Trying to setup Kibana behind a proxy

I'm trying to setup Kibana through a reverse proxy but am running into

security_exception Root causes: security_exception: missing authentication credentials for REST request [/_security/user/_has_privileges]

I have a raspberry pi with 3 docker containers running.


Accessing through Kibana works through localhost but my plan is to keep Elasticsearch behind the local intranet and only expose Kibana via my reverse proxy. Here are my configs:

        location ~ ^/kibana(?:/(.*)|$) {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
server.shutdownTimeout: 5s
server.publicBaseUrl: ""
server.basePath: "/kibana"
server.rewriteBasePath: false
elasticsearch.hosts: ['']

//Elasticsearch.yml "docker-cluster" true true
  enabled: true
  keystore.path: certs/http.p12
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["database"]

I'm not super familiar with webhosting so I may be missing something simple. Any assistance would be appreciated.

I added basic authentication at the nginx level and that worked. This makes zero sense. Why do I need to sign in to the server just to access kibana? Kibana should be the one asking me for login credentials, not my nginx server.

1 Like

Thanks for sharing what worked for you, @moondc. I found this community guide a little while back while researching another question which may help explain things a bit more.

Thanks for the blogpost. I was able to solve my main issue. Here's my configs for others:

Kibana.yml (was mostly autogenerated except for basePath)
server.shutdownTimeout: 5s
elasticsearch.hosts: ['']
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.serviceAccountToken: <redacted>]
elasticsearch.ssl.certificateAuthorities: [/usr/share/kibana/data/ca_1720935840680.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: [''], ca_trusted_fingerprint: <redacted>]
server.basePath: "/kibana"


Autogenerated, nothing to show here


        location /kibana {
            rewrite /kibana\/?(.*)$ /$1 break;

I do not currently have SSL setup for inside my domain.

As a side note, it would've been nice to be able to selectively choose whether to have a basepath based on accessing from internal or external.

For example I can either configure it to work on http://localhost:5601 or but not both due to my local setup not using a reverse proxy and therefore the basePath would be wrong. I could've setup a reverse proxy for my local development environment but that's not necessary for my needs.

1 Like

Most people shouldn't face that issue since they'd ideally have at least two environments for dev and prod.

1 Like

Thanks for your sharing your solution, @moondc. Let us know if you need any further assistance here.