shahid3507
(Shahid Ali Khan)
November 30, 2018, 9:11am
1
Hey,
I was trying to implement nginx basic auth to Kibana OSS 6.3.1 using proxy pass.
After implementing it, I encountered an issue where the resources don't load on the page and it shows an authorization exception (403).
The same works fine with proxy pass alone without using auth.
nginx configuration
server {
    listen 80;
    listen [::]:80;
    server_name test.com;
    root /var/www/test.com/public;

    # reverse proxy
    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_cache_bypass $http_upgrade;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
After trying to access the webpage, it doesn't show any error logs.
Does Kibana OSS support basic auth?
If yes, then how can I achieve this?
@shahid3507 ,
Kibana OSS supports this setup. I just tested version 6.3.1 OSS behind an nginx reverse proxy, using the exact configuration you have in your location block above, except I swapped out the user_file for something on my own machine:
server {
    listen 8080;
    server_name localhost;
    root /usr/local/etc/nginx/public;
    #charset koi8-r;
    #access_log logs/host.access.log main;

    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_cache_bypass $http_upgrade;
        auth_basic "Restricted Content";
        auth_basic_user_file "/usr/local/etc/nginx/password_list";
    }
}
When I navigate to http://localhost:8080, I am asked for a username/password. Once I enter it, nginx correctly forwards me to Kibana, which works as expected.
Are you seeing anything in your nginx access or error logs? What does the Kibana log file say?
shahid3507
(Shahid Ali Khan)
December 3, 2018, 2:03pm
3
@Larry_Gregory Have you used a simple text file for the password or an encrypted file?
Below are the access logs.
192.168.0.1 - admin [30/Nov/2018:07:35:19 +0000] "GET /app/kibana HTTP/1.1" 200 13244 "http://.test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:19 +0000] "GET /bundles/app/kibana/bootstrap.js HTTP/1.1" 200 655 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /ui/favicons/favicon-32x32.png HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /bundles/vendors.style.css HTTP/1.1" 200 17253 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /bundles/kibana.style.css HTTP/1.1" 200 34134 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /bundles/commons.style.css HTTP/1.1" 200 40891 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /ui/favicons/favicon-16x16.png HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /ui/favicons/favicon.ico HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:23 +0000] "GET /bundles/vendors.bundle.js HTTP/1.1" 200 1312124 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:25 +0000] "GET /bundles/commons.bundle.js HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:25 +0000] "GET /bundles/kibana.bundle.js HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:26 +0000] "GET /ui/fonts/open_sans/open_sans_v15_latin_regular.woff2 HTTP/1.1" 200 14048 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_5_0 HTTP/1.1" 200 11613 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/discover.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/dashboard.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /api/saved_objects/_find?type=index-pattern&per_page=10000 HTTP/1.1" 403 106 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/visualize.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/timelion/icon.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /bundles/ebdca7741674eca4e1fadeca157f3ae6.svg HTTP/1.1" 304 0 "http://test.com/bundles/commons.style.css" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/play-circle.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/settings.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /plugins/kibana/assets/wrench.svg HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36"
I am using a password file generated by the htpasswd utility, which is one of the supported formats for the basic auth nginx module that you're using.
My test file looks something like this:
admin:$apr1$u.lo0CK7$gxBFT1oXM8cIrWSv381eM1
larry:$apr1$./Pk4mEL$HTFtGrDrS8nsWBwEatDGs1
Your logs look fine to me. Anything useful in your kibana.log file?
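Added example, not written by either participant in this thread: a triage of nginx access-log lines in the format posted above. nginx's auth_basic answers a missing or wrong password with 401, so in a config like the one posted (assumed to have no other access rules) a 403 logged next to a username was refused after the proxy's password check. The sample lines are constructed, modelled on the posted log, and the function names are hypothetical.

```python
import re
from collections import Counter

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["uri"].split("?", 1)[0]  # drop the query string
    return rec

def triage(lines):
    """Count statuses and separate 401s (auth_basic challenge or bad password)
    from 403s that were logged with a username (refused despite credentials)."""
    statuses, challenged, refused = Counter(), [], []
    for rec in filter(None, map(parse, lines)):
        statuses[rec["status"]] += 1
        if rec["status"] == 401:
            challenged.append(rec)
        elif rec["status"] == 403 and rec["user"] != "-":
            refused.append(rec)
    return statuses, challenged, refused

# Constructed sample: first line is the unauthenticated challenge, the rest
# mirror the shape of the lines posted in the thread (user agent shortened).
SAMPLE = [
    '192.168.0.1 - - [30/Nov/2018:07:35:10 +0000] "GET /app/kibana HTTP/1.1" 401 195 "-" "Mozilla/5.0"',
    '192.168.0.1 - admin [30/Nov/2018:07:35:19 +0000] "GET /app/kibana HTTP/1.1" 200 13244 "-" "Mozilla/5.0"',
    '192.168.0.1 - admin [30/Nov/2018:07:35:20 +0000] "GET /bundles/kibana.style.css HTTP/1.1" 200 34134 "http://test.com/app/kibana" "Mozilla/5.0"',
    '192.168.0.1 - admin [30/Nov/2018:07:35:25 +0000] "GET /bundles/kibana.bundle.js HTTP/1.1" 304 0 "http://test.com/app/kibana" "Mozilla/5.0"',
    '192.168.0.1 - admin [30/Nov/2018:07:35:27 +0000] "GET /api/saved_objects/_find?type=index-pattern&per_page=10000 HTTP/1.1" 403 106 "http://test.com/app/kibana" "Mozilla/5.0"',
]

if __name__ == "__main__":
    statuses, challenged, refused = triage(SAMPLE)
    print("status counts:", dict(statuses))
    for rec in refused:
        print("403 with credentials:", rec["user"], rec["method"], rec["path"])
```
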
shahid3507
(Shahid Ali Khan)
December 3, 2018, 2:55pm
5
What happens is that Kibana always gets loaded, but its contents don't get loaded and give 403 (forbidden) in the browser console.
Things work fine without auth.
I need to see your kibana logs in order to diagnose this any further. Make sure to set logging.verbose: true in your kibana.yml as well, so we can get detailed output.