But now I don't want any users to figure out that removing "embed=true" from the querystring will take them directly into the Kibana page with all the admin options enabled. I want any request that does not contain "embed=true" to be denied by the nginx proxy server or Kibana settings. I'm hoping this would be possible in the NGINX configuration file, but I cannot figure out how, because "embed=true" is part of the querystring but not the route. Or is this possible in Kibana settings somehow?
So for requests like below I want to return 403 Forbidden.
http://kibana_url:8005/app/kibana#/dashboard/My-Dashboard
http://kibana_url:8005/app/kibana#/discover?_g=()
http://kibana_url:8005/app/kibana#/management?_g=()
etc.
Using NGINX to enforce this type of security isn't recommended, and we make no guarantees that it will work. It's possible for the user to execute HTTP requests against the Kibana API and cause modifications if all you are doing is blocking requests that don't contain that querystring parameter.
Thank you for your recommendation. Right now I have blocked POST requests through nginx, so even if a user is able to see the admin menus by removing embed=true, they won't be able to edit or change the dashboard. But I want to get rid of this loophole too by making sure just URLs with embed=true are allowed. Now I am using proxy pass by rewriting the URL and passing it on to Kibana, where in the config file I have made changes to include embed=true. Now I am trying to figure out, after doing a proxy pass, how I can check whether the request made has embed=true in the URL before loading the dashboard.
@Sam12 using NGINX to enforce this type of security is incredibly brittle and will likely break between different versions of Kibana. I'm not sure how you're getting away with blocking all POST as we're using a POST for the _msearch call on the Dashboard.
With all this being said, feel free to proceed at your own risk, but I'd like to reiterate that this is not a supported approach.
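The URLs quoted in this thread carry the Kibana route after `#`, and a browser never sends the fragment to the server. As an added example (not code from the thread or from Kibana), this Node.js snippet splits each URL into the part a reverse proxy receives and the part that stays in the browser; the embed URL is constructed for illustration and assumes `embed=true` sits in the fragment next to `_g=()`.

```javascript
// Added example: which part of a Kibana URL reaches a reverse proxy such as nginx.
function splitForProxy(urlString) {
  const u = new URL(urlString);
  // Only path + query go on the HTTP request line; the fragment is never sent.
  const sentToServer = u.pathname + u.search;
  // Kibana's client-side route and its parameters live after '#'.
  const fragment = u.hash.slice(1);
  const q = fragment.indexOf('?');
  const fragmentParams = new URLSearchParams(q === -1 ? '' : fragment.slice(q + 1));
  return {
    sentToServer,
    clientRoute: q === -1 ? fragment : fragment.slice(0, q),
    embedInQuery: u.searchParams.get('embed') === 'true',      // visible to the proxy
    embedInFragment: fragmentParams.get('embed') === 'true',   // browser-only
  };
}

// Unique request targets the proxy would see for a list of URLs.
function distinctRequestTargets(urls) {
  return [...new Set(urls.map((url) => splitForProxy(url).sentToServer))];
}

const SAMPLE_URLS = [
  // Constructed embed URL (assumption: parameter placed inside the fragment).
  'http://kibana_url:8005/app/kibana#/dashboard/My-Dashboard?embed=true&_g=()',
  // URLs quoted in the thread.
  'http://kibana_url:8005/app/kibana#/dashboard/My-Dashboard',
  'http://kibana_url:8005/app/kibana#/discover?_g=()',
  'http://kibana_url:8005/app/kibana#/management?_g=()',
];

for (const url of SAMPLE_URLS) {
  const r = splitForProxy(url);
  console.log(`${r.sentToServer.padEnd(14)} route=${r.clientRoute.padEnd(26)} ` +
              `embed(query)=${r.embedInQuery} embed(fragment)=${r.embedInFragment}`);
}
// One entry means the proxy receives the same request line for every URL above.
console.log('distinct request targets:', distinctRequestTargets(SAMPLE_URLS));
```

All four URLs produce the same request target, so a proxy rule has nothing in the page request to tell the embedded dashboard from the management view.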