r_aravind
(r aravind)
March 12, 2021, 12:47pm
1
I have set up my ELK stack Kibana instance in Azure Kubernetes. I have exposed my Kibana service to an external load balancer and am accessing the load balancer service using DNS from NGINX ingress.
I have tried accessing the Elasticsearch endpoint using the command below, and it is giving me a response:
curl --cacert tls.crt -u elastic:$PW https://:9200$NAME-es-http/
After clearing the browser cache (I tried in both Chrome and Edge, latest versions),
when I try to hit the DNS,
the Welcome to Elastic page loads correctly without any console error.
Then I tried logging in using the username elastic and the corresponding generated password.
It again downloads some 21.5 MB resource in the console and again shows the same login page to enter credentials.
Please help me to solve this.
rashmi
(kulkarni)
March 12, 2021, 3:46pm
2
What version of Chrome and what version of the stack are you using?
Can you try in an incognito window or any other browser? Do the logs say anything?
r_aravind
(r aravind)
March 12, 2021, 5:29pm
3
My Chrome version is Version 89.0.4389.82 (Official Build) (64-bit).
I also tried in an incognito window; same problem.
I checked the Kibana pod log also; no errors.
As suggested in another discussion, I have used
xpack.security.sameSiteCookies : None
under the config section of my Kibana YAML.
That gives me internal server down, so I removed it.
rashmi
(kulkarni)
March 12, 2021, 5:34pm
4
What do the Kibana logs say?
Can you try in Firefox?
r_aravind
(r aravind)
March 13, 2021, 5:05pm
5
The Kibana pod log is continuously generating; I am not able to track the logs.
Is there any other place I need to check the log for the Kubernetes pod?
r_aravind
(r aravind)
March 15, 2021, 9:41am
6
The only error we are getting is in the UI: "Your browser does not meet the security requirements for Kibana."
We also tried in Firefox; same issue.
In the console alone we are getting the below warning
r_aravind
(r aravind)
March 15, 2021, 10:52am
7
The below message we got in the Kibana pod looks suspicious.
{"type":"response","@timestamp ":"2021-03-13T07:46:03Z","tags": ,"pid":7,"method":"post","statusCode":401,"req":{"url":"/internal/security/login","method":"post","headers":{"host":"xxx-dev-xxx.xxxxx.com ","x-real-ip":"xx.x.x.xx","x-forwarded-for":"xx.0.5.xx","x-forwarded-host":"xxxx-dev-xx.xxx.com ","x-forwarded-port":"443","x-forwarded-proto":"https","connection":"close","content-length":"190","sec-ch-ua":""Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36 managedpc (xxxxxxx)","kbn-version":"7.10.1","content-type":"application/json","accept":"/ ","origin":"https://xxxxx-dev-xx.xxxx.com ","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://xxxx-dev-xx.xxxx.com/login?next=%2F","accept-encoding":"gzip , deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"xx.0.5.xx","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36 managedpc (xxxxxxx)","referer":"https://xx-dev-xx.xxxx.com/login?next=%2F"},"res":{"statusCode":401,"responseTime":24,"contentLength":9},"message":"POST /internal/security/login 401 24ms - 9.0B"}
rashmi
(kulkarni)
March 15, 2021, 3:01pm
8
Kibana shows this message if a browser doesn't support content-security-policy, which shouldn't be a problem for all the modern browsers except IE11.
Do you have a proxy in front of Kibana that could affect set CSP headers?
More details: Provide a doc link to IE 11 users when showing "Your browser does not meet the security requirements.." · Issue #38781 · elastic/kibana · GitHub
Thanks
Rashmi
r_aravind
(r aravind)
March 17, 2021, 6:10pm
9
Yes, we have defined the below set of proxy rules:
annotations:
  kubernetes.io/ingress.class: nginx
  nginx.org/client-max-body-size: 4m
  nginx.org/proxy-connect-timeout: 30s
  nginx.org/proxy-read-timeout: 20s
  #nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  #nginx.org/redirect-to-https: "True"
  #ingress.kubernetes.io/ssl-redirect: "True"
  nginx.org/server-snippets: |
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header Cache-Control "private, max-age=31536000" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src https://*.XXX.com https://*.elastic.co https://grafana.com 'unsafe-inline' blob:; worker-src https://*.XXX.com 'unsafe-inline' blob:; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; font-src 'self' data:; block-all-mixed-content; upgrade-insecure-requests" always;
    add_header X-XSS-Protection "1; mode=block" always;
    location = /robots.txt {
      return 200 "User-agent: *\nDisallow: /\n";
    }
  nginx.org/location-snippets: |
    proxy_hide_header Cache-Control;
    proxy_hide_header Content-Security-Policy;
Please let me know if the above headers are blocking anything.
system
(system)
Closed
April 14, 2021, 6:11pm
10
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
rashmi
(kulkarni)
May 3, 2021, 5:06pm
11
@LeeDr / @jbudz - any idea why this would be?
jbudz
(Jon Budzenski)
May 3, 2021, 7:53pm
12
I would advise removing the CSP headers at the proxy level as a starting point. The error occurs during a CSP validation phase from Kibana. Kibana will attach its own requirements if they're forwarded.
Is there a requirement to have these enforced by the proxy?
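Added example, not part of the thread and not Kibana or NGINX code: a Python model of the proxy_hide_header / add_header snippets posted above, showing which Content-Security-Policy reaches the browser and whether inline scripts are still blocked. PROXY_CSP is abridged from the posted annotation; UPSTREAM_CSP is a constructed stand-in for the policy Kibana sends, and all function names are hypothetical.

```python
# Abridged from the add_header line in the posted ingress annotation.
PROXY_CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
             "img-src 'self' data:; style-src 'self' 'unsafe-inline'; "
             "script-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:")
# Constructed stand-in (assumption); the real value depends on Kibana version and config.
UPSTREAM_CSP = ("script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; "
                "style-src 'unsafe-inline' 'self'")
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def apply_proxy(upstream, hide, add):
    """Mimic proxy_hide_header (drop upstream header), then add_header (append)."""
    hidden = {name.lower() for name in hide}
    kept = [(k, v) for k, v in upstream if k.lower() not in hidden]
    return kept + list(add)


def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}; the first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def inline_scripts_allowed(policy):
    """True if this one policy lets an inline <script> run (script-src-elem not modeled)."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # neither script-src nor default-src: scripts are unrestricted
    lowered = [s.lower() for s in sources]
    # A nonce or hash source makes browsers ignore 'unsafe-inline'.
    if any(s.startswith(HASH_OR_NONCE) for s in lowered):
        return False
    return "'unsafe-inline'" in lowered


def browser_allows_inline(headers):
    """Every CSP header is enforced, so inline runs only if all of them allow it."""
    policies = [v for k, v in headers if k.lower() == "content-security-policy"]
    return all(inline_scripts_allowed(p) for p in policies)
```

With the configuration as posted, the only policy the browser sees is the proxy's, which permits inline scripts; with the header forwarded untouched, or with both headers present, inline scripts stay blocked.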