I have a single VM with Elastic 7.3.1 and Kibana 7.3.1 - a fresh install, just so I can do this without stepping on production stuff. The system works fine, log in with username and password, that's great. The nginx reverse proxy works fine, can log in through it, but trying to add an automatic authorization header has been fruitless.
Here is the current config:
server {
    listen 80;
    server_name elk.netwarsystem.com;
    access_log /var/log/nginx/elk.access.log;
    location / {
        proxy_pass http://192.168.88.124:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Authorization "Basic c3R1cGlkd2ViOnN0dXBpZHdlYgo=";
    }
}
I know what the first and last ones do - the proxy pass itself, and a base64 encoded string of "username:password" for Authorization. The rest I have copied from various posts I have read, doesn't seem to help/harm.
Here is the error I get:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [stupidweb] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } }"}
I have this in both elasticsearch.yml and kibana.yml.
xpack.security.enabled: true
If I use the following curl and enter the password, no problems here.
curl -u stupidweb 'http://localhost:9200/_xpack/security/_authenticate?pretty'
If I access Kibana directly I can log in with the username and password.
This really seems like something that should be written up and pinned in the Kibana support area - there are dozens of posts on it, none of them are particularly clear, none end with a solid answer containing all config files, etc, etc.
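
Added example, not part of the original post: the `Authorization` value in the config above is valid base64, but it decodes to the `username:password` pair followed by a line feed (0x0a), which is what `echo` without `-n` emits when piped into `base64`. The Python sketch below (function names are hypothetical; `demo_user`/`demo_pass` are constructed placeholders) inspects a Basic value for stray bytes of that kind and builds a clean one.

```python
import base64
import binascii

def inspect_basic_header(value):
    """Decode an HTTP Basic Authorization value and list anything that
    would make the server compare a different password than intended."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return {"ok": False, "problems": ["not a Basic authorization value"]}
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return {"ok": False, "problems": ["token is not valid base64"]}

    problems = []
    if b":" not in raw:
        problems.append("no ':' separator between user and password")
    user, _, password = raw.partition(b":")
    # Control bytes (LF, CR, TAB, ...) become part of the submitted password.
    ctrl = sorted({b for b in raw if b < 0x20 or b == 0x7F})
    if ctrl:
        problems.append("control bytes: " + ", ".join(f"0x{b:02x}" for b in ctrl))
    if raw != raw.strip():
        problems.append("leading/trailing whitespace in decoded credentials")
    return {
        "ok": not problems,
        "user": user.decode("utf-8", "replace"),
        "password_len": len(password),  # length only, never echo the secret
        "problems": problems,
    }

def build_basic_header(user, password):
    """Encode exactly 'user:password' with no trailing newline."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

if __name__ == "__main__":
    # Header value copied from the nginx config in the post.
    posted = "Basic c3R1cGlkd2ViOnN0dXBpZHdlYgo="
    print(inspect_basic_header(posted))
    # Constructed placeholder credentials.
    clean = build_basic_header("demo_user", "demo_pass")
    print(clean, inspect_basic_header(clean))
```

On the command line, `printf '%s' 'username:password' | base64` produces the same newline-free encoding as `build_basic_header`.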