Proxy auth with mod_cas and mod_proxy -> no login -> Solved

Hello,

we installed the latest stable version of Grafana on a Debian Jessie host, which runs without problem via Apache mod_proxy.
Now we want to get SSO via mod_cas (via http://www.apereo.org/cas) working, but it fails for an unknown reason.

Apache config:

We tried two config versions:

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:3000/
  ProxyPassReverse / http://127.0.0.1:3000/

  <Location />
     Authtype CAS
     AuthName "Authentication with CAS"
     CASAuthNHeader REMOTE_USER
     Require valid-user
     RequestHeader set X-WEBAUTH-USER %{REMOTE_USER}s
  </Location>

and

  <Location />
  Authtype CAS
  AuthName "Authentication with CAS"
  CASAuthNHeader REMOTE_USER
  Require valid-user
  RewriteEngine On
  RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
  RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
  RequestHeader set X-REMOTE-USER %{REMOTE_USER}s
  </Location>

With the grafana.ini

[auth.proxy]
enable = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true

[auth.basic]
enabled=false

[users]
auto_assign_org = true
auto_assign_org_role = Editor

The SSO itself is working and I can see the following with tcpdump:

Host: graph.example.com
Accept: */*
Cookie: MOD_AUTH_CAS_S=8199ede0db93bdfe399a895d5cca5729; grafana_sess=bf4c5e11b8c9c67e; redirect_to=%252F
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8
Accept-Language: de-de
Referer: https://graph.example.com/login
Accept-Encoding: gzip, deflate
REMOTE_USER: foobar
X-WEBAUTH-USER: foobar
X-REMOTE-USER: foobar
Via: 1.1 graph.example.com
X-Forwarded-For: 192.168.4.10
X-Forwarded-Host: graph.example.com
X-Forwarded-Server: graph.example.com
Connection: Keep-Alive

After the redirect from the SSO page, I have the Login page from Grafana. We have no idea, why it fails.

What may also be a problem:

curl -H "X-WEBAUTH-USER: admin" http://localhost:3000/api/users
{"message":"Unauthorized"}

Any suggestions?

You seem to call grafana directly instead of via your apache server

hi,

because:

curl -H "X-WEBAUTH-USER: admin"  https://graph.example.com/api/users
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://ssologin.foobar.local/cas/login?service=https%3a%2f%2fgraph.example.com%2fapi%2fusers">here</a>.</p>
</body></html>

On that host. We tried the same as for Graylog and it works there.

Sorry, I was confused. This is correct: you're faking what the reverse proxy is doing.

With the same settings you have I get this:
❯ curl -H "X-WEBAUTH-USER: admin" http://localhost:3000/api/users
[{"id":1,"name":"","login":"admin","email":"admin@localhost","isAdmin":true}]

Are you sure you have a user named admin that has grafana server admin permissions?

Hello,

yes, the admin user is still the default Grafana user from the installation.

cu denny

Are you sure your config changes are in effect? Did you restart grafana-server after making the change?

Hello,

good news, I found the problem. There was a "d" missing from enableD = true ([auth.proxy]). So I wasted a lot of time because of a "syntax" error :slight_smile:
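Added example, not part of the thread and not Grafana's own code: a small Python lint for the [auth.proxy] block that catches exactly the kind of typo found above (Grafana ignores unknown keys silently, so `enable = true` leaves auth.proxy off and you land on the login page), plus a hypothetical model of how the proxied header is resolved once the section is enabled. The sample ini is the one posted in the thread; KNOWN_AUTH_PROXY_KEYS is my assumed list of valid keys, built from the keys used on this page. Because Grafana trusts the header blindly once enabled, the same check is a reminder that only Apache should be able to reach port 3000 (the thread's own `curl` against localhost:3000 shows why).

```python
import configparser
import difflib

# Assumed set of valid [auth.proxy] keys: the ones used in the thread's grafana.ini,
# with "enabled" spelled the way the final post found it must be.
KNOWN_AUTH_PROXY_KEYS = {"enabled", "header_name", "header_property", "auto_sign_up"}

# Constructed sample: the [auth.proxy] block as first posted, typo included.
BROKEN_INI = """\
[auth.proxy]
enable = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true

[auth.basic]
enabled=false
"""

# The corrected version from the last post of the thread.
FIXED_INI = BROKEN_INI.replace("enable = true", "enabled = true")


def _parse(ini_text):
    # interpolation=None so values containing '%' (e.g. Apache-style expressions)
    # do not make configparser raise.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp


def lint_auth_proxy(ini_text):
    """Return a list of findings for [auth.proxy]; an empty list means it looks sane."""
    cp = _parse(ini_text)
    if not cp.has_section("auth.proxy"):
        return ["no [auth.proxy] section: header-based login is not configured"]
    sect = cp["auth.proxy"]
    findings = []
    for key in sect:
        if key not in KNOWN_AUTH_PROXY_KEYS:
            msg = "unknown key '%s' in [auth.proxy] (Grafana ignores it silently)" % key
            # Suggest the closest documented key, so 'enable' points at 'enabled'.
            close = difflib.get_close_matches(key, sorted(KNOWN_AUTH_PROXY_KEYS), n=1)
            if close:
                msg += "; did you mean '%s'?" % close[0]
            findings.append(msg)
    if not sect.getboolean("enabled", fallback=False):
        findings.append("auth.proxy is not enabled: the header is ignored and users get the login page")
    if not sect.get("header_name"):
        findings.append("header_name is missing")
    return findings


def resolve_proxy_user(ini_text, request_headers):
    """Hypothetical model of Grafana's behaviour (not its code): trust the configured
    header only when auth.proxy is enabled. Returns the login name or None."""
    cp = _parse(ini_text)
    if not cp.has_section("auth.proxy"):
        return None
    sect = cp["auth.proxy"]
    if not sect.getboolean("enabled", fallback=False):
        return None
    wanted = sect.get("header_name", "X-WEBAUTH-USER").lower()
    # HTTP header names are case-insensitive, so compare lower-cased.
    for name, value in request_headers.items():
        if name.lower() == wanted and value.strip():
            return value.strip()
    return None


if __name__ == "__main__":
    # Headers as Apache forwarded them in the tcpdump above (constructed dict).
    forwarded = {"X-WEBAUTH-USER": "foobar", "X-REMOTE-USER": "foobar"}
    for label, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(label, "findings:", lint_auth_proxy(ini))
        print(label, "resolved user:", resolve_proxy_user(ini, forwarded))
```

Run it against your real grafana.ini by reading the file into `lint_auth_proxy`; the broken sample yields a "did you mean 'enabled'?" finding and resolves no user, the fixed one yields no findings and resolves "foobar".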

great :slight_smile: