Basic auth on Kibana using nginx


(Shahid Ali Khan) #1

Hey,

I was trying to implement nginx basic auth to Kibana OSS 6.3.1 using proxy pass.

After Implementing I encountered an issue that the resources don't load on the page and show's authorization exception (403).
The same works fine with proxy pass alone without using auth.

nginx configuration

    server {
            listen 80;
            listen [::]:80;

            server_name test.com;
            root /var/www/test.com/public;

            # reverse proxy
            location / {
                    proxy_pass http://127.0.0.1:5601;

                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header X-Forwarded-Host $host;
                    proxy_set_header X-Forwarded-Port $server_port;
                    proxy_cache_bypass $http_upgrade;
                    auth_basic "Restricted Content";
                    auth_basic_user_file /etc/nginx/.htpasswd;	
            }
    }

After trying to access the webpage, it dosen't show any error logs.

Does Kibana OSS support basic auth?
If yes than How can I achieve this?


(Larry Gregory) #2

@shahid3507,

Kibana OSS supports this setup. I just tested version 6.3.1 OSS behind an nginx reverse proxy, using the exact configuration you have in your location block above, except I swapped out the user_file for something on my own machine:

server {
        listen       8080;
        server_name  localhost;

        root /usr/local/etc/nginx/public;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            proxy_pass http://127.0.0.1:5601;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_cache_bypass $http_upgrade;
            auth_basic "Restricted Content";
            auth_basic_user_file "/usr/local/etc/nginx/password_list";
        }
}

When I navigate to http://localhost:8080, I am asked for a username/password. Once I enter it, nginx correctly forwards me to Kibana, which works as expected.

Are you seeing anything in your nginx access or error logs? What does the Kibana log file say?


(Shahid Ali Khan) #3

@Larry_Gregory Have you used a simple text file for password or an encrypted file. ?

The below are the access logs.

192.168.0.1 - admin [30/Nov/2018:07:35:19 +0000] "GET /app/kibana HTTP/1.1" 200 13244 "http://.test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:19 +0000] "GET /bundles/app/kibana/bootstrap.js HTTP/1.1" 200 655 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /ui/favicons/favicon-32x32.png HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /bundles/vendors.style.css HTTP/1.1" 200 17253 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /bundles/kibana.style.css HTTP/1.1" 200 34134 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /bundles/commons.style.css HTTP/1.1" 200 40891 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /ui/favicons/favicon-16x16.png HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /ui/favicons/favicon.ico HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:23 +0000] "GET /bundles/vendors.bundle.js HTTP/1.1" 200 1312124 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:25 +0000] "GET /bundles/commons.bundle.js HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:25 +0000] "GET /bundles/kibana.bundle.js HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:26 +0000] "GET /ui/fonts/open_sans/open_sans_v15_latin_regular.woff2 HTTP/1.1" 200 14048 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_5_0 HTTP/1.1" 200 11613 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/discover.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/dashboard.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /api/saved_objects/_find?type=index-pattern&per_page=10000 HTTP/1.1" 403 106 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/visualize.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/timelion/icon.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /bundles/ebdca7741674eca4e1fadeca157f3ae6.svg HTTP/1.1" 304 0 "http://test.com/bundles/commons.style.css" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/play-circle.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/settings.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/wrench.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"

(Larry Gregory) #4

I am using a password file generated by the htpasswd utility, which is one of the supported formats for the basic auth nginx module that you're using.

My test file looks something like this:

admin:$apr1$u.lo0CK7$gxBFT1oXM8cIrWSv381eM1
larry:$apr1$./Pk4mEL$HTFtGrDrS8nsWBwEatDGs1

Your logs look fine to me. Anything useful in your kibana.log file?


(Shahid Ali Khan) #5

What happens is that always the kibana get's loaded but it's contents dosen't gets loaded and give 403 (forbidden) in browser console.

Things work fine without auth.


(Larry Gregory) #6

I need to see your kibana logs in order to diagnose this any further. Make sure to set logging.verbose: true in your kibana.yml as well, so we can get detailed output