Kibana authenticate iframe for nginx


(Arun Ramachandran) #1

I've seen old posts on this topic but they appear to talk about Shield. I'm not using Shield, but simply have a basic auth in nginx serving as a reverse proxy. This prevents direct access to Kibana, great. Now, I have an embedded iframe within my Flask app which I want to avoid having to provide the auth info. Can someone explain how I might be able to provide this auth info to the iframe so it goes through? I've seen examples of adding user:pwd in the URL but it does not work. If there is a JavaScript way of doing this, can someone provide the actual code to provide username:password so the iframe clears the nginx basic auth? Thanks in advance.


(Thomas Neirynck) #2

hi @Akramach

Do I have that correct, are you running Kibana in an iframe (e.g. by embedding that iframe dashboard link?), and that Kibana-instance sits behind your nginx reverse proxy?

I would have suggested the user:pwd in the URL too. Not sure why this doesn't work. Is this helpful at all: https://stackoverflow.com/questions/15639280/basic-authentication-for-a-url-in-an-iframe?

I would also look into the security plugin of xpack. It does this kind of thing, where you restrict access to Kibana to known users, but allow others to view dashboards.


(Arun Ramachandran) #3

Yes, Kibana is running on localhost:5601 and sits behind nginx reverse proxy and is mounted at /kibana.

I have a SaaS application written in Python Flask that already has an authentication mechanism. The only exposure of Kibana to the user is a preconfigured dashboard via an iframe. But currently if a user visits /kibana, he can see the instance. I want to restrict this while giving the user access to only the iframe.

My flask app is unable to block /kibana access from client as nginx is redirecting traffic to localhost:5601.

If I basic auth protect it, then the iframe also needs authentication which is a no-go. The stack posts you sent and many others basically state no browsers going forward will support embedded user:pwd in the URL.

I'm in development mode, so x-pack pricing is not an option right now. Having said that, based on other stack posts, I assume x-pack auth will have the same iframe auth issues as basic auth.

In summary, is there any other way to expose a kibana dashboard via iframe while restricting direct access to kibana instance itself?


(Thomas Neirynck) #4

hi @Akramach

thanks,

Yes, if you continue to host Kibana behind a reverse proxy, you'll have the basic-auth issue.

With xpack.security, you wouldn't need to hide Kibana behind that proxy. You would still get an additional login screen though, which it seems is something you'd like to avoid.

One thing you could look into, and I'm not 100% sure if this is going to work, I'm not an nginx expert, but could you route your request to nginx based on the path and value of a query-parameter in the request?

If the request is to a path starting with /app and the embed=true query-parameter is present in the url, you pass on the request to kibana right away without authentication. If not, you require authentication.

You would also allow any request without authentication to all the resources required by kibana (javascript, css, ...), I think any resources under the plugins, bundles, and ui folders.
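
The routing rule suggested in post #4, written out as an nginx configuration; this is an added example, not posted by any participant in the thread. The server name and htpasswd path are placeholders, and it assumes Kibana is configured with the /kibana base path from post #3 and that the iframe src carries embed=true in the real query string (anything after a # is never sent to nginx).

```nginx
# Realm for /kibana/app/ requests. auth_basic accepts a variable, and the
# special value "off" disables the check for that request.
map $arg_embed $kibana_app_realm {
    default "Kibana";   # no embed=true: ask for credentials
    "true"  off;        # ?embed=true present: pass through
}

server {
    listen 80;
    server_name example.test;                              # placeholder

    # Default: everything under /kibana/ requires basic auth.
    location /kibana/ {
        auth_basic           "Kibana";
        auth_basic_user_file /etc/nginx/kibana.htpasswd;   # assumed path
        proxy_pass           http://localhost:5601/;       # strips /kibana/
    }

    # Paths starting with /app: authentication is skipped only when the
    # request carries embed=true, as described in post #4.
    location /kibana/app/ {
        auth_basic           $kibana_app_realm;
        auth_basic_user_file /etc/nginx/kibana.htpasswd;   # assumed path
        proxy_pass           http://localhost:5601/app/;
    }

    # Static resources (JavaScript, CSS, ...) under plugins, bundles and ui
    # are served without authentication. A regex location cannot use a URI
    # in proxy_pass, so the prefix is removed with rewrite ... break.
    location ~ ^/kibana/(plugins|bundles|ui)/ {
        auth_basic off;
        rewrite    ^/kibana/(.*)$ /$1 break;
        proxy_pass http://localhost:5601;
    }
}
```

Because the rule keys on a request parameter, it separates the embed view from the full UI rather than one user from another. Any request Kibana makes outside /app, plugins, bundles and ui still falls into the authenticated default location.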

