Force Kibana url to be embedded always - deny if NOT embed=true

I have set up a Node.JS website that shows dashboards in an embedded iframe. It uses basic authentication and a reverse proxy to Kibana 5 using NGINX. So it's secure.
This website uses embedded iframes and looks pretty cool. Just as I wanted. So the iframe has a source something like below:


But since this link is in the client code, I don't want any smart users to figure out that removing "embed=true" from the querystring will take them directly to the Kibana page with all the admin options enabled, bypassing my awesome Node JS application's way of restricting which user should see which dashboard. :grin: I want any request that does not contain "embed=true" to be denied by the proxy server or by Kibana settings. I'm hoping this would be possible in the NGINX configuration file, but I cannot figure out how, because "embed=true" is part of the querystring, not the route. Or is this possible in Kibana settings somehow?

So for requests like below I want to return 403 Forbidden.

  • http://kibana_url:3002/app/kibana#/dashboard/My-Awesome-Dashboard
  • http://kibana_url:3002/app/kibana#/discover?_g=()
  • http://kibana_url:3002/app/kibana#/management?_g=()

I have configured port 3002 to reverse proxy port 5601 in NGINX as below:

server {
    listen 3002;
    server_name localhost;
    # HTTP basic auth in front of everything proxied to Kibana
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;

    # forward the Kibana app, API and asset paths to the local Kibana instance
    location ~ (/app/|/kibana/|/kibana5/|/ui/|/api/|/es_admin/|/elasticsearch/|/bundles/|/status|/plugins) {
        proxy_pass http://localhost:5601;
    }
}

There's no way to force that from Kibana. But afaik, you can filter on arguments by using the Lua Nginx module.


Hi, thanks for the answer. I have installed it, but then I realized that all Kibana URLs after app/kibana are anchor links. Anchor links are not sent to the server. And embed=true and any other filters come after the dash.

For the address below, NGINX or any other server will never get the details of the anchor. They are not part of the querystring. Only the bold parts will be sent to the server. So the control needs to be in the client code, which makes it a bit vulnerable.


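An added check, not part of the thread, that makes the point above concrete: it splits the URLs from the question, plus one constructed iframe-style URL carrying embed=true after the '#', into the part the browser actually sends to NGINX and the fragment it keeps to itself, and reports what a "deny unless embed=true" proxy rule (the $arg_embed check a Lua or plain NGINX rule would do) would return for each.

```python
from urllib.parse import urlsplit, parse_qs

# Three URLs from the question plus one constructed URL (the last one) shaped
# like the embedded iframe, with embed=true after the '#'.
SAMPLE_URLS = [
    "http://kibana_url:3002/app/kibana#/dashboard/My-Awesome-Dashboard",
    "http://kibana_url:3002/app/kibana#/discover?_g=()",
    "http://kibana_url:3002/app/kibana#/management?_g=()",
    "http://kibana_url:3002/app/kibana#/dashboard/My-Awesome-Dashboard?embed=true&_g=()",
]


def split_request(url):
    """Return (server_visible, fragment).

    A browser sends only the path and the query to the server; everything
    after '#' stays in the browser, so NGINX never receives it.
    """
    parts = urlsplit(url)
    server_visible = parts.path + ("?" + parts.query if parts.query else "")
    return server_visible, parts.fragment


def embed_flag_seen_by_server(url):
    """True only if embed=true sits in the query NGINX actually receives."""
    return parse_qs(urlsplit(url).query).get("embed") == ["true"]


def embed_flag_in_fragment(url):
    """True if embed=true lives in the fragment, i.e. only the browser sees it."""
    fragment = urlsplit(url).fragment
    # Kibana's hash routes carry their own '?...' section inside the fragment.
    frag_query = fragment.partition("?")[2]
    return parse_qs(frag_query).get("embed") == ["true"]


def proxy_rule_verdict(url):
    """Status a 'deny unless embed=true in the query' rule at the proxy would return."""
    return 200 if embed_flag_seen_by_server(url) else 403


def audit(urls):
    """(url, proxy verdict, embed flag hidden in fragment) for each URL."""
    return [(u, proxy_rule_verdict(u), embed_flag_in_fragment(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict, hidden in audit(SAMPLE_URLS):
        print(f"{verdict}  embed-in-fragment={hidden}  server sees: {split_request(url)[0]}")
```

Every sample URL, including the legitimate iframe one, gets 403 from such a rule, because the server-visible part is always just /app/kibana; the flag only reaches the server when it is placed before the '#'.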