02. 07. 2019 Damiano Chini NetEye, Security

Proxy Authentication with Grafana 6.2

Until now, authentication of NetEye users on Grafana relied on session cookies issued by the Grafana server when the user authenticated in Icinga Web 2. With the upgrade of Grafana from version 5.2 to version 6.2 this procedure no longer works: Grafana has dropped its legacy session-cookie mechanism because of the security problems it caused over the years.

Concretely, while Grafana 5.2 was in use, logging in to Grafana via NetEye went through an authentication webhook that forwarded the username of the authenticated Icinga Web 2 user to Grafana, which answered with a session cookie. To keep the user authenticated in Grafana, the browser simply sent that session cookie with every subsequent request to the Grafana server.

In Grafana 6.2 the server no longer issues these session cookies, so the Grafana session can no longer be maintained that way.

After investigating the issue, we found that the user can still be kept authenticated in Grafana by including the X-WEBAUTH-USER HTTP header in every request sent to Grafana. This is Grafana's auth proxy mode: when it is enabled in the [auth.proxy] section of grafana.ini, Grafana trusts the header whose name is configured there (X-WEBAUTH-USER by default) to carry the name of a user that has already been authenticated upstream, in our case the user logged in to Icinga Web 2. Since the browser does not add this header on its own, every request it sends must be captured and modified so that the X-WEBAUTH-USER header is added before it reaches Grafana.

With this information in hand, we maintain user sessions with Grafana by introducing a PHP proxy that intercepts all requests directed to the Grafana server, adds the header, forwards the modified requests to Grafana, and returns Grafana's reply to the browser, as shown in the picture below.

In addition, as a security requirement, the PHP proxy removes any X-WEBAUTH-USER header present in the original request coming from the browser (matching the name case-insensitively, since HTTP header names are). Otherwise anyone could obtain access to Grafana as an arbitrary user simply by setting that header; only users authenticated by Icinga Web 2 must get through. For the same reason Grafana itself must be reachable only through the proxy, for example by binding it to localhost and by restricting the auth proxy with its whitelist setting to the proxy's address: Grafana trusts the header from whoever delivers it, so a client that could reach Grafana directly would be able to set X-WEBAUTH-USER itself.
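The following is an added example of such a header-rewriting proxy, written for this page and not the NetEye module's own code. It assumes Grafana runs in auth.proxy mode bound to 127.0.0.1:3000 with its whitelist set to the proxy host, that the proxy is mounted under /grafana, and that Icinga Web 2 has left the authenticated username in the PHP session under a key named icingaweb_user; the constant and function names are likewise assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not NetEye code). Assumed grafana.ini on the Grafana side:
//   [auth.proxy]
//   enabled     = true
//   header_name = X-WEBAUTH-USER
//   whitelist   = 127.0.0.1     # only this proxy may set the header
// and Grafana bound to 127.0.0.1, so nobody can bypass the proxy.
const GRAFANA_URL  = 'http://127.0.0.1:3000';   // assumption
const AUTH_HEADER  = 'X-WEBAUTH-USER';
const MOUNT_PREFIX = '/grafana';                 // assumption

/** Header names that must never be copied from the browser to Grafana. */
const DROP_HEADERS = ['x-webauth-user', 'host', 'content-length', 'connection', 'transfer-encoding'];

/**
 * Rebuild the request headers from the CGI environment (HTTP_* entries),
 * drop every client-supplied X-WEBAUTH-USER regardless of case, and append
 * the header for the user Icinga Web 2 authenticated.
 *
 * @return string[] "name: value" lines for cURL
 */
function buildUpstreamHeaders(array $server, string $authenticatedUser): array
{
    // Header-injection guard: CR/LF or other control bytes in the name could smuggle headers.
    if ($authenticatedUser === '' || preg_match('/[\x00-\x1f\x7f]/', $authenticatedUser)) {
        throw new InvalidArgumentException('refusing to forward malformed user name');
    }
    $lines = [];
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) !== 0) {
            continue;
        }
        $name = str_replace('_', '-', strtolower(substr($key, 5))); // HTTP_ACCEPT_ENCODING -> accept-encoding
        if (in_array($name, DROP_HEADERS, true)) {
            continue; // the browser's X-WEBAUTH-USER is discarded here
        }
        $lines[] = $name . ': ' . $value;
    }
    // Content-Type is exposed outside HTTP_* by the CGI interface.
    if (!empty($server['CONTENT_TYPE'])) {
        $lines[] = 'content-type: ' . $server['CONTENT_TYPE'];
    }
    $lines[] = AUTH_HEADER . ': ' . $authenticatedUser; // the only X-WEBAUTH-USER Grafana sees
    return $lines;
}

/** Forward one request to Grafana; returns [status, response header lines, body]. */
function forwardToGrafana(string $method, string $pathAndQuery, array $headers, string $body): array
{
    $ch = curl_init(GRAFANA_URL . $pathAndQuery);
    $opts = [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_HEADER         => true,   // response headers are returned with the body
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // redirects go back to the browser, through this proxy
    ];
    if ($body !== '') {
        $opts[CURLOPT_POSTFIELDS] = $body;
    }
    curl_setopt_array($ch, $opts);
    $raw = curl_exec($ch);
    if ($raw === false) {
        throw new RuntimeException('Grafana unreachable: ' . curl_error($ch));
    }
    $status     = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);
    $headerLines = explode("\r\n", trim(substr($raw, 0, $headerSize)));
    array_shift($headerLines); // drop the status line
    return [$status, $headerLines, substr($raw, $headerSize)];
}

// ---- request handling ----
session_start();
// Assumption: Icinga Web 2 stored the authenticated username in the session.
$user = $_SESSION['icingaweb_user'] ?? null;
if ($user === null) {
    http_response_code(401);
    exit('not authenticated');
}
$path = substr($_SERVER['REQUEST_URI'], strlen(MOUNT_PREFIX)) ?: '/';
[$status, $respHeaders, $respBody] = forwardToGrafana(
    $_SERVER['REQUEST_METHOD'], $path,
    buildUpstreamHeaders($_SERVER, $user), file_get_contents('php://input')
);
http_response_code($status);
foreach ($respHeaders as $line) {
    // PHP recomputes Content-Length; chunked encoding does not survive the hop.
    if (!preg_match('/^(transfer-encoding|content-length|connection):/i', $line)) {
        header($line, false);
    }
}
echo $respBody;
```

The essential check lives in buildUpstreamHeaders: the browser's headers are rebuilt from scratch and X-WEBAUTH-USER is excluded by lower-cased name, so spellings such as x-webauth-user or X-Webauth-User cannot slip through, and the only copy Grafana receives is the one appended from the server-side session. The proxy alone is not sufficient; the bind address and whitelist on the Grafana side are what prevent a client from talking to Grafana directly with a forged header.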
