Trying to set up Kibana behind a proxy

I'm trying to set up Kibana through a reverse proxy but am running into:

security_exception Root causes: security_exception: missing authentication credentials for REST request [/_security/user/_has_privileges]

I have a Raspberry Pi with 3 Docker containers running.

Nginx
Elasticsearch
Kibana

Accessing through Kibana works through localhost but my plan is to keep Elasticsearch behind the local intranet and only expose Kibana via my reverse proxy. Here are my configs:

//NGINX
        location ~ ^/kibana(?:/(.*)|$) {
            proxy_pass http://192.168.1.11:5601/$1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

//Kibana.yml
server.host: 0.0.0.0
server.shutdownTimeout: 5s
server.publicBaseUrl: "https://mywebsite.com/kibana"
server.basePath: "/kibana"
server.rewriteBasePath: false
elasticsearch.hosts: ['https://192.168.1.11:9200']

//Elasticsearch.yml
cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["database"]

I'm not super familiar with web hosting so I may be missing something simple. Any assistance would be appreciated.

I added basic authentication at the nginx level and that worked. This makes zero sense. Why do I need to sign in to the server just to access Kibana? Kibana should be the one asking me for login credentials, not my nginx server.


Thanks for sharing what worked for you, @moondc. I found this community guide a little while back while researching another question which may help explain things a bit more.

Thanks for the blog post. I was able to solve my main issue. Here are my configs for others:

Kibana.yml (was mostly autogenerated except for basePath)

server.host: 0.0.0.0
server.shutdownTimeout: 5s
elasticsearch.hosts: ['https://192.168.1.11:9200']
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.serviceAccountToken: <redacted>
elasticsearch.ssl.certificateAuthorities: [/usr/share/kibana/data/ca_1720935840680.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://192.168.1.11:9200'], ca_trusted_fingerprint: <redacted>}]
server.basePath: "/kibana"

Elasticsearch.yml

Autogenerated, nothing to show here

Nginx

        location /kibana {
            proxy_pass http://192.168.1.11:5601/kibana;
            rewrite /kibana\/?(.*)$ /$1 break;
        }

I do not currently have SSL set up for inside my domain.

As a side note, it would've been nice to be able to selectively choose whether to have a basepath based on accessing from internal or external.

For example, I can either configure it to work on http://localhost:5601 or https://mydomain.com/kibana but not both, due to my local setup not using a reverse proxy and therefore the basePath would be wrong. I could've set up a reverse proxy for my local development environment but that's not necessary for my needs.

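The basePath behaviour described in the post above, as an added example that is not part of the original thread or Kibana's own code: a simplified Python model of the path contract between a prefix-stripping reverse proxy and Kibana's `server.basePath` / `server.rewriteBasePath` settings. The function names and the `/bundles/app.js` asset path are hypothetical, and the proxy is modelled only as "strips the prefix or does not".

```python
def proxy_forward(path, prefix, strip):
    """Path the proxy sends upstream, or None if the location does not match.

    Mirrors the first post's regex ^/kibana(?:/(.*)|$): only the prefix itself
    or paths below it are forwarded.
    """
    if path != prefix and not path.startswith(prefix + "/"):
        return None
    if not strip:
        return path
    return path[len(prefix):] or "/"


def kibana_route(path, base_path, rewrite_base_path):
    """Internal route Kibana resolves, or None when the request is rejected."""
    if not base_path or not rewrite_base_path:
        # rewriteBasePath: false -> Kibana expects the proxy to have removed
        # the prefix already and takes the path as it arrives.
        return path
    # rewriteBasePath: true -> Kibana strips the prefix itself and refuses
    # requests that do not carry it.
    if path == base_path or path.startswith(base_path + "/"):
        return path[len(base_path):] or "/"
    return None


def asset_loads(base_path, rewrite_base_path, via_proxy, proxy_strips,
                asset="/bundles/app.js"):  # hypothetical asset path
    """True when a link Kibana generated for `asset` resolves back to it."""
    url = base_path + asset  # Kibana prefixes generated links with basePath
    upstream = proxy_forward(url, base_path, proxy_strips) if via_proxy else url
    return (upstream is not None
            and kibana_route(upstream, base_path, rewrite_base_path) == asset)


if __name__ == "__main__":
    # Constructed scenarios: (label, rewriteBasePath, via_proxy, proxy_strips)
    scenarios = [
        ("thread's nginx setup, via proxy", False, True, True),
        ("same kibana.yml, direct :5601", False, False, False),
        ("rewriteBasePath true, proxy keeps prefix", True, True, False),
        ("rewriteBasePath true, direct :5601", True, False, False),
        ("rewriteBasePath true, proxy strips", True, True, True),
    ]
    for label, rewrite, via_proxy, strips in scenarios:
        ok = asset_loads("/kibana", rewrite, via_proxy, strips)
        print(f"{label:42} -> {'ok' if ok else 'broken'}")
```
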

Most people shouldn't face that issue since they'd ideally have at least two environments for dev and prod.


Thanks for sharing your solution, @moondc. Let us know if you need any further assistance here.