Kibana Security in conjunction with nginx

I've been trying to set up security, so I've enabled xpack and the p12 certificate on elasticsearch

elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12

I've also enabled
elasticsearch-setup-passwords interactive

./kibana-keystore list
elasticsearch.username
elasticsearch.password

kibana.yml

elasticsearch.username: "kibana"
elasticsearch.password: "elasticsearch.password"

How do I use this setup with nginx reverse proxy

All I get is

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

Also when I enable

#Encrypting HTTP Client communications
#xpack.security.http.ssl.enabled: true
#xpack.security.http.ssl.keystore.type: PKCS12
#xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
#xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12

I get an error

[2019-06-08T19:36:46,473][WARN ][o.e.h.AbstractHttpServerTransport] [ndelk2] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/127.0.0.1:35400}
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a417574686f72697a6174696f6e3a204261736963205a57786863335270597a70335953466b5a5849320d0a486f73743a206c6f63616c686f73743a393230300d0a436f6e74656e742d4c656e6774683a20300d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:556) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:510) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909) [netty-common-4.1.32.Final.jar:4.1.32.Final]
        at java.lang.Thread.run(Thread.java:835) [?:?]

If I go to serverip/login I can get to the login page, it detects if I type in an incorrect password but if I log in using the correct one I get forbidden :confused:
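The `NotSslRecordException` warning above means a client sent plaintext to port 9200 after `xpack.security.http.ssl.enabled: true` was switched on: the hex after "not an SSL/TLS record" is the raw bytes received, and it starts with `48454144202f20`, which is ASCII for `HEAD / `. Because Elasticsearch logs those bytes verbatim, the line also contains the request's `Authorization` header, so the log itself should be treated as sensitive. The following added example (not code from the thread or from Elastic) parses such lines, decodes the payload, and reports who sent plaintext and whether credentials were included, while redacting the header values. The log line it runs on is constructed inline with a placeholder password; the node name `node1` and the helper names are assumptions.

```python
import base64
import re

# Constructed sample: the hex payload is built from a plaintext HTTP request with a
# placeholder password, so no real credential from the thread appears here.
_SAMPLE_REQUEST = (
    b"HEAD / HTTP/1.1\r\n"
    b"Authorization: Basic " + base64.b64encode(b"elastic:placeholder-password") + b"\r\n"
    b"Host: localhost:9200\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
SAMPLE_LOG = (
    "[2019-06-08T19:36:46,473][WARN ][o.e.h.AbstractHttpServerTransport] [node1] "
    "caught exception while handling client http traffic, closing connection "
    "Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/127.0.0.1:35400}\n"
    "io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: "
    "not an SSL/TLS record: " + _SAMPLE_REQUEST.hex() + "\n"
)

NOT_SSL_RE = re.compile(r"NotSslRecordException: not an SSL/TLS record: ([0-9a-fA-F]+)")
REMOTE_RE = re.compile(r"remoteAddress=/([^}]+)\}")
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def decode_record(hex_payload):
    """Decode the hex bytes Netty logged into (request_line, headers), masking secrets."""
    text = bytes.fromhex(hex_payload).decode("ascii", errors="replace")
    lines = text.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:  # empty line ends the header block
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in SENSITIVE_HEADERS:
            value = "<redacted>"
        headers[name] = value
    return request_line, headers


def find_plaintext_clients(log_text):
    """One finding per NotSslRecordException: remote peer, request line, Host header,
    and whether the plaintext request carried credentials."""
    findings = []
    remote = None  # the WARN line with remoteAddress precedes the exception line
    for line in log_text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remote = m.group(1)
        m = NOT_SSL_RE.search(line)
        if m:
            request_line, headers = decode_record(m.group(1))
            findings.append({
                "remote": remote,
                "request_line": request_line,
                "host": headers.get("host"),
                "sent_credentials": "authorization" in headers,
            })
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_clients(SAMPLE_LOG):
        print(finding)
```

In the thread's log the remote address is 127.0.0.1, i.e. a local client such as Kibana still configured with an `http://` URL for Elasticsearch; once HTTP TLS is enabled on Elasticsearch, every client that talks to port 9200 has to switch to `https://` and trust the certificate, or it will keep producing this warning.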

Here's nginx error.log

2019/06/09 20:04:54 [error] 19465#19465: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 10.131.175.99, server: 192.168.131.104, request: "GET /built_assets/dlls/vendors.style.dll.css HTTP/2.0", upstream: "http://[::1]:5601/built_assets/dlls/vendors.style.dll.css", host: "192.168.131.104", referrer: "https://192.168.131.104/login"

Now that I narrowed it down, I commented out some nginx settings and it's working

#auth_basic "Restricted Access";
#auth_basic_user_file /etc/nginx/htpasswd.kibana;


#    proxy_http_version 1.1;
#    proxy_set_header Upgrade $http_upgrade;
#    proxy_set_header Connection 'upgrade';
#    proxy_set_header Host $host;
#    proxy_cache_bypass $http_upgrade;

Hmm, is your preference to use elasticsearch's security or nginx's basic auth? My best guess is the two are conflicting. Kibana authenticates by setting the same auth headers as nginx.
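The conflict described in the reply can be traced header by header: after nginx's `auth_basic` challenge, the browser attaches nginx's `Authorization: Basic ...` to every request; nginx checks it and forwards the request upstream with the header still attached; Kibana's security plugin then sees an `Authorization` header and validates those nginx credentials against Elasticsearch, where they do not exist. The following added simulation (not Kibana's or nginx's code) models that flow and the two ways out of it: drop nginx basic auth, or keep it and strip the header with nginx's `proxy_set_header Authorization "";` (an empty value makes nginx not pass the header upstream). The users, passwords, session id and the shape of the rendered `location` block are constructed assumptions, and the Kibana model (header wins over session cookie) is a simplification.

```python
import base64

# Constructed credentials and session for the simulation (none of these are from the thread).
NGINX_HTPASSWD = {"proxyuser": "proxy-secret"}   # contents of /etc/nginx/htpasswd.kibana
ES_USERS = {"kibana_admin": "es-secret"}          # users known to Elasticsearch security
KIBANA_SESSIONS = {"sid-123": "kibana_admin"}     # Kibana session cookie -> logged-in user


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' value the way a browser does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _parse_basic(auth_value):
    """Return (user, password) from a Basic header value, or None if absent / not Basic."""
    if not auth_value or not auth_value.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(auth_value[6:]).decode().partition(":")
    return user, password


def nginx_auth_basic(headers):
    """Model of nginx auth_basic: 200 if the header matches the htpasswd file, else 401.
    After a successful check nginx forwards the Authorization header upstream unchanged."""
    creds = _parse_basic(headers.get("authorization"))
    if creds and NGINX_HTPASSWD.get(creds[0]) == creds[1]:
        return 200
    return 401


def kibana_authenticate(headers):
    """Simplified model (assumption) of Kibana's basic provider: an Authorization header,
    when present, is checked against Elasticsearch and takes precedence over the cookie."""
    creds = _parse_basic(headers.get("authorization"))
    if creds:
        return creds[0] if ES_USERS.get(creds[0]) == creds[1] else None
    cookie = headers.get("cookie", "")
    session_id = cookie[4:] if cookie.startswith("sid=") else ""
    return KIBANA_SESSIONS.get(session_id)


def proxy_request(headers, nginx_basic_auth, strip_authorization=False):
    """Send one browser request through the nginx model, then the Kibana model.
    Returns 'ok:<user>', 'nginx:401' or 'kibana:forbidden'."""
    forwarded = dict(headers)
    if nginx_basic_auth:
        if nginx_auth_basic(forwarded) != 200:
            return "nginx:401"
        if strip_authorization:  # equivalent of: proxy_set_header Authorization "";
            forwarded.pop("authorization", None)
    user = kibana_authenticate(forwarded)
    return f"ok:{user}" if user else "kibana:forbidden"


def nginx_location_block(keep_basic_auth):
    """Render a 'location /' block for Kibana in the chosen mode (assumed layout)."""
    lines = [
        "location / {",
        "    proxy_pass http://127.0.0.1:5601;",  # explicit IPv4; 'localhost' may resolve to [::1]
        "    proxy_set_header Host $host;",
    ]
    if keep_basic_auth:
        lines += [
            '    auth_basic "Restricted Access";',
            "    auth_basic_user_file /etc/nginx/htpasswd.kibana;",
            '    proxy_set_header Authorization "";',  # nginx credentials must not reach Kibana
        ]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    logged_in = {"cookie": "sid=sid-123",
                 "authorization": basic_header("proxyuser", "proxy-secret")}
    print(proxy_request(logged_in, nginx_basic_auth=True))                            # kibana:forbidden
    print(proxy_request(logged_in, nginx_basic_auth=True, strip_authorization=True))  # ok:kibana_admin
    print(proxy_request({"cookie": "sid=sid-123"}, nginx_basic_auth=False))           # ok:kibana_admin
    print(nginx_location_block(keep_basic_auth=True))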

Now that elasticsearch security can be used with a free/basic license, I'd like to use ES.
Thanks for your reply.

I just have to work out my other issue with the Encrypting HTTP Client communications section
