Kibana, xpack, nginx proxy and authentication

annanicotera · November 30, 2020, 11:28pm

Hello,
We have embedded Kibana dashboards in our application. if xpack security is enabled, we configure a nginx proxy so that the user viewing the dashboards can seamlessly access/view the dashboards without having to be prompted for credentials to login to Kibana. We do that by setting a rule in the proxy similar to this:

    location / {
            proxy_pass http://localhost:5601;
            proxy_set_header Authorization "Basic $cookie_MY_KIBANA_COOKIE";
            # CHANGE host and port
	    proxy_set_header        Accept-Encoding   ""; # no backend compression
            proxy_set_header        X-Forwarded-By    $server_addr:$server_port;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;# $remote_addr;
            proxy_set_header        X-Forwarded-Proto $scheme;
            proxy_set_header Host $server_name:8091;
        }

Now, this can expose a vulnerability because:
"A username was detected either in the request query string or the Set-Cookie header. A username is considered sensitive private information that should be protected. Exposing a username in query strings or cookies can also leave it exposed in server logs, proxy logs, and network traffic inspection tools."

Question:
Aside from using a proxy, how do we allow our application users to be able to view the embedded Kibana dashboards without having to get prompted for Kibana Credentials? I welcome suggestions.

Thanks,
Anna

jportner · December 2, 2020, 7:36pm

It sounds like this configuration is currently working for you. Am I correct in assuming that the content of $cookie_MY_KIBANA_COOKIE is actually a base64-encoded username:password string?

From this quote it sounds like some vulnerability scanner picked this up. This configuration should not result in a cookie being set in the user's browser, and it should not result in the credentials being exposed to end-users.

Perhaps the scanner is picking up a different cookie from your application?

Also, I did notice you are not using SSL on your Kibana server, which I would highly recommend if your Nginx proxy is not running on the same host.

This is a commonly requested feature! Starting in Kibana 7.11, you'll be able to configure your own anonymous access all within in Kibana

annanicotera · December 7, 2020, 10:06pm

Ok thank you for the reply.
And yes the auth header has the base64-encoded string of the kibana credentials.

The issue with the approach of putting the auth in the cookie and set that in the auth header to be sent to Kibana is, if the same user who access the embedded dashboards then, within the same browser, navigates to the kibana URL, then the user is logged in right away.
And that is a security issue.

Any other approaches/recommendations (aside from Kibana 7.11)?

system · January 4, 2021, 10:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.