Kibana can't open through nginx


I am using ELK stack 7.9 with xpack-security. When I don't use nginx it works properly (a Kibana login page comes up). When I use nginx, I provide the nginx username and password but the Kibana page doesn't open. I want to run Kibana on port 443.

Hi @Aniket_Pant,

Can you share your nginx config?

Thanks,
Liza

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    listen 80;
    server_name 192.168.0.100;
    return 301 https://192.168.0.100;
}

server {
    ## Log location ##
    #access_log /var/log/nginx/kibana.access.log;
    #error_log /var/log/nginx/kibana.error.log;
    ## End ##

    ## (Web) Server Configuration ##
    listen 443 ssl;
    ssl_certificate_key /etc/ssl/private/HELK.key;
    ssl_certificate /etc/ssl/certs/HELK.crt;
    ssl_session_cache shared:SSL:10m;
    ## End ##

    ## Hide Version ##
    server_tokens off;
    ## End ##

    ## Some Hardening/Security ##
    # Web Server Attack (ie: XSS, Clickjacking)
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    # BufferOverflow Hardening
    client_body_buffer_size  500K;
    client_header_buffer_size 1k;
    client_max_body_size 7500k;
    # TLS/SSL
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    # HTTP Methods
    # DELETE is required for some index management
    if ($request_method !~ ^(GET|PUT|POST|DELETE)$ ) {
        return 444;
    }
    ## End ##

    ## Timeout definitions ##
    proxy_connect_timeout 900;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     10 10;
    send_timeout 10;
    ## End ##

    ## Performance Tuning ##
    gzip             on;
    gzip_comp_level  1;
    gzip_min_length  1000;
    gzip_proxied     expired no-cache no-store private auth;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    ## End ##

    ## Kibana Settings / Kibana Proxy ##
    # Kibana generates really long URI's so need to set this
    large_client_header_buffers 4 64k;

    # Proxy forward to elasticsearch
    location / {
        ## Local Authentication ##
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/htpasswd.users;
        ## End ##  

        proxy_pass https://192.168.0.100:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;     
    }
    ## End ##
}

The problem is that I can't get the Kibana UI page. I just want nginx to redirect Kibana's 5601 to 443, that is https://192.168.0.100. I don't know where it is going wrong. A Kibana login page should come up, but it is just showing me a 401 error, unable to authenticate.

I need a solution for it; I tried everything.

Thanks @Aniket_Pant,

Let's see if we can get to the bottom of the issue. If you can describe a bit more of the setup you are trying. Are you using Kibana default or OSS packages? Can you share your Kibana configurations? Are there any error messages in your Kibana and nginx logs?

Thanks for replying to me, @LizaD.
The problem I am facing is that I should get the Kibana login UI, but whenever I go to https://192.168.0.100 the authentication popup box comes up, I provide the username and password, and it gives me an error like "unable to authenticate user helk".
The Kibana logs show me:


{"type":"log","@timestamp":"2020-11-17T22:03:14Z","tags":["info","plugins","security","authentication"],"pid":3366,"message":"Authentication attempt failed: [security_exception] unable to authenticate user [helk] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } }"}
{"type":"response","@timestamp":"2020-11-17T22:03:14Z","tags":[],"pid":3366,"method":"get","statusCode":401,"req":{"url":"/","method":"get","headers":{"connection":"upgrade","host":"10.197.232.100","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","upgrade-insecure-requests":"1"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"},"res":{"statusCode":401,"responseTime":47,"contentLength":9},"message":"GET / 401 47ms - 9.0B"}

My kibana.yml file:

# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "helk-kibana"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name.  This is used for display purposes.
#server.name: "helk-kibana"

# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["http://ec1:9200", "http://ec2:9200"]

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana_system"
elasticsearch.password: "kibana"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: "/usr/share/kibana/HELK.crt"
#server.ssl.key: "/usr/share/kibana/HELK.key"

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ es-security-runas-user,authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
#elasticsearch.logQueries: false

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid
#
logging.rotate:
  enabled: true
  everyBytes: 10485760
#
# Enables you to specify a file where Kibana stores log output.
logging.dest: /var/log/kibana/kibana.log

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en"
#xpack.monitoring.enabled: true
#xpack.monitoring.ui.elasticsearch.hosts: ["http://ec1:9200","http://ec2:9200"]
#xpack.monitoring.ui.elasticsearch.username: "kibana_system"
#xpack.monitoring.ui.elasticsearch.password: "kibana"
#xpack.monitoring.collection.enabled: true

My objective is that users can log in to their Kibana account and do their dashboarding.

I found this discuss post that may help: Secure my ELK - nginx credentials

Also pinging one of security team members @jportner who may help us. Joe, have you worked with this setup and know what needs to be done to pass in the correct authentication from the proxy to Kibana?

I did this earlier: I created a role in nginx and a user also... but it takes me to the dashboarding page. I want the Kibana login UI.

Hey @Aniket_Pant,

I assume the 401 error you see is because of these lines in your nginx config:

auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/htpasswd.users;

That means that nginx will first ask you for the credentials, then validate them against the user list in /etc/nginx/htpasswd.users, and then pass them on to Kibana too in the Authorization: Basic xxxx header. When Kibana sees such a header, it extracts the credentials from it and automatically tries to use them to authenticate the user in Elasticsearch using its Native security realm.

If your request includes an Authorization: xxx xxx HTTP header, Kibana will never show the login screen.

But the question is: why do you need authentication both on the nginx and Kibana level?

Best,
Oleg
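
The header flow described in the answer above, shown as an nginx configuration fragment. This is an added example, not part of the original thread; the paths, upstream address and the `$connection_upgrade` map are taken from the config posted earlier, and the choice between the two options is an assumption about what the deployment needs.

```nginx
# Added example, not from the original thread.
# Goes inside the existing "server { listen 443 ssl; ... }" block.

# Posted behaviour (for comparison): nginx validates the Basic credentials and
# then forwards the same Authorization header upstream. Kibana tries those
# credentials against Elasticsearch and answers 401 instead of showing its
# login form.
#
# location / {
#     auth_basic "Restricted Access";
#     auth_basic_user_file /etc/nginx/htpasswd.users;
#     proxy_pass https://192.168.0.100:5601;
# }

# Option A: keep nginx Basic auth as an outer gate, but do not forward the
# header. Setting a proxied header to an empty string makes nginx omit it.
location / {
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    proxy_set_header Authorization "";   # Kibana never sees the nginx credentials
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # Uses the map defined at the top of the posted config
    proxy_set_header Connection $connection_upgrade;
    proxy_pass https://192.168.0.100:5601;
}

# Option B: a single layer of authentication. Drop both auth_basic lines and
# let Kibana's own login, backed by Elasticsearch security, do the work.
#
# location / {
#     proxy_set_header Host $host;
#     proxy_pass https://192.168.0.100:5601;
# }
```

With Option A, any client that authenticates to Kibana by sending its own Authorization header through this proxy stops working, because nginx strips the header on every request.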

It is working because I am not using the Authorization header.

I'm not sure I understand what you mean to be honest, auth_basic does use Authorization header. And what exactly is working and what isn't?

I mean auth_basic. I thought they worked differently; now I get your point. I was using authentication both on Kibana and nginx.
