Unable to redirect to dashboard, visualize or discover when using nginx as reverse proxy for custom realm protected Elasticsearch


(Sumit Monga) #1

Hi All,
I have a use case where there is a custom realm in X-Pack that is used to authenticate and authorize users based on their configuration in a third-party application. This requires sending the request headers Tenant and AccessToken in every request. Nginx is used as a reverse proxy, which will hit the base URL for Kibana, like http://XX.XX.XX.XXX/?Tenant=roy&AccessToken=ce617cf5-7d27-4127-8197-46c98635998d. Then nginx sets the headers in the proxied request, and to achieve authentication on every subsequent request, I am updating the URL of every request by checking if the request doesn't contain the Tenant and AccessToken but its referer does contain them, and then redirecting it to the new URL, which will have these parameters. For example, if the request is like /app/kibana, then it will be redirected to /app/kibana?Tenant=roy&AccessToken=ce617cf5-7d27-4127-8197-46c98635998d. The nginx config used to achieve this is shown below:

location ^~ /ui/ {
    proxy_pass http://XX.XX.XX.XXX:5601;
}

location ^~ /bundles/ {
    proxy_pass http://XX.XX.XX.XXX:5601;
}

location ^~ /plugins/ {
    proxy_pass http://XX.XX.XX.XXX:5601;
}

location ~* ^/(.*) {

    error_log logs/kibana.log debug;

    set $tenant "";
    set $token "";

    set $check "";

    if ($request_uri ~ "^(.*)(?:\?|%3F)Tenant(?:=|%3D)(.*)(?:&|%26)AccessToken(?:=|%3D)([a-zA-Z0-9-]{36})$") {
        set $tenant $2;
        set $token $3;
        set $check "1${check}";
    }

    if ($http_referer ~ "^(.*)(?:\?|%3F)Tenant(?:=|%3D)(.*)(?:&|%26)AccessToken(?:=|%3D)([a-zA-Z0-9-]{36})$") {
        set $tenant $2;
        set $token $3;
        set $check "2${check}";
    }

    if ($check = 2) {
        set $additional ?Tenant=$tenant&AccessToken=$token;
        return 302 $request_uri/$additional;
    }

    add_header Tenant $tenant;
    add_header AccessToken "Bearer ${token}";
    add_header Authorization "Basic ZWxhc3RpYzpjaGFuZ2VtZQ==";

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://XX.XX.XX.XXX:5601;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host http://XX.XX.XX.XXX:5601;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Authorization "Basic ZWxhc3RpYzpjaGFuZ2VtZQ==";
    proxy_set_header Tenant $tenant;
    proxy_set_header AccessToken "Bearer ${token}";
    proxy_pass_request_headers on;

}

However, the URLs for visualisations and dashboards look like http://XX.XX.XX.XXX:5601/app/kibana#/visualize?_g=() and http://XX.XX.XX.XXX:5601/app/kibana#/dashboards?g=() respectively. Since we cannot capture the part of the URI after the #, as suggested here: Hash character rewrite, I am redirected to /app/kibana and cannot move on to see the dashboards or visualisations. The approach taken here is only to make sure that every request originating from the first request will have these params, which can be put into headers when proxying it. Any idea how this can be solved?
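A cookie-based alternative to the query-string and Referer redirect described in the post above, shown as an added example that is not part of the original post or the poster's configuration. It moves Tenant and AccessToken out of the URL on the first request, so the `#/visualize` and `#/dashboards` fragments never need to reach nginx. The cookie names `kbn_tenant` and `kbn_token`, the upstream address `127.0.0.1:5601`, the tenant character set and the Basic credential placeholder are assumptions.

```nginx
# Added example (not the poster's config). Assumed names: cookies kbn_tenant and
# kbn_token, upstream 127.0.0.1:5601, tenant charset [A-Za-z0-9_-].
server {
    listen 80;

    # Entry request: /?Tenant=<name>&AccessToken=<36-char token>
    # ($arg_ lookups are case-insensitive, so these match Tenant/AccessToken.)
    location = / {
        set $ok "";
        if ($arg_tenant ~ "^[A-Za-z0-9_-]+$")        { set $ok "t"; }
        if ($arg_accesstoken ~ "^[a-zA-Z0-9-]{36}$") { set $ok "${ok}k"; }
        if ($ok != "tk") { return 400; }

        # Move both values out of the URL into cookies, then land on a clean URL.
        # Add "; Secure" once the proxy is served over TLS.
        add_header Set-Cookie "kbn_tenant=$arg_tenant; Path=/; HttpOnly; SameSite=Lax";
        add_header Set-Cookie "kbn_token=$arg_accesstoken; Path=/; HttpOnly; SameSite=Lax";
        return 302 /app/kibana;
    }

    # Everything else, including /app/kibana, /bundles/, /plugins/, /ui/ and XHR calls.
    # The browser keeps "#/visualize?..." and "#/dashboards?..." to itself and
    # attaches the cookies on its own, so no per-request redirect is needed.
    location / {
        if ($cookie_kbn_token !~ "^[a-zA-Z0-9-]{36}$") { return 401; }

        # Request headers for the custom realm. No add_header here: that would
        # send the values back to the browser as response headers.
        proxy_set_header Tenant        $cookie_kbn_tenant;
        proxy_set_header AccessToken   "Bearer $cookie_kbn_token";
        proxy_set_header Authorization "Basic BASE64_PLACEHOLDER";  # placeholder value

        proxy_set_header Host             $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:5601;
    }
}
```

The token still appears once in the entry URL, so that first request is written to the access log unless the log format omits the query string.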


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.