with a user in x-proxy-user in the headers. Am I missing something here? Thanks.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ec0eda85-27da-4825-82a4-b47313c388b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Yes, I did, but that seems secondary to the constantly repeating error messages that start immediately after enabling proxy authentication. I don’t think I messed up anything in the config.

On Saturday, February 4, 2017 at 3:06:29 AM UTC-8, Search Guard wrote:

Did you also send the x-forwarded-for header?


Hi David,

We also see this kind of message, and IMHO it’s because of the multiple configured authc methods. I think you’re seeing the message when other REST calls are made e.g. using basic auth.

So this was definitely partially my fault. I had a typo in my curl command to authenticate via the headers. That works just fine. That said, the 30+ warning messages/sec is making it hard to actually read anything in the Elasticsearch logs. If it is because of the dual authentication mechanisms, does this really need to be a warning?

Can you open an issue for dealing with the log message?

On Monday, 6 February 2017 23:07:07 UTC+1, David Achenbach wrote:

So this was definitely partially my fault. I had a typo in my curl command to authenticate via the headers. That works just fine. That said, the 30+ warning messages/sec is making it hard to actually read anything in the Elasticsearch logs. If it is because of the dual authentication mechanisms, does this really need to be a warning?

Done.

https://github.com/floragunncom/search-guard/issues/292


On Tuesday, February 7, 2017 at 10:07:38 AM UTC-8, Search Guard wrote:

Can you open an issue for dealing with the log message?
