How to disable API key check for ingestion port

[geirih]

Hi. We need to be able to ingest logs on port 5341 without requiring an API key, while still having normal security on the UI (port 80). Is this supported, and if so, how should I configure SEQ to achieve this ?

[KodrAus]

Hi @geirih. Unfortunately it's not possible to configure the ingestion port with different API key requirements to the regular API port. Something you may be able to do is set up a reverse proxy like NGINX that adds the X-Seq-ApiKey header using an API key that's effectively your unauthenticated ingestion traffic.

[geirih]

Thank you for your response.
I'm trying to set up a scriptet setup of SEQ, fluent bit and our pods, and need to install SEQ, install fluent bit and make sure logs are received by SEQ without human intervention in the setup process.

If I must have the same security on both ports, then I have to disable all security and handle gui security by a nginx instance before SEQ apparently.

I have checked if there is a way to automatically generate an api key from SEQ in my scripts, but I do not have access to the password from my k8s scripts, and I do not want to hardcode it there. If I was able to fetch the password from the install process somehow, I could probably use curl to generate an API key.

Do you have any examples of achieving this, or how I turn off all security for my first alternative ?

[liammclennan]

Hi @geirih

I think the getting started example does what you want. It starts Seq with authentication enabled for the UI on port 80 and open ingestion on port 5341.

[geirih]

Hi, and thank you for the response. I read through the getting started doc quickly, but didn't see any mention of what you say. Could you please point it out for me ? And, @KodrAus above said it was not possible, so I'm a bit confused about the conflicting answers.

[liammclennan]

The instructions under 'Running Seq in a Docker container' starts Seq with authentication enabled for the UI on port 80 and open ingestion on port 5341. Is that what you are attempting?

[geirih]

Yes, this is what I'm trying to do, but as far as I can tell the documentation you point to does not show this. I've done a text search for "authentication" on that page, and the 4 hits I get talks about enabling authentication. Basically all it says on this issue is:
Enabling authentication
If you specified an initial password for the admin account on the docker run command-line, authentication will already be enabled.

If not, your next step should be visiting Settings > Users and enabling authentication.

Are we looking at the same document (https://docs.datalust.co/docs/getting-started-with-docker) ? Or am I partly blind ? :-)

[liammclennan]

Hi @geirih

Your initial request was "We need to be able to ingest logs on port 5341 without requiring an API key, while still having normal security on the UI (port 80)."

If you follow the instructions on that page:

PH=$(echo '<password>' | docker run --rm -i datalust/seq config hash)

mkdir -p <local path to store data>

docker run \
  --name seq \
  -d \
  --restart unless-stopped \
  -e ACCEPT_EULA=Y \
  -e SEQ_FIRSTRUN_ADMINPASSWORDHASH="$PH" \
  -v <local path to store data>:/data \
  -p 5341:80 \
  datalust/seq

then you should be able to ingest logs on port 5341 without requiring an API key, while still having normal security on the UI (port 80). Have you tried it and seen something different?