Protecting endpoints in Kibana with fragment identifier


(dob) #1

Hi,

I am trying to protect certain endpoints in Kibana, specifically dashboards, with Nginx. The problem is that the fragment identifier does not get sent in the request, so everything after /app/kibana is ignored, only allowing basic authentication to /app/kibana.

I want to have an nginx configuration like this:

server {
    listen 8080;

    auth_basic "Protected Kibana for admins";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        return 403;
    }

    location /app/kibana/dashboards/dashboard_name {
        proxy_pass http://localhost:5601;
        proxy_redirect off;
    }
}

but every request ends up returning 403 because everything after /app/kibana is not sent in the request. Any solutions would be really helpful.


(Bryan Vest) #2

I just set one of these up. To access a dashboard through a proxy, you need to allow access to different parts of Kibana, as they all work together to build the dashboard:

upstream eskibana {
    server localhost:5601;
    keepalive 15;
}

server {
    listen 8080;

    auth_basic "Protected Kibana for admins";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        return 403;
    }

    location ~ (/goto|/app/kibana/dashboard|/dashboard|/app/kibana|/status|/plugins|/elasticsearch/|/bundles|/plugins|/api) {
        satisfy any;
        proxy_http_version 1.1;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_pass http://eskibana;
        proxy_redirect off;
        proxy_buffering off;
    }
}

This is not exactly like my setup but a good pointer towards how it should be set up.


(dob) #3

Thanks so much for the quick reply! I'll try this out!

Very interesting though. If you have any more information as to why it needs to be configured like this, I'd greatly appreciate it.


(Bryan Vest) #4

I configured it like this because I use a lot of shared dashboards. A setting similar to this lets the user view dashboards without access to other parts of the Kibana system. There may be other ways to do this, but this is what works for me.

When you access a dashboard there are more parts that need to be accessed through the proxy than just the dashboard. Those would be the items listed in the location section. When you are using a location directly to /app/kibana/dashboards/dashboard_name it will not load some of what it needs. You can probably see this if you watch the web developer console in your browser as the page tries to load.

I see in my location part of the config /plugins is referenced twice; that was just a mistake as I typed the config part. It does not need to be there twice.


(dob) #5

Thanks for the clarification. Testing the config that you posted, it allows access to almost all of Kibana though, because of the |/app/kibana|. I want to restrict users to just one dashboard. Are you able to accomplish that with this method?


(Bryan Vest) #6

Yes, I guess it would allow access to the board if you knew how to get there. I stop that from happening with some other nginx code that is based on the requesting host. Of course my setups are not exact to what yours would be.

I have something I want to test but my Kibana server is optimizing at the moment. When that is complete I will do my rule adjustment test and reply with the results.


(dob) #7

Great! That'd be really helpful.
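
As an added illustration (not code from any poster in this thread), the Python sketch below models what nginx receives for a Kibana URL and which location it selects under the configs from posts #1 and #2. The host name, the `#/...` routes and the helper names are assumptions, and the location matching is simplified (no `=` or `^~` modifiers).

```python
import re
from urllib.parse import urlsplit

def request_target(url):
    """Return the path[?query] a browser puts on the request line.
    The #fragment is kept client-side and never reaches the proxy."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")

def select_location(uri, prefixes, regexes):
    """Simplified nginx location choice: remember the longest matching
    prefix, then let the first matching regex location override it."""
    path = uri.split("?", 1)[0]
    best = max((p for p in prefixes if path.startswith(p)), key=len, default=None)
    for rx in regexes:
        if re.search(rx, path):  # 'location ~' is an unanchored, case-sensitive match
            return rx
    return best

# Location sets as posted in the thread.
POST1_PREFIXES = ["/", "/app/kibana/dashboards/dashboard_name"]
POST2_PREFIXES = ["/"]
POST2_REGEX = (r"(/goto|/app/kibana/dashboard|/dashboard|/app/kibana|/status"
               r"|/plugins|/elasticsearch/|/bundles|/plugins|/api)")

# Constructed sample URLs; the host name and the '#/...' routes are assumptions.
DASHBOARD = "http://kibana.example:8080/app/kibana#/dashboard/dashboard_name"
OTHER = "http://kibana.example:8080/app/kibana#/management"

def demo():
    """For each URL: (url, URI nginx sees, post #1 location, post #2 location)."""
    rows = []
    for url in (DASHBOARD, OTHER):
        uri = request_target(url)
        rows.append((url, uri,
                     select_location(uri, POST1_PREFIXES, []),
                     select_location(uri, POST2_PREFIXES, [POST2_REGEX])))
    return rows

if __name__ == "__main__":
    for url, uri, loc1, loc2 in demo():
        print(f"{url}\n  sent to nginx: {uri}"
              f"\n  post #1 config -> location {loc1}"
              f"\n  post #2 config -> location ~ {loc2[:24]}...")
```

Both URLs reach nginx as the same request URI, so no `location` block can tell the two views apart: the post #1 config falls through to `location /` and its 403, while the post #2 regex admits both.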

