Kibana With X-Pack Security behind apache rejects digest authentication


#1

Hello,

I recently installed X-Pack 6.2.4 and am running Kibana behind an Apache reverse proxy using digest authentication. For whatever reason, when X-Pack security and Apache Digest authentication are both enabled, Kibana returns this error:

{"statusCode":400,"error":"Bad Request","message":"Unsupported authentication schema: Digest"}

If I disable the digest auth OR I disable x-pack security, it works. Is there a way to keep this proxy + digest auth intact?

Thanks!


(Joe Fleming) #2

Looks like you could implement Digest authentication by writing a custom realm. Not being a Java developer though, I don't know how involved that is. There's an example linked to from the docs though.

I want to point out the following from the Apache docs though:

This module implements HTTP Digest Authentication (RFC2617), and provides an alternative to mod_auth_basic where the password is not transmitted as cleartext. However, this does not lead to a significant security advantage over basic authentication. On the other hand, the password storage on the server is much less secure with digest authentication than with basic authentication. Therefore, using basic auth and encrypting the whole connection using mod_ssl is a much better alternative.

Food for thought.


#3

Thanks for your response Joe. I am not trying to get Kibana to use digest authentication, but just am using it on Apache. I will bring your point about Apache digest authentication back to my team, but it does seem to be a separate issue.

Just so that I understand what is happening here -

Apache has a digest-authenticated session between the client browser and itself. When it passes the traffic off to Kibana, somewhere in the header the fact that Apache performed Digest authentication is indicated. Because of this, even though Kibana is not using that authentication mechanism at all, Kibana rejects the traffic.

If this is the case, it seems like it may be a bug because it does not seem to actually improve the security provided by the Elastic stack.


(Brandon Kobel) #4

Hey @Emily1, if I understand correctly, you're using Apache in front of Kibana to enforce your own Digest authentication, and it appears that the requests that are being forwarded to Kibana still have the digest authentication header specified on them. You should be able to use RequestHeader unset Authorization in Apache to no longer forward these headers to Kibana, as Kibana doesn't support digest authentication so we're throwing an error when we receive requests with this header.
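
To show the fix above in context, here is an Apache virtual host that does digest authentication itself, strips the client's Authorization header before proxying, and hands the request to Kibana. This is an added example, not configuration from the thread or from Elastic; the hostname, certificate paths, digest file, realm name and the Kibana address 127.0.0.1:5601 are all assumed values. It needs mod_ssl, mod_auth_digest, mod_headers, mod_proxy and mod_proxy_http loaded.

```apache
# Added example (not from the original thread). Assumed values: the
# server name, certificate paths, the htdigest file, the "Kibana" realm
# and Kibana listening on 127.0.0.1:5601.
<VirtualHost *:443>
    ServerName kibana.example.internal

    # Digest auth only hides the password on the wire; TLS is still needed
    # (see the mod_auth_digest note quoted earlier in the thread).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/kibana.crt
    SSLCertificateKeyFile /etc/ssl/private/kibana.key

    <Location "/">
        AuthType Digest
        AuthName "Kibana"
        AuthDigestDomain /
        AuthDigestProvider file
        # created with: htdigest -c /etc/apache2/kibana.htdigest Kibana <user>
        AuthUserFile /etc/apache2/kibana.htdigest
        Require valid-user

        # Drop the browser's "Authorization: Digest ..." header before the
        # request is proxied. Kibana with X-Pack security does not accept
        # the Digest scheme and answers 400 "Unsupported authentication
        # schema: Digest" if it sees it. Without the "early" flag this runs
        # after mod_auth_digest has already verified the credentials, so
        # Apache's own check is unaffected.
        RequestHeader unset Authorization
    </Location>

    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:5601/"
    ProxyPassReverse "/" "http://127.0.0.1:5601/"
</VirtualHost>
```

Two caveats a practitioner would want: do not write `RequestHeader unset Authorization early`, because the early phase runs before authentication and would strip the credentials Apache itself needs to check; and stripping the header does not log anyone into Kibana, so with X-Pack security still enabled users will pass the Apache digest prompt and then see Kibana's own login page, where they authenticate against Elasticsearch with a separate account.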


#5

Thanks Brandon! That did it 🙂
