# Wazuh — Authentik edge SSO (proxy auth)
Wazuh Dashboard shows the OpenSearch Security login form by default. Once the stack is deployed, configure proxy authentication so that the identity headers injected by Traefik forward-auth (Authentik) satisfy both the dashboard and the indexer, and the login form is never shown.
URL: https://wazuh.infra.realemail.app
Stack: services/wazuh/ (not always running — apply when deployed)
## Prerequisites
- Wazuh stack up: `docker compose --env-file compose.env up -d`
- Traefik `authentik@file` forward-auth middleware on the Wazuh router (already in compose)
- Authentik outpost passes `X-authentik-username` (see `services/traefik/config/dynamic/authentik.yml`)
## Repo configuration
| File | Purpose |
|---|---|
| `services/wazuh/config/wazuh_dashboard/opensearch_dashboards.yml` | `auth.type: proxy`, with the user/roles header names set under the `proxycache.*` keys (`auth.type: proxycache` itself is unsupported on Wazuh 4.11) |
| `services/wazuh/config/wazuh_indexer/config.yml` | Indexer proxy auth domain + trusted proxy addresses (`xff.internalProxies`, a regular expression over proxy IPs rather than CIDR notation) |
| `services/wazuh/config/wazuh_indexer/roles_mapping.yml` | Map Authentik admins group → OpenSearch roles |
`compose.yml` mounts the dashboard config, so it takes effect on container start. The indexer settings are different: `config.yml` (proxy auth domain + trusted proxy addresses) and `roles_mapping.yml` (Authentik admins group mapping) live in the security index and have to be pushed with the apply script, then the dashboard recreated so it picks up the mounted config. Run after deploy:

```bash
bash scripts/apply-security-config.sh
docker compose --env-file compose.env up -d --force-recreate wazuh-dashboard
```
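The fragments below are an added illustration of what the three files in the table carry, written for this page rather than copied from the repository's own files. Only `X-authentik-username` and the file paths come from this page; the groups header `x-authentik-groups`, the Docker subnet pattern in `internalProxies`, the Authentik group name and the `basic_internal_auth_domain` block are assumptions that must be replaced with the repo's real values.

```yaml
# services/wazuh/config/wazuh_dashboard/opensearch_dashboards.yml (excerpt, illustrative)
server.ssl.enabled: false                         # TLS terminates at Traefik
opensearch_security.auth.type: "proxy"            # not "proxycache": unsupported on Wazuh 4.11
# Header names come from the Authentik outpost; the dashboard plugin reads them
# from the proxycache.* keys even though auth.type is "proxy".
opensearch_security.proxycache.user_header: "x-authentik-username"
opensearch_security.proxycache.roles_header: "x-authentik-groups"   # assumption: outpost forwards groups
# Dashboards only forwards allow-listed request headers to the indexer,
# so the identity headers must be listed here or the indexer sees an unauthenticated call.
opensearch.requestHeadersWhitelist:
  - securitytenant
  - Authorization
  - x-forwarded-for
  - x-authentik-username
  - x-authentik-groups
---
# services/wazuh/config/wazuh_indexer/config.yml (excerpt, illustrative)
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        # Identity headers are only honoured when the request arrives from one of
        # these proxies. This is a Java regex over IP addresses, not a CIDR.
        # Assumed Docker subnet; anything broader than the Traefik network lets any
        # client that can reach the indexer forge a username.
        internalProxies: '172\.2[0-9]\.\d+\.\d+'
        remoteIpHeader: 'x-forwarded-for'
    authc:
      proxy_auth_domain:
        description: "Trust user/groups headers injected by Traefik forward-auth (Authentik)"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-authentik-username"
            roles_header: "x-authentik-groups"
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        # Keep basic auth: the dashboard's own service user (opensearch.username/password)
        # and Filebeat on the Wazuh server still authenticate against the internal users DB.
        description: "Internal users (dashboard service user, Filebeat)"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
---
# services/wazuh/config/wazuh_indexer/roles_mapping.yml (excerpt, illustrative)
_meta:
  type: "rolesmapping"
  config_version: 2
all_access:
  reserved: false
  backend_roles:
    - "admin"                # internal admin user
    - "authentik Admins"     # assumption: Authentik group name as sent in x-authentik-groups
  description: "Authentik admins group -> OpenSearch all_access"
```

The group mapping only works if the outpost actually forwards a groups header and the indexer's `roles_header` names it; with `user_header` alone, every Authentik user authenticates but lands with no backend roles and gets 403 on every index. Keep `internalProxies` as tight as the Traefik container network allows: the header-based domain has no secret of its own, so the address match is the whole trust boundary.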
## Verify
Incognito → https://wazuh.infra.realemail.app → Authentik → Wazuh home (no OpenSearch login).
## Troubleshooting
| Symptom | Check |
|---|---|
| OpenSearch login still shown | Dashboard config not mounted: `docker exec wazuh-dashboard grep auth.type /usr/share/wazuh-dashboard/config/opensearch_dashboards.yml` (container path in the official Wazuh image) should print `auth.type: proxy` |
| 401 after Authentik | Indexer `config.yml` proxy auth domain and `xff.internalProxies` (must match the Traefik container's address); identity headers missing from the dashboard's `opensearch.requestHeadersWhitelist`; indexer logs |
| Dashboard won't start | SSL settings: `server.ssl.enabled` must be `false` behind Traefik |