Proxy pass for security always redirects to kibana port?

Elastic Stack Kibana
1

Hello!
I am attempting to set up proxypass of Kibana 5.1 through a same-server Apache service using the standard procedure. While I have this working, it seems that after the initial authentication approval by Apache, kibana always redirects future requests to the specified server.host defined in kibana.yml config but also always seems to append the server.port to the rewritten URL.

Considering the hostname in question is a publicly accessible domain, opening port 5601 for continued access completely defeats the purpose of proxypass for authentication purposes, if kibana can just natively be accessed by the host:port to begin with..

Is there a way around this? A way to prevent kibana from rewriting the domain and port part of the URL? Or is this a limitation of the Kibana proxypass feature right now?

I would be grateful for any advice on proxypass configuration for authentication with kibana, it's a great tool!

2

Hi Jolyon, I brought up your issue with the team and we spitballed a few solutions, but we were a little fuzzy on exactly how you're using SSL. Could you describe your setup in more detail? If you could share your Apache config and your kibana.yml config that would really help a ton.

Thanks,
CJ

3

Hi Cj, thanks for the reply and most excellent question! I never mentioned SSL but, yes I had it enabled in our config file:

server.host: "127.0.0.1"
server.name: "Kibana Ops"
server.ssl.cert: /etc/letsencrypt/live/example.com/cert.pem
server.ssl.key: /etc/letsencrypt/live/example.com/privkey.pem

of course it was also in our htconf, which made this redundant. disabling the kibana SSL certs stopped the redirects with port from happening. Makes sense kibana would force the URL when running its own SSL implementation!

I also learned a few other things securing with the htconfig: when using proxypass, you must place the auth inside a Location section matching the path you are serving for kibana to get a htauth password request; our generic htauth config for Directory / was not being recognized. Here's the config I ended up using:

<VirtualHost *:443>
  ServerAdmin admin@example.com
  ServerName kibana.example.com

  <Location />
    Options FollowSymLinks
    AuthType Basic
    AuthName "Kibanarama!"
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user
    ProxyPass         http://127.0.0.1:5601/
    ProxyPassReverse  http://127.0.0.1:5601/
  </Location>

  DocumentRoot /var/www/html

  SSLEngine on

  SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
  SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>

Now kibana serves fine from external host on its own subdomain, with Apache authentication.

Thanks for the SSL tip off!!
Cheers, Jt

4

Hey, cool! I've learned a lot from this conversation, too, so thanks for posting your original question, and double thanks for posting the follow-up on your solution. :slight_smile:

Take care,
CJ

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.