Secure my ELK - nginx credentials

I was trying to secure my cluster, so I am using X-Pack to define users to each roles. I was trying to embed dashboards in an external web page. The user, when logged in my web page, should be able to see the kibana dashboards that corresponds to each role in the company. I was thinking in using nginx to authenticate my user when getting the kibana dashboards, but I am facing a problem: when I use nginx, accessing the link, a popup of authentication required shows.
There is any way to send those credentials through my web page, without needing that my user type it's credentials?

Thank you,
Francisca Lima

Hey @Francisca_Lima, are you trying to make it so that users which accessing Kibana using Nginx don't have to type a username/password at all and are always logged in as the same user?

Or are you trying to use Nginx to do your own basic authorization, similar to what is described here and then forward that information on to Kibana?

A popup authentication from NGINX or Kibana?

What you probably want is NGINX to pass its credentials from your web app to Kibana right?

If so you need to use the following configuration line in your elasticsearch.yml config file:

elasticsearch.requestHeadersWhitelist: [ es-security-runas-user, authorization ]

Then you should add a user in Kibana, I called mine "nginx"

Create a role for this user, I called mine "nginx" as well. Leave all everything default with no permissions to anything except add the users you want authenticated through NGINX to the "Run As privileges" section.

You need to base 64 encode the username:password for the NGINX account in Kibana.
the one shown below ("bmdpbng6c2VjcmV0cGFzc3dvcmQ=") is base 64 encoding of nginx:secretpassword

$NAME_OF_HEADER_WITH_USER_TO_RUN_AS shown below should be a named header that your application uses to pass the username you want authenticated into Kibana. The username from the web app and Kibana must match exactly, as this is what allows the NGINX user in Kibana to run as another user. This would be a header such as $http_x_forwarded_user.

add these two lines to your nginx config:

proxy_set_header Authorization "Basic bmdpbng6c2VjcmV0cGFzc3dvcmQ=";
proxy_set_header es-security-runas-user $NAME_OF_HEADER_WITH_USER_TO_RUN_AS;

Hope this makes sense..

Check out this blog for more detail:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.