Kibana 7.2 behind nginx

I'm trying to use nginx to authenticate users into Kibana with a token that is passed as a query parameter (i.e. ?token=XXXXXX). I'm totally new to nginx and I'm facing several problems, and would really appreciate some help.

When using a static authorization header it works just fine:

server {
    listen 8080;
    location / {
        proxy_pass http://localhost:5601;
        proxy_set_header Authorization "Basic ZWxhc3RpYzoxMjM0NTY=";
    }
}

But when I try something like:

server {
    listen 8080;
    # to open kibana
    location /kibana {
        proxy_pass http://localhost:5601/app/kibana;
        proxy_set_header Authorization "Basic $arg_token";
    }
    # for kibana to get its resources
    location / {
        proxy_pass http://localhost:5601/;
    }
}

and then I pass the token in the URL, it works for a second but then I get redirected to http://localhost:5601/logout?next=%2Fkibana%23%2Fhome%3F_g%3D()&msg=SESSION_EXPIRED and then it prompts me to log in again...
Can anyone help, please?
I'm using Kibana 7.2.
Thank you!

Hey @usfbh95,

Do you need two location blocks defined? Can you try something like this:

server {
    listen 8080;
    location / {
        proxy_pass http://localhost:5601/;
        proxy_set_header Authorization "Basic $arg_token";
    }
}

Thank you for your quick answer. Actually, this is the first thing I tried. Something weird happens: if I enter a valid token, there is some kind of redirection that causes the token to disappear and I get a security exception telling me that there is no token; otherwise (if the token is wrong) I get an error telling me that the token is wrong (so the token is still present).

Can you turn on verbose logging to get a better idea of what's causing this? In your kibana.yml, set:

logging.verbose: true
logging.quiet: false

Here are the logs in the case of a correct token (the token is: ZWxhc3RpYzoxMjM0NTY=):
https://pastebin.com/z4AeTrUL

Here are the logs when I pass a wrong token (the token is: WrongToken=):
https://pastebin.com/de21UunQ

Thanks for the logs. I had a typo in my setup, can you try the following?

server {
    listen 8080;
    location / {
        proxy_pass http://localhost:5601;
        proxy_set_header Authorization "Basic $arg_token";
    }
}

The difference here is that I removed the trailing slash in the proxy_pass command.

If you continue with the token-in-url route, you'll also need to strip off the token query parameter before sending the request to Kibana. Certain Kibana routes perform validation, and will reject requests that contain unexpected parameters. I'm not certain of the best way to do this with NGINX.

I'm also not sure what your entire system looks like, but this is likely not a secure setup. $arg_token is not an encrypted value, so anyone with access to the URLs will have access to the user credentials (username/password), since this is being pulled from a query string.
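
The two points in the reply above (the `token` parameter has to be removed before the request reaches Kibana, and a Basic token carried in a URL is readable by anyone who sees that URL), as an added Python example that is not part of the original thread. The helper names `split_token`, `decode_basic` and `audit_line` are hypothetical, and the credentials and access-log line are constructed sample data.

```python
import base64
import re
from urllib.parse import unquote, urlsplit, urlunsplit

PARAM = "token"  # query parameter name used in the thread
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
TOKEN_VALUE = re.compile(r'([?&]' + PARAM + r'=)[^&\s"]*')


def split_token(target):
    """Return (target_without_token, token or None); other parameters stay byte-for-byte."""
    parts = urlsplit(target)
    kept, token = [], None
    for field in parts.query.split("&"):
        name, _, value = field.partition("=")
        if name == PARAM:
            token = unquote(value)  # '=' padding may arrive as %3D
        elif field:
            kept.append(field)
    return urlunsplit(parts._replace(query="&".join(kept))), token


def decode_basic(token):
    """Return (user, password) if token is base64 of 'user:password', else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64, non-ASCII input and non-UTF-8 bytes
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def audit_line(line):
    """Return (redacted_line, exposed_user or None) for one access-log line."""
    match = REQUEST.search(line)
    token = split_token(match.group("target"))[1] if match else None
    creds = decode_basic(token) if token else None
    return TOKEN_VALUE.sub(r"\1REDACTED", line), creds[0] if creds else None


# Constructed sample: the credentials and the log line are made up for this example.
SAMPLE_TOKEN = base64.b64encode(b"demo_user:demo_pass").decode()
SAMPLE_LINE = ('127.0.0.1 - - [01/Jan/2020:00:00:00 +0000] '
               f'"GET /app/kibana?token={SAMPLE_TOKEN}&_g=() HTTP/1.1" 200 512 "-" "curl/7.0"')

if __name__ == "__main__":
    print(split_token(f"/app/kibana?token={SAMPLE_TOKEN}&_g=()"))
    print(audit_line(SAMPLE_LINE))
```

`split_token` shows what the proxied request line should look like once the parameter is removed; `audit_line` can be run over existing access logs to find and redact requests that already recorded a decodable credential.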

I did that but still have the same behavior.
Can you explain to me how to strip off the token as you said?
I know it's not so secure, I'm just trying to get it to work.

... any ideas, please?
