Hi,
I'm trying to automatically authenticate in Kibana 7.9 using nginx, but it's not working.
I'm using the native default users defined in Elasticsearch.
This is my nginx configuration running in Docker; Kibana is also deployed on Docker, on the same network:
server {
    listen 80;
    client_max_body_size 4G;
    keepalive_timeout 10;
    server_tokens off;
    # this is the internal Docker DNS
    resolver 127.0.0.11;
    proxy_ignore_client_abort on;
    set $proxy_pass_url http://elk_kibana:5601;

    # default access to kibana, just serve on standard port
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass_request_headers on;
        proxy_pass_header Authorization;
        proxy_pass $proxy_pass_url;
        proxy_redirect $proxy_pass_url /;
    }

    # special case if I want to autologin to kibana from other apps
    location /kibana {
        # "set" must precede "rewrite ... break": break stops the remaining
        # rewrite-module directives and the trailing "?" drops the query string
        set $aut "Basic $arg_auth";
        rewrite ^/kibana(.*) /$1? break;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization, Origin, Host, X-Requested-With, Content-Type, Accept';
        proxy_set_header Host $proxy_pass_url;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
        proxy_set_header Authorization $aut;
        proxy_pass $proxy_pass_url;
        proxy_redirect $proxy_pass_url/ /;
    }

    # Reverse proxy of assets and front end app
    location ~ (/app|/translations|/node_modules|/built_assets/|/bundles|/es_admin|/plugins|/api|/ui|/elasticsearch|/internal|/spaces/enter) {
        # I cannot do this in production!!!!
        # ("set" takes a variable and a value, with no "=" between them)
        set $aut "Basic myauthtokenbased64_";
        proxy_pass $proxy_pass_url;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header Authorization $aut;
        proxy_hide_header Authorization;
    }
}
With this configuration, setting the auth header to a fixed value, it works, but this is not acceptable.
In the first definition, /kibana, I'm able to pass the auth header value as a parameter, but I cannot do it for the reverse proxy of assets and front end app, since I'm not able to add any dynamic information.
If I remove the authorization setting, then I get a too many redirects error.
If I remove the reverse proxy for the front end app, then I'm not able to log in.
Can anyone help me understand?
Thank you
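
One way to carry the credential from the /kibana entry request to the follow-up asset and API requests, as an added example that is not part of the original post: nginx stores the auth value in a cookie and rebuilds the Authorization header from it on later requests. The cookie name kbn_auth and the variables $token and $upstream_auth are assumptions, and the token is assumed to arrive without percent-encoding, since $arg_auth is not URL-decoded.

```nginx
# Added example. The map block belongs in the http {} context.
# Cookie name kbn_auth and the variable names are hypothetical.
# Prefer the proxy-set cookie; otherwise pass the client's own header through.
map $cookie_kbn_auth $upstream_auth {
    ""      $http_authorization;
    default "Basic $cookie_kbn_auth";
}

server {
    listen 80;
    server_tokens off;
    resolver 127.0.0.11;                        # internal Docker DNS
    set $proxy_pass_url http://elk_kibana:5601;

    # Entry point for other apps: /kibana/<path>?auth=<base64 of user:password>
    location /kibana/ {
        # Reject entry requests that carry no token at all.
        if ($arg_auth = "") {
            return 400;
        }
        # Capture the token before the rewrite: "break" ends rewrite-module
        # processing and the trailing "?" removes the query string, so the
        # token is not forwarded to Kibana in the URL.
        set $token $arg_auth;
        rewrite ^/kibana/(.*)$ /$1? break;

        # Hand the token to the browser so its next requests carry it.
        # HttpOnly keeps page scripts from reading the cookie.
        add_header Set-Cookie "kbn_auth=$token; Path=/; HttpOnly" always;
        proxy_set_header Authorization "Basic $token";
        proxy_set_header Host $host;
        proxy_pass $proxy_pass_url;
    }

    # Everything else (/app, /bundles, /api, /internal, ...) needs no
    # hard-coded token: the header is rebuilt per request from the cookie.
    location / {
        proxy_set_header Authorization $upstream_auth;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass $proxy_pass_url;
    }
}
```

Because the credential travels in the query string of the entry request, it is recorded in nginx access logs and in browser history. The cookie should also carry the Secure attribute once the client-facing hop is served over TLS.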