Do I have that correct, are you running Kibana in an iframe (e.g. by embedding that iframe dashboard link?), and that Kibana-instance sits behind your nginx reverse proxy?
I would have suggested the user:pwd in the URL too. Not sure why this doesn't work. Is this helpful at all: https://stackoverflow.com/questions/15639280/basic-authentication-for-a-url-in-an-iframe?
I would also look into the security plugin of xpack. It does this kind of thing, where you restrict access to Kibana to known users, but allow others to view dashboards.
Yes, Kibana is running on localhost:5601 and sits behind nginx reverse proxy and is mounted at /kibana.
I have a SaaS application written in Python Flask that already has an authentication mechanism. The only exposure of Kibana to the user is a preconfigured dashboard via an iframe. But currently if the user visits /kibana, he can see the instance. I want to restrict this while giving the user access to only the iframe.
My Flask app is unable to block /kibana access from the client as nginx is redirecting traffic to localhost:5601.
If I basic auth protect it, then the iframe also needs authentication which is a no-go. The stack posts you sent and many others basically state no browsers going forward will support embedded user:pwd in the URL.
I'm in development mode, so x-pack pricing is not an option right now. Having said that, based on other stack posts, I assume x-pack auth will have the same iframe auth issues as basic auth.
In summary, is there any other way to expose a kibana dashboard via iframe while restricting direct access to kibana instance itself?
Yes, if you continue to host Kibana behind a reverse proxy, you'll have the basic-auth issue.
With xpack.security, you wouldn't need to hide Kibana behind that proxy. You would still get an additional login screen though, which it seems is something you'd like to avoid.
One thing you could look into, and I'm not 100% sure if this is going to work, I'm not an nginx expert, but could you route your request to nginx based on the path and value of a query-parameter in the request?
If the request is to a path starting with /app and the embed=true query-parameter is present in the url, you pass on the request to kibana right away without authentication. If not, you require authentication.
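A sketch of the routing described in the reply above, added here as an example and not taken from the thread or from anyone's actual configuration. It assumes Kibana is proxied at /kibana/ to localhost:5601 as stated earlier; the realm name, listen port and htpasswd path are placeholders.

```nginx
# Added example. Place inside the http {} context.

# The map key is "<normalized path>|<value of the embed query argument>".
# The realm resolves to "off" (basic auth disabled) only when the path is
# under /kibana/app/ AND embed=true was sent. Every other request, including
# a path that itself contains "|", falls through to the default and must
# authenticate.
map "$uri|$arg_embed" $kibana_realm {
    default                      "Kibana";
    "~^/kibana/app/[^|]*\|true$" off;
}

server {
    listen 80;  # assumed

    location /kibana/ {
        # auth_basic accepts a variable; the value "off" skips the check.
        auth_basic           $kibana_realm;
        auth_basic_user_file /etc/nginx/kibana.htpasswd;  # assumed path

        # Trailing slash strips the /kibana/ prefix before proxying.
        proxy_pass       http://localhost:5601/;
        proxy_set_header Host $host;
    }
}
```

nginx only sees the query string that reaches the server, so an embed=true placed after a # fragment is never matched, and the requests the embedded page makes afterwards for assets and API calls do not carry the parameter and will still require credentials. Because the parameter is supplied by the client, this rule decides which requests get a login prompt; it does not by itself restrict who can reach the dashboard.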