302 errors becomes 502 error inside kubernetes

Ross_Lutsch · September 10, 2019, 10:11am

I'm using the same working images for elasticsearch/kibana/searchguard/jwtparams and can't access kibana front end, both services seem to be running but it has some sort of routing issue

{"type":"log","@timestamp":"2019-09-10T09:38:23Z","tags":["status","plugin:console@6.5.4","info"],"pid":1,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2019-09-10T09:38:23Z","tags":["status","plugin:metrics@6.5.4","info"],"pid":1,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2019-09-10T09:38:23Z","tags":["status","plugin:elasticsearch@6.5.4","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2019-09-10T09:38:23Z","tags":["info","Sentinl","init"],"pid":1,"message":"initializing ..."}
{"type":"log","@timestamp":"2019-09-10T09:38:24Z","tags":["info","Sentinl","init"],"pid":1,"message":"Chrome bin found at: /usr/share/kibana/plugins/sentinl/node_modules/puppeteer/.local-chromium/linux-609904/chrome-linux/chrome"}
{"type":"log","@timestamp":"2019-09-10T09:38:24Z","tags":["info","Sentinl","init_indices"],"pid":1,"message":"checking watcher_alarms-2019.09.10 index ..."}
{"type":"log","@timestamp":"2019-09-10T09:38:24Z","tags":["listening","info"],"pid":1,"message":"Server running at http://0.0.0.0:5601"}
{"type":"response","@timestamp":"2019-09-10T09:38:53Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-request-id":"596c4f635268062233292941ef1fb948","x-real-ip":"10.0.102.194","x-forwarded-for":"10.0.102.194","x-forwarded-host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-original-uri":"/foo/kibana","x-scheme":"https","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 OPR/63.0.3368.66","sec-fetch-mode":"navigate","sec-fetch-user":"?1","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","sec-fetch-site":"none","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"10.0.102.66","userAgent":"10.0.102.66"},"res":{"statusCode":302,"responseTime":16,"contentLength":9},"message":"GET / 302 16ms - 9.0B"}
{"type":"response","@timestamp":"2019-09-10T09:38:53Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"//login?nextUrl=%2F","method":"get","headers":{"host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-request-id":"8ff43b4b6e90bf16168fb5106b16c809","x-real-ip":"10.0.102.194","x-forwarded-for":"10.0.102.194","x-forwarded-host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-original-uri":"/foo/kibana/login?nextUrl=%2F","x-scheme":"https","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 OPR/63.0.3368.66","sec-fetch-mode":"navigate","sec-fetch-user":"?1","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","sec-fetch-site":"none","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"10.0.102.66","userAgent":"10.0.102.66"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET //login?nextUrl=%2F 302 2ms - 9.0B"}
{"type":"response","@timestamp":"2019-09-10T09:38:54Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"//login?nextUrl=%2F%2Flogin%3FnextUrl%3D%252F","method":"get","headers":{"host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-request-id":"b8a4a89ce095627fca8bd74a6d98f699","x-real-ip":"10.0.102.194","x-forwarded-for":"10.0.102.194","x-forwarded-host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-original-uri":"/foo/kibana/login?nextUrl=%2F%2Flogin%3FnextUrl%3D%252F","x-scheme":"https","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 OPR/63.0.3368.66","sec-fetch-mode":"navigate","sec-fetch-user":"?1","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","sec-fetch-site":"none","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"10.0.102.66","userAgent":"10.0.102.66"},"res":{"statusCode":302,"responseTime":1,"contentLength":9},"message":"GET //login?nextUrl=%2F%2Flogin%3FnextUrl%3D%252F 302 1ms - 9.0B"}

here is my kibana.yaml

# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: 0.0.0.0
elasticsearch.url: http://foo-elasticsearch-loadbalancer:9200

#server.port: "80"
#server.host: foo-elasticsearch-loadbalancer
elasticsearch.ssl.certificateAuthorities: /root-ca.pem
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]

server.ssl.enabled: false
server.ssl.key: /kirk-key.pem
server.ssl.certificate: /kirk.pem

searchguard.basicauth.enabled: true
searchguard.jwt.enabled: true
searchguard.auth.type: "basicauth"
# xpack.security.enabled: false
# If the token is not passed as HTTP header, but as request parameter,
# configure the parameter name here
searchguard.jwt.url_param: jwtparam
searchguard.cookie.secure: true
#logging.verbose: true
#server.defaultRoute: ""
server.basePath: /foo/kibana
server.rewriteBasePath: false

#xpack.security.enabled: false
#xpack.security.secureCookies: true

sentinl:
  settings:
    email:
      active: true
      host: 'smtp.gmail.com'
      user: 'no-reply@gotbot.co.za'
      password: '<secretly secret secret>'
      port: 465
      # domain: 'gmail.com'
      ssl: true
      # tls: true
      # authentication: ['PLAIN', 'LOGIN', 'CRAM-MD5', 'XOAUTH2']
      # timeout: 10000  # mail server connection timeout
      # cert:
        # key: '/full/sys/path/to/key/file'
        # cert: '/full/sys/path/to/cert/file'
        # ca: '/full/sys/path/to/ca/file'
    report:
      active: true
      engine: puppeteer
`

azasypkin · September 10, 2019, 11:10am

Hi @Ross_Lutsch,

Looks like you have a malformed redirect during authentication and I'm afraid it's made by SearchGuard plugin that we neither develop nor support. So it's really hard to tell what could go wrong and how to fix that.

By the way, I see you use HTTP Basic Authentication. Not sure if you've heard, but it's also available for free in Elastic/Kibana own security plugin if you wish to try it out.

Best,
Oleg

Ross_Lutsch · September 10, 2019, 1:37pm

Thanks so much I'll give it a try

system · October 8, 2019, 1:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.