Graylog v2.4.4: Proxy Basic auth problem #4788

schindlerd · 2018-05-12T09:34:18Z

The newly introduced proxy server authentication #4758 seems not to work with BlueCoat proxies.

Expected Behavior

When defining the correct http_proxy_uri = http://username:password@proxy.example.com:8080 in server.confit should be possible to access https://api.graylog.com/report via proxy.

Current Behavior

Proxy authentication fails with java IO exception although the proxy is using BASIC authentication:

2018-05-10T00:17:22.167+02:00 WARN  [OkHttpClientProvider$ProxyAuthenticator] Graylog only supports the "Basic" authentication sche
me but the proxy server asks for one of the following: [BASIC]
2018-05-10T00:17:22.167+02:00 WARN  [OkHttpClientProvider] Unable to connect to proxy:
java.io.IOException: Failed to authenticate with proxy
        at okhttp3.internal.connection.RealConnection.createTunnel(RealConnection.java:380) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.connectTunnel(RealConnection.java:211) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:152) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:256) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:134) ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:113) ~[graylog.jar:?]
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:125) [graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) [graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) [graylog.jar:?]
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200) [graylog.jar:?]
        at okhttp3.RealCall.execute(RealCall.java:77) [graylog.jar:?]
		at org.graylog.plugins.license.LicenseReportPeriodical.doRun(LicenseReportPeriodical.java:139) [graylog-plugin-license-2.4.4.jar:?]
        at org.graylog2.plugin.periodical.Periodical.run(Periodical.java:77) [graylog.jar:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_171]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_171]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_171]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_171]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_171]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_171]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
2018-05-10T00:17:22.169+02:00 WARN  [LicenseReportPeriodical] Unable to connect to license server: Failed to authenticate with proxy.

Possible Solution

Is it a problem that the proxy seems to return "BASIC" (all capital) instead of may be expected "Basic"?

Steps to Reproduce (for bugs)

Edit server.conf and add http_proxy_uri = http://username:password@proxy.example.com:8080
Restart graylog-server
Check server log for errors

Context

This is a lcensing issue. We are trying to access https://api.graylog.com/report via proxy.

Your Environment

Graylog Version: 2.4.4
Elasticsearch Version: 5.6.7
MongoDB Version: 3.2
Operating System: Oracle Linux 7.5
Browser version: Firefox Quantum 60

The text was updated successfully, but these errors were encountered:

The original implementation of the `ProxyAuthenticator` in `OkHttpClientProvider` matched the authentication scheme in a case-sensitive way, which doesn't work with all HTTP proxy servers in the wild. Fixes #4788 Reference: RFC 7235, section 2.1 > Authentication parameters are name=value pairs, where the name token > is matched case-insensitively, and each parameter name MUST only > occur once per challenge. https://tools.ietf.org/html/rfc7235#section-2.1 RFC 2617, section 1.2 > It [the authentication mechanism] uses an extensible, > case-insensitive token to identify the authentication scheme, > followed by a comma-separated list of attribute-value pairs which > carry the parameters necessary for achieving authentication via that > scheme. https://tools.ietf.org/html/rfc2617#section-1.2

joschi · 2018-05-13T16:30:25Z

@schindlerd Please check out, if the graylog.jar artifact in the tar-ball from http://graylog2public.s3.amazonaws.com/graylog-2.4.5-rc.1%2Bissue-4788-20180513160753-graylog-server-tarball.tar.gz solves your problem.
It's a build of Graylog 2.4.4 with the changes from #4790.

schindlerd · 2018-05-13T20:38:36Z

@joschi That did the trick! Thanks a lot for your efforts.

joschi · 2018-05-15T06:32:05Z

@schindlerd Please keep the issue open until the PRs have been merged. 😉

…4789) The original implementation of the `ProxyAuthenticator` in `OkHttpClientProvider` matched the authentication scheme in a case-sensitive way, which doesn't work with all HTTP proxy servers in the wild. Fixes #4788 Reference: RFC 7235, section 2.1 > Authentication parameters are name=value pairs, where the name token > is matched case-insensitively, and each parameter name MUST only > occur once per challenge. https://tools.ietf.org/html/rfc7235#section-2.1 RFC 2617, section 1.2 > It [the authentication mechanism] uses an extensible, > case-insensitive token to identify the authentication scheme, > followed by a comma-separated list of attribute-value pairs which > carry the parameters necessary for achieving authentication via that > scheme. https://tools.ietf.org/html/rfc2617#section-1.2

…4790) The original implementation of the `ProxyAuthenticator` in `OkHttpClientProvider` matched the authentication scheme in a case-sensitive way, which doesn't work with all HTTP proxy servers in the wild. Fixes #4788 Reference: RFC 7235, section 2.1 > Authentication parameters are name=value pairs, where the name token > is matched case-insensitively, and each parameter name MUST only > occur once per challenge. https://tools.ietf.org/html/rfc7235#section-2.1 RFC 2617, section 1.2 > It [the authentication mechanism] uses an extensible, > case-insensitive token to identify the authentication scheme, > followed by a comma-separated list of attribute-value pairs which > carry the parameters necessary for achieving authentication via that > scheme. https://tools.ietf.org/html/rfc2617#section-1.2

bernd · 2018-06-06T10:56:11Z

@schindlerd This should be fixed in Graylog 2.4.5.

schindlerd · 2018-06-07T15:38:12Z

@bernd it is working like a charm 👍

bernd · 2018-06-07T15:39:59Z

@schindlerd

it is working like a charm

Great! Thanks for the feedback! 👍

schindlerd mentioned this issue May 12, 2018

Graylog/JVM proxy settings not working when proxy basic auth is needed #4594

Closed

joschi mentioned this issue May 13, 2018

Support case-insensitive auth-scheme token in proxy authentication #4789

Merged

joschi added the bug label May 13, 2018

joschi self-assigned this May 13, 2018

joschi mentioned this issue May 13, 2018

Support case-insensitive auth-scheme token in proxy authentication #4790

Merged

schindlerd closed this as completed May 15, 2018

joschi reopened this May 15, 2018

dennisoelkers closed this as completed in #4789 May 16, 2018

joschi added this to the 3.0.0 milestone Jun 6, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Graylog v2.4.4: Proxy Basic auth problem #4788

Graylog v2.4.4: Proxy Basic auth problem #4788

schindlerd commented May 12, 2018

joschi commented May 13, 2018

schindlerd commented May 13, 2018

joschi commented May 15, 2018

bernd commented Jun 6, 2018

schindlerd commented Jun 7, 2018

bernd commented Jun 7, 2018

Graylog v2.4.4: Proxy Basic auth problem #4788

Graylog v2.4.4: Proxy Basic auth problem #4788

Comments

schindlerd commented May 12, 2018

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Context

Your Environment

joschi commented May 13, 2018

schindlerd commented May 13, 2018

joschi commented May 15, 2018

bernd commented Jun 6, 2018

schindlerd commented Jun 7, 2018

bernd commented Jun 7, 2018