I'm running Kibana 4.5.0 against Elasticsearch 2.3.1 with Shield and am trying to configure multiple Kibana instances on a single URL, to achieve this I was looking at specifying server.basePath within kibana.yml
Can you try deleting the sid cookie in your browser, or loading it in another browser or incognito window and see if you still see that happen? We've encountered a login redirect loop internally in rare cases, but haven't seen anything related to basePath, and I'd like to know if you are seeing what we're seeing or if this is another issue.
I pinged the Shield UI author and he hasn't seen this issue before. We think it's probably a misconfiguration somewhere, just need to figure out where. I don't see anything wrong with your Kibana config though.
What are you using for your proxy, nginx or something? Can you share that configuration as well?
The plan is to run these behind an F5 LTM, but currently I was just targeting the server directly at https://servername:5602/foo to test it out. That should work, right?
If you also had the proxy in place, then it should work. The basePath setting just re-writes the URLs, something still has to serve up the site at that path though.
It sounded like you have the proxy up though, otherwise I'd expect the first request to be a 404, but perhaps I'm wrong. If you don't have a proxy in place, that would actually explain why / redirected to /foo.
Did you have some kind of proxy set up already to redirect kibana.contoso.com/foo to server1.contoso.com/?
Okay, I think I got it figured out. Misconfiguration of the F5 LTM on my side, sorry about that.
I was following this F5 KB for configuring the rewriting on the LTM and it was instructing to do the rewrites on the request and response, which I believe caused the problem since Kibana was performing the rewrites itself. Modifying it to change just the request seems to have made it work.
I was under the impression that specifying a server.basePath simply moved the path in which everything was accessed, so I would simply have to specify it for each instance and then direct traffic based on that context to each server/port rather than perform the rewriting on the requests.
But if I login to kibana.contoso.com/ first and get the cookie, and then proceed to login to kibana.contoso.com/foo/ I get stuck in a redirect loop. Since I now see the cookie at path /, I'm guessing that's causing some type of conflict? Simply deleting the sid cookie from / allows me to login fine.
It's worth mentioning that both Kibana instances have the same shield.encryptionKey value. More of an oversight when creating the second instance, I'm assuming they should be different?
If I change the shield.encryptionKey value on the /foo/ instance, I simply get redirected back to the login page to enter credentials, not stuck in a loop. I can see the request header submitting the cookie from / and getting a response back setting an expired, empty sid cookie on path /foo/
This seems like a separate issue... Could you open a new thread and also explain more of your set-up? Are you using the Shield UI plugin for Kibana? It looks like your Kibana server isn't configured to use SSL, is this correct?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.