Hitting Security API Endpoint

Alright, I got something to work. I'm probably not going to list out every single step I did, but I found an IIS solution that worked for me. Sorry if you use Apache or NGINX. I'm not familiar with those web servers so I can't help there.

You must have a valid SSL Cert for IIS and IIS must be installed on the same server that your ELK stack is installed on. You may be able to spin up a free trial of this on an Azure VM and use Let's Encrypt to get an SSL Cert (or perhaps Azure has a way to let you get an SSL cert on the cheap from the portal).

OS: Windows Server 2019
Roles: Web Server (IIS)
IIS Component to install: URL Rewrite (latest version, mine reports 2.5)

The idea here is that you'll need a Reverse Proxy between the user browsing your site and Kibana. The Reverse proxy will be in charge of lying to your browser, telling it that the CORS request is valid. We have to do this because Kibana seemingly doesn't have CORS functionality exposed even though it's in the code from what I've seen on GitHub. That's why this question exists in the first place.

I can post my basic setup and if anyone has any questions I'll try to field them if I have a chance.

This is the page that will host the embedded dashboard. You'll have to pass the username and password somehow to the user. If you can figure out some process to encrypt it I suppose, but it really makes no difference because either way the user will have the cookie when they are logged in.
index.html code:

<!-- jQuery supplies $.ajax; the iframe is the element that login_success() points at the dashboard -->
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<iframe id="myiframe" width="100%" height="800"></iframe>
<script>
    // Body of the Kibana login call (real credentials omitted by the poster)
    var raw = JSON.stringify({ "username": "omittedusername", "password": "omittedpassword" });
    // Dashboard URL behind the IIS reverse proxy; only loaded once the login call has succeeded
    var iframeSource = "https://my-elk-proxy.com/app/kibana#/dashboard/e0eaa645-decd-45d9-b166-274c89374b5e?embed=true&omittedparams";

    function login_success(e) {
        console.log("Success");
        console.log(e);
        // The browser now holds the Kibana session cookie, so the embedded dashboard can load
        document.getElementById("myiframe").src = iframeSource;
    }

    function login_error(e) {
        console.log("error");
        console.log(e);
    }

    // Cross-origin POST to the Kibana security login endpoint, via the reverse proxy
    $.ajax("https://my-elk-proxy.com/internal/security/login", {
        method: 'POST',
        data: raw,
        crossDomain: true,
        xhrFields: {
            withCredentials: true   // send and accept cookies on this cross-origin request
        },
        beforeSend: function (xhr) {
            xhr.setRequestHeader('kbn-version', '7.8.0');   // must match the running Kibana version
            xhr.setRequestHeader('Content-Type', 'application/json');
        },
        success: login_success,
        error: login_error
    });
</script>

You will need to create a site in IIS with a binding on port 443 (SSL port).

You will need to find the URL Rewrite icon under the site you made and make sure the server variable HTTP_Authorization is allowed.

You will need to set up both inbound and outbound rules. Both inbound rules should be set up as "Reverse Proxy" while the outbound rule should be set up as "Blank rule":

Options Intercept, Rule 1 of 2
Note: The HTTP_Origin where it's blurred out is simply a regex that will match the Header "Origin" that's sent in the header. Mine was https://localhost:31345 for instance, but you can put multiple here as long as it's valid regex. This will keep sites you don't want hosting your dashboards from doing so; however, if you have multiple sites, it will not keep site A from hosting site B's content in the event that they were to get each other's credentials.

Options Intercept (same rule as above, don't save changes yet), Rule 2 of 2

General Proxy (this handles the subsequent calls after the OPTIONS call. The blurred out portion is the URL you go to for your Kibana instance)

Outbound Rule (This will make sure the cookie comes across so that future browser updates should allow this cookie to be set securely. If you don't do SameSite=None and Secure then you'll get a browser warning, but it should still work.)

Edit: I forgot to add what I used for the Precondition above. It looks like this. It basically checks to see if Set-Cookie exists in the unaltered ELK response before running the rule.

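Since the screenshots did not survive, here is a site web.config that expresses the same rule set (OPTIONS intercept, general proxy, outbound Set-Cookie rewrite with a precondition) in URL Rewrite XML. It is an added example, not the poster's actual configuration, and it goes one step further by adding a third catch-all rule so that only the allow-listed Origin ever receives CORS headers. It assumes Kibana on http://localhost:5601, the Origin https://localhost:31345 quoted above as the only allowed site, ARR installed with proxying enabled, and HTTP_Authorization plus the RESPONSE_Access-Control-* variables already allowed under the site's "View Server Variables" (IIS keeps that list in applicationHost.config).

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Options Intercept: answer the CORS preflight only for an Origin on the allow-list regex -->
        <rule name="Options Intercept" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{REQUEST_METHOD}" pattern="^OPTIONS$" />
            <add input="{HTTP_ORIGIN}" pattern="^https://localhost:31345$" />
          </conditions>
          <serverVariables>
            <set name="RESPONSE_Access-Control-Allow-Origin" value="{HTTP_ORIGIN}" />
            <set name="RESPONSE_Access-Control-Allow-Credentials" value="true" />
            <set name="RESPONSE_Access-Control-Allow-Headers" value="content-type, kbn-version, kbn-xsrf" />
          </serverVariables>
          <action type="Rewrite" url="http://localhost:5601/{R:1}" />
        </rule>
        <!-- General Proxy: echo only the allowed Origin (never "*") so the credentialed login response is readable; everything else is proxied by the rule below with no CORS headers -->
        <rule name="General Proxy" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_ORIGIN}" pattern="^https://localhost:31345$" />
          </conditions>
          <serverVariables>
            <set name="RESPONSE_Access-Control-Allow-Origin" value="{HTTP_ORIGIN}" />
            <set name="RESPONSE_Access-Control-Allow-Credentials" value="true" />
          </serverVariables>
          <action type="Rewrite" url="http://localhost:5601/{R:1}" />
        </rule>
        <rule name="Plain Proxy" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:5601/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Blank rule + precondition: tag Kibana's cookie so a cross-site iframe may still send it -->
        <rule name="Cookie SameSite" preCondition="Has Set-Cookie">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <action type="Rewrite" value="{R:0}; SameSite=None; Secure" />
        </rule>
        <preConditions>
          <preCondition name="Has Set-Cookie">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Requests from any other Origin match none of the CORS rules, so the browser refuses to expose the response to that page even though the cookie itself is still site-wide, which is the limitation the note about site A and site B describes.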