Trouble setting up kibana basic authentication

I'm trying to set up a simple elastic stack. I have kibana running and two elasticsearch nodes, which seem to be working fine.
The elasticsearch nodes are set up with basic auth, however, I can't get the kibana part of it working.
Trying to access kibana sends a 401 and refresh header to "0;url=/login?msg=UNAUTHENTICATED&next=%2F" which loads, and immediately (i.e. no UI is shown) sends a 302 to whatever was in the "next" parameter, which, of course, sets the same refresh header, causing a redirect loop.
This is my current kibana.yml


elasticsearch.hosts: ["https://elasticsearchurl:9200"]
elasticsearch.username: elastic
elasticsearch.password: XXXXXXXXXXXXXXXXXXXXX
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]
server.host: 172.16.3.5
logging.dest: /var/log/kibana.log
logging.silent: false
kibana.defaultAppId: discover
xpack.security.authc.http.schemes: [basic]

Setting the basic auth header manually, using curl or something similar works, and doesn't set the refresh header.
Furthermore, since the url to access kibana is re-used from a previous installation, as well as username+password being the same, it actually worked when it was initially set up, since users' basic auth sessions were still active.
What am I missing?

Hi @PeterH32,

Welcome to our community! What version of the stack are you using? What errors are you seeing in the kibana logs?

Also, I found this guide handy for setting up security, check it out and let us know if it works for you:

Thanks,
Liza

Hi Liza

Sorry, I should have included that.
I'm running version 7.14.0 of everything, installed from your apt repository.
The only thing in the logs is:

{"type":"log","@timestamp":"2021-08-26T12:56:10+00:00","tags":["error","plugins","spaces"],"pid":8297,"message":"Unable to navigate to space \"default\". {\"error\":{\"root_cause\":[{\"type\":\"forbidden_response\",\"reason\":\"forbidden\",\"due_to\":\"OPERATION_NOT_ALLOWED\",\"header\":{\"WWW-Authenticate\":\"Basic\"}}],\"type\":\"forbidden_response\",\"reason\":\"forbidden\",\"due_to\":\"OPERATION_NOT_ALLOWED\",\"header\":{\"WWW-Authenticate\":\"Basic\"}},\"status\":401}"}

{"type":"response","@timestamp":"2021-08-26T12:56:15+00:00","tags":[],"pid":8297,"method":"get","statusCode":302,"req":{"url":"/login?msg=UNAUTHENTICATED&next=%2Fapp%2Fhome","method":"get","headers":{"host":"kb-vudutm2jaqvfs.westeurope.cloudapp.azure.com:5601","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-GB,en;q=0.5","accept-encoding":"gzip, deflate","dnt":"1","connection":"keep-alive","upgrade-insecure-requests":"1","pragma":"no-cache","cache-control":"no-cache"},"remoteAddress":"XX.XX.XX.XX","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"},"res":{"statusCode":302,"responseTime":12},"message":"GET /login?msg=UNAUTHENTICATED&next=%2Fapp%2Fhome 302 12ms"}

Which makes sense, since no Authorization header is sent, since kibana doesn't prompt for one.
Also, thank you for the link. I have already spent some time googling and reading docs, though I hadn't found that exact page, I have read (but maybe not understood?) most of the pages it links to.
Thanks
Peter
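
One way to confirm this loop from the log side, as an added example that is not part of the thread and not Elastic's code: it parses lines in the JSON log format quoted above, unwraps the Elasticsearch error embedded in the `message` field, and counts repeated 302 answers on `/login?msg=UNAUTHENTICATED` per client. The sample lines, the `triage` and `embedded_error` names and the threshold of 2 are assumptions made for the example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the Kibana 7.x JSON log format shown in the post
# (fields trimmed; addresses are documentation placeholders).
SAMPLE_LOG = r'''
{"type":"log","tags":["error","plugins","spaces"],"pid":8297,"message":"Unable to navigate to space \"default\". {\"error\":{\"type\":\"forbidden_response\",\"header\":{\"WWW-Authenticate\":\"Basic\"}},\"status\":401}"}
{"type":"response","statusCode":302,"req":{"url":"/login?msg=UNAUTHENTICATED&next=%2Fapp%2Fhome","remoteAddress":"192.0.2.10"}}
{"type":"response","statusCode":302,"req":{"url":"/login?msg=UNAUTHENTICATED&next=%2Fapp%2Fhome","remoteAddress":"192.0.2.10"}}
{"type":"response","statusCode":302,"req":{"url":"/login?msg=UNAUTHENTICATED&next=%2Fapp%2Fhome","remoteAddress":"192.0.2.10"}}
{"type":"response","statusCode":302,"req":{"url":"/login?msg=UNAUTHENTICATED&next=%2F","remoteAddress":"192.0.2.20"}}
{"type":"response","statusCode":200,"req":{"url":"/api/status","remoteAddress":"192.0.2.30"}}
'''

def embedded_error(message):
    """Return the JSON object that follows the free-text prefix of a message, or None."""
    start = message.find("{")
    if start < 0:
        return None
    try:
        return json.loads(message[start:])
    except json.JSONDecodeError:
        return None

def triage(lines, loop_threshold=2):
    """Count upstream 401 errors and /login redirect loops per (client, next target)."""
    upstream_401 = 0
    redirects = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if event.get("type") == "log" and "error" in event.get("tags", []):
            err = embedded_error(event.get("message", ""))
            if err and err.get("status") == 401:
                upstream_401 += 1
        elif event.get("type") == "response" and event.get("statusCode") == 302:
            req = event.get("req", {})
            url = urlsplit(req.get("url", ""))
            query = parse_qs(url.query)  # also percent-decodes the next= target
            if url.path == "/login" and query.get("msg") == ["UNAUTHENTICATED"]:
                redirects[(req.get("remoteAddress"), query.get("next", ["/"])[0])] += 1
    loops = {key: n for key, n in redirects.items() if n >= loop_threshold}
    return {"upstream_401": upstream_401, "login_loops": loops}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```
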

Thanks @PeterH32, I think you are close! The guide I sent is really good, I have used it myself to set up security, I would suggest walking through it and feel free to post both your elasticsearch.yml and kibana.yml and we can take a closer look.

The guide has different security setups:

Minimal Security

Basic Security

Basic Security + HTTPS traffic

Hi Liza

Thank you very much.
I ended up just setting up a reverse proxy, with the basic auth headers hardcoded. Kibana is running on an internal, secured, network, so it was mostly about securing the Elasticsearch endpoints. But I'll definitely bookmark and take a look at those links if we have to set it up again, or move it to a less secure network.

Thanks again for all your help.
Peter