Graylog/JVM proxy settings not working when proxy basic auth is needed #4594

Closed
schindlerd opened this issue Feb 17, 2018 · 9 comments

@schindlerd

My test installation is complaining about “Graylog Enterprise License Violation” and I have to use a proxy to access https://api.graylog.com/report.

Expected Behavior

Access to https://api.graylog.com/report should be possible when proxy with basic-auth is configured.

Current Behavior

The BlueCoat proxy uses basic auth and I didn’t get it working via the http_proxy_uri in the server.conf. Is there a special format to use when proxy-basic-auth is required? My yum.conf for example is successfully using the proxy configuration.

I added the following to the default java options for the JVM:
GRAYLOG_SERVER_JAVA_OPTS="... -Djdk.http.auth.tunneling.disabledSchemes= -Dhttp.proxyUser=user -Dhttp.proxyPassword=password -Dhttp.proxyHost=myproxy -Dhttp.proxyPort=8080 -Dhttps.proxyUser=user -Dhttps.proxyPassword=password -Dhttps.proxyHost=myproxy -Dhttps.proxyPort=8080"

I already added -Djdk.http.auth.tunneling.disabledSchemes= because basic auth has been disabled by default since Java 8u111 (http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html).

But I still keep getting HTTP-407:
2018-02-13T21:38:56.046+01:00 WARN [LicenseReportPeriodical] Unable to connect to license server: Failed to authenticate with proxy.
2018-02-13T21:43:55.889+01:00 WARN [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 85, limit: 72

Possible Solution

Steps to Reproduce (for bugs)

  1. Configure proxy with basic auth in server.conf or via JVM options
  2. Restart graylog-server

Context

Your Environment

  • Graylog Version: 2.4.3
  • Elasticsearch Version: 5.6.7
  • MongoDB Version: 3.2
  • Operating System: Oracle Linux 7.4
  • Browser version: Firefox Quantum 58.0.2
@joschi
Contributor

joschi commented Feb 18, 2018

@schindlerd What was the value of http_proxy_uri when you tried using the JVM proxy settings (http.proxyHost etc.)?

@schindlerd
Author

I used the fully qualified domain name for both options. I tried http_proxy_uri = http://user:password@proxy-fqdn:8080 (environment variable style) and for the Java option I used http.proxyHost=proxy-fqdn.

@joschi
Contributor

joschi commented Feb 19, 2018

@schindlerd Please try again with an empty http_proxy_uri setting and the JVM proxy settings filled.

My guess is that http_proxy_uri would overwrite the JVM settings for the HTTP client being used by Graylog to communicate with the license service, but since it doesn't support proxy credentials right now, it fails to authenticate with the proxy.
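
An added example, not part of the original thread or Graylog's code: a Python check over the two settings discussed above (the JVM proxy options and http_proxy_uri) that lists configuration findings and redacts the passwords before the values are pasted into a report. The names audit and redact are hypothetical helpers, the sample values are constructed from the ones quoted in the issue, and the "both set" finding reflects the guess in the comment above rather than confirmed behaviour.

```python
import shlex
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values mirroring the settings quoted in the issue.
SAMPLE_OPTS = ("-Xms1g -Djdk.http.auth.tunneling.disabledSchemes= "
               "-Dhttp.proxyUser=user -Dhttp.proxyPassword=password "
               "-Dhttp.proxyHost=myproxy -Dhttp.proxyPort=8080 "
               "-Dhttps.proxyUser=user -Dhttps.proxyPassword=password "
               "-Dhttps.proxyHost=myproxy -Dhttps.proxyPort=8080")
SAMPLE_URI = "http://user:password@proxy-fqdn:8080"

def parse_java_opts(opts):
    """Return {property: value} for every -Dname=value token."""
    props = {}
    for tok in shlex.split(opts):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props

def audit(opts, proxy_uri=""):
    """List findings about the proxy settings (hypothetical helper)."""
    props, findings = parse_java_opts(opts), []
    for scheme in ("http", "https"):
        if f"{scheme}.proxyHost" in props and f"{scheme}.proxyPort" not in props:
            findings.append(f"{scheme}.proxyPort missing")
        if f"{scheme}.proxyPassword" in props:
            # -D options become process arguments, readable in process listings.
            findings.append(f"{scheme}.proxyPassword passed as a -D option")
    # Since 8u111 this property lists Basic by default; an empty value clears it.
    disabled = props.get("jdk.http.auth.tunneling.disabledSchemes")
    if disabled is None or "basic" in disabled.lower():
        findings.append("Basic auth disabled for HTTPS tunneling")
    if proxy_uri and urlsplit(proxy_uri).password:
        findings.append("http_proxy_uri embeds a password")
    if proxy_uri and any(k.endswith("proxyHost") for k in props):
        findings.append("both http_proxy_uri and JVM proxy options are set")
    return findings

def redact(opts, proxy_uri=""):
    """Mask passwords so the settings can be shared safely."""
    toks = []
    for tok in shlex.split(opts):
        name = tok.partition("=")[0]
        toks.append(name + "=REDACTED" if name.endswith("proxyPassword") else tok)
    u = urlsplit(proxy_uri)
    if u.password:
        host = u.netloc.rpartition("@")[2]
        proxy_uri = urlunsplit(u._replace(netloc=f"{u.username}:REDACTED@{host}"))
    return shlex.join(toks), proxy_uri
```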

@schindlerd
Author

@joschi That is exactly my current setup :) I'm using only the JVM options and http_proxy_uri is empty.

@schindlerd
Author

@joschi Any other idea regarding this issue?

Thanks in advance.

@joschi
Contributor

joschi commented Mar 2, 2018

@schindlerd There's currently no workaround.

@bernd
Member

bernd commented Apr 24, 2018

@schindlerd Proxy authentication using basic auth now works. This fix will be in the upcoming 2.4.4 release.

@schindlerd
Author

Thank you guys! 😀

@schindlerd
Author

Hi guys! I don't get it working in our environment. Please see #4788
