Authentication in Zabbix with Keycloak-proxy


I'm trying to set up login to Zabbix using Keycloak. My setup is the following:

  1. Zabbix runs on Apache at host1:62200
  2. Keycloak runs at host2:63665
  3. Nginx is the entry point on host1:62236: it handles the "virtual host", forwarding the requests to keycloak-proxy (localhost:4180).
  4. I installed an nginx proxy for Zabbix on host1:62237 because I could not pass the path host1:62200/zabbix

keycloak-gatekeeper is configured with client_id, client_secret, etc. to authenticate the users to Keycloak; Zabbix dashboard on Apache, default setup: I enabled HTTP authentication.

The gatekeeper config:

client-id: zabbix_tst
client-secret: f2d8a52c-ebca-4fdb-85b7-36b203a75h54

discovery-url: http://host2:63665/auth/realms/demo
enable-default-deny: true
enable-logout-redirect: true
enable-logging: true

listen: 0.0.0.0:4180
redirection-url: http://host1:62236
upstream-url: http://127.0.0.1:62237
secure-cookie: false
enable-authorization-header: true
#enable-refresh-tokens: true
enable-session-cookies: true

scopes:
  - data
  - email

add-claims:
  - name
  - email
  - given_name

Nginx config for gatekeeper:

server {
    listen 62236;

    root / ;
    access_log /var/log/nginx/kc.access.log;
    server_name keycloak;

    index index.html;

    location / {
        proxy_pass  http://127.0.0.1:4180;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Forwarded-Scheme http;
        proxy_set_header X-Scheme http;
        #proxy_redirect off;
    }

    location /oauth/callback {
        proxy_pass     http://127.0.0.1:4180;
        #proxy_set_header    X-Auth-Name  $email;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Forwarded-Scheme http;
        proxy_set_header X-Scheme http;
    }

    location /oauth/authorize {
        proxy_pass     http://127.0.0.1:4180;
        proxy_set_header    X-Auth-Name  $request_uri;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Forwarded-Scheme http;
        proxy_set_header X-Scheme https;
    }
}

I get the authorization form and am redirected to Zabbix, but always with an error that I am not authorized in Zabbix.

What am I doing wrong?


There are 1 answers

Jan Garaj On

You have to pass the PHP_AUTH_USER (or REMOTE_USER or AUTH_USER) request header variable to Zabbix. IMHO the best option for that is Apache - Zabbix HTTP authentication with Keycloak-proxy.
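
One way to do what the answer describes on the Apache side, as an added example that is not from the answer or from the Zabbix or gatekeeper projects. It assumes gatekeeper forwards the `email` claim as an `X-Auth-Email` header, that the nginx proxy on 62237 reaches Apache over loopback, and that Apache exposes the environment variable to PHP as `REMOTE_USER`; the location is restricted to the proxy because Zabbix will trust whatever value arrives in that header.

```apache
# Added example; goes in the Apache virtual host that serves Zabbix (host1:62200).
<Location "/zabbix">
    # Accept requests only from the local proxy chain (nginx on 62237 behind
    # gatekeeper), so the identity header cannot be supplied by a client that
    # connects to Apache directly.
    # Assumption: nginx connects to Apache over loopback.
    Require ip 127.0.0.1 ::1

    # Assumption: gatekeeper sends the authenticated user's email claim
    # upstream as X-Auth-Email. Copy it into REMOTE_USER, one of the variables
    # the answer names for Zabbix HTTP authentication.
    SetEnvIf X-Auth-Email "^(.+)$" REMOTE_USER=$1
</Location>
```

The value placed in `REMOTE_USER` has to match an existing Zabbix user name for the login to succeed.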