Proxy auth doesn't work

Hello I have such config.yml

_meta:
type: “config”
config_version: 2

config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '.*' # regex pattern
        remoteIpHeader: 'x-forwarded-for'
    
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: intern
  proxy_auth_domain:
    description: "Authenticate via proxy"
    http_enabled: true
    transport_enabled: false
    order: 0
    http_authenticator:
      type: proxy
      challenge: false
      config:
        user_header: "x-proxy-user"
        roles_header: "x-proxy-roles"
    authentication_backend:
      type: noop

I use such command to apply it
./securityadmin.sh -f config.yml -icl -nhnv -cert kirk.pem -cacert root-ca.pem -h -key kirk-key.pem -t config

In ES log I can see it -
[2020-12-10T19:11:00,309][DEBUG][c.a.o.s.c.ConfigurationLoaderSecurity7] [olimp_master] Received config for internalusers (of [INTERNALUSERS]) with current latch value=0
[2020-12-10T19:11:00,546][DEBUG][c.a.o.s.c.ConfigurationLoaderSecurity7] [olimp_master] Received config for internalusers (of [INTERNALUSERS]) with current latch value=0
[2020-12-10T19:11:00,685][DEBUG][c.a.o.s.d.r.a.RestApiPrivilegesEvaluator] [olimp_master] Checking admin access for endpoint CONFIG, path /_opendistro/_security/api/securityconfig and method GET
[2020-12-10T19:11:00,690][DEBUG][c.a.o.s.c.ConfigurationLoaderSecurity7] [olimp_master] Load config with version 2
[2020-12-10T19:11:00,693][DEBUG][c.a.o.s.c.ConfigurationLoaderSecurity7] [olimp_master] Received config for config (of [CONFIG]) with current latch value=0

But in kibana web interface proxy_auth is still disabled:


Need some help

According to the documentation seems like you should set transport_enabled: true within proxy_auth_domain configuration.

Hope this helps…