Hello,
We installed the latest stable version from Grafana on a Debian Jessie host, which runs without problems via Apache mod_proxy.
Now we want to get SSO via mod_cas (via http://www.apereo.org/cas) working, but it fails for an unknown reason.
Apache config:
We tried two config versions:
## Proxy rules
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
<Location />
Authtype CAS
AuthName "Authentication with CAS"
CASAuthNHeader REMOTE_USER
Require valid-user
RequestHeader set X-WEBAUTH-USER %{REMOTE_USER}s
</Location>
and
<Location />
Authtype CAS
AuthName "Authentication with CAS"
CASAuthNHeader REMOTE_USER
Require valid-user
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
RequestHeader set X-REMOTE-USER %{REMOTE_USER}s
</Location>
With the grafana.ini:
[auth.proxy]
enable = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
[auth.basic]
enabled=false
[users]
auto_assign_org = true
auto_assign_org_role = Editor
The SSO itself is working and I can see the following with tcpdump:
Host: graph.example.com
Accept: */*
Cookie: MOD_AUTH_CAS_S=8199ede0db93bdfe399a895d5cca5729; grafana_sess=bf4c5e11b8c9c67e; redirect_to=%252F
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8
Accept-Language: de-de
Referer: https://graph.example.com/login
Accept-Encoding: gzip, deflate
REMOTE_USER: foobar
X-WEBAUTH-USER: foobar
X-REMOTE-USER: foobar
Via: 1.1 graph.example.com
X-Forwarded-For: 192.168.4.10
X-Forwarded-Host: graph.example.com
X-Forwarded-Server: graph.example.com
Connection: Keep-Alive
After the redirect from the SSO page, I get the login page from Grafana. We have no idea why it fails.
What may also be a problem:
curl -H "X-WEBAUTH-USER: admin" http://grafana.staged-by-discourse.com/api/users
{"message":"Unauthorized"}
Any suggestions?
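
An added example (not part of the original post, and not Grafana's own tooling): a small linter for the `[auth.proxy]` section. Grafana's switch is spelled `enabled`, while the posted section has `enable`, which is not a key Grafana reads; the check also flags a missing `whitelist`, since without it the header is accepted from any client that can reach Grafana directly. The key list and the function name are assumptions of this example.

```python
import configparser
import difflib

# Assumption: [auth.proxy] keys as documented by Grafana; compare with the
# defaults.ini shipped with your version. Keys not read are silently ignored.
KNOWN_KEYS = {"enabled", "header_name", "header_property", "auto_sign_up",
              "whitelist", "headers", "sync_ttl", "enable_login_token"}

# Constructed sample: the [auth.proxy] section exactly as posted above.
POSTED_INI = """\
[auth.proxy]
enable = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
[auth.basic]
enabled=false
"""


def lint_auth_proxy(ini_text):
    """Return (level, message) findings for the [auth.proxy] section."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.proxy"):
        return [("error", "no [auth.proxy] section: proxy auth stays disabled")]
    section, findings = cfg["auth.proxy"], []
    for key in section:
        if key not in KNOWN_KEYS:
            close = difflib.get_close_matches(key, sorted(KNOWN_KEYS), n=1)
            hint = f", did you mean '{close[0]}'?" if close else ""
            findings.append(("error", f"unknown key '{key}' is ignored{hint}"))
    # The default is off, so a missing or misspelled switch means "disabled".
    if not section.getboolean("enabled", fallback=False):
        findings.append(("error", "'enabled' is not true: header is never read"))
    if not section.get("whitelist", "").strip():
        # Without a source restriction, whoever can reach port 3000 directly
        # can name any user in the header; limit it to the proxy's address.
        findings.append(("warn", "no 'whitelist': header trusted from any source"))
    return findings


if __name__ == "__main__":
    for level, message in lint_auth_proxy(POSTED_INI):
        print(f"{level}: {message}")
```
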