Proxy auth with mod_cas and mod_proxy -> no login -> Solved

denny · March 30, 2017, 1:20pm

Hello,

we installed the latest stable version from Grafana on a Debian Jessie host, which runs without problem via Apache mod_proxy.
Now we want to get SSO via mod_cas (via http://www.apereo.org/cas) working, but it fails for a unknown reason.

Apache config:

tried two config version:

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:3000/
  ProxyPassReverse / http://127.0.0.1:3000/

  <Location />
     Authtype CAS
     AuthName "Authentication with CAS"
     CASAuthNHeader REMOTE_USER
     Require valid-user
     RequestHeader set X-WEBAUTH-USER %{REMOTE_USER}s
  </Location>

and

  <Location />
  Authtype CAS
  AuthName "Authentication with CAS"
  CASAuthNHeader REMOTE_USER
  Require valid-user
  RewriteEngine On
  RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
  RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
  RequestHeader set X-REMOTE-USER %{REMOTE_USER}s
  </Location>

With the grafana.ini

[auth.proxy]
enable = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true

[auth.basic]
enabled=false

[users]
auto_assign_org = true
auto_assign_org_role = Editor

The SSO itself is working and I can see the following with tcpdump:

Host: graph.example.com
Accept: */*
Cookie: MOD_AUTH_CAS_S=8199ede0db93bdfe399a895d5cca5729; grafana_sess=bf4c5e11b8c9c67e; redirect_to=%252F
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8
Accept-Language: de-de
Referer: https://graph.example.com/login
Accept-Encoding: gzip, deflate
REMOTE_USER: foobar
X-WEBAUTH-USER: foobar
X-REMOTE-USER: foobar
Via: 1.1 graph.example.com
X-Forwarded-For: 192.168.4.10
X-Forwarded-Host: graph.example.com
X-Forwarded-Server: graph.example.com
Connection: Keep-Alive

After the redirect from the SSO page, I have the Login page from Grafana. We have no idea, why it fails.

What is also may a problem:

curl -H “X-WEBAUTH-USER: admin” http://grafana.staged-by-discourse.com/api/users
{“message”:“Unauthorized”}

Any suggestions?

torkel · March 30, 2017, 6:05pm

You seem to call grafana directly instead of via your apache server

denny · March 30, 2017, 8:14pm

hi,

because:

curl -H "X-WEBAUTH-USER: admin"  https://graph.example.com/api/users
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://ssologin.foobar.local/cas/login?service=https%3a%2f%2fgraph.example.com%2fapi%2fusers">here</a>.</p>
</body></html>

On that host. We tried the same like for Graylog and it works there.

torkel · March 31, 2017, 5:44am

Sorry, was confused. This is correct your faking what the reverse proxy is doing.

With the same settings you have I get this:
❯ curl -H “X-WEBAUTH-USER: admin” http://grafana.staged-by-discourse.com/api/users
[{“id”:1,“name”:“”,“login”:“admin”,“email”:“admin@localhost”,“isAdmin”:true}]%

Are you sure you have a user named admin that has grafana server admin permissions?

denny · March 31, 2017, 6:08am

Hello,

yes, the admin user is still the default Grafana user from the installation.

cu denny

torkel · March 31, 2017, 6:29am

Are you sure your config changes are in effect? did you restart grafana server after making the change?

denny · March 31, 2017, 6:31am

Hello,

good news, I found the problem. There was a “d” from enableD = true ([auth.proxy]) missing. So wasted a lot of time because of a “syntax” error

great