Hi again plusque,
I would say your Elasticsearch and Kibana configuration seems correct. One solution/workaround that worked for me when I tried a setup to simulate yours is to add a proxy in front of Kibana as well, and have that proxy enforce the same authentication as the one you have in front of Elasticsearch - same realm and same username/password to allow access.
What this does is get the browser to pop up the Basic authentication dialog for the first full-page request of Kibana. The user will enter a username and password for this first request to get access, and after that, the browser will send the Authorization header for every request from there.
The situation that happens if you have the proxy and authentication wall in front of just Elasticsearch and not Kibana, is that the Basic authentication dialog only pops up for the AJAX requests made, and browsers will not send the Authorization header for every subsequent request when it's just AJAX requests that prompt the authentication popup. Getting the auth popup to happen for the first full-page load fixes it.
I'll share my config with you:
elasticsearch.yml:
xpack.security.enabled: false
xpack.graph.enabled: false
xpack.watcher.enabled: false
kibana.yml:
xpack.security.enabled: false
xpack.graph.enabled: false
xpack.reporting.enabled: false
elasticsearch.url: "http://localhost:9229" # connects to the proxy in front of elasticsearch
elasticsearch.username: "tim"
elasticsearch.password: "password-for-proxy-in-front-of-elasticsearch"
server.host: "tim-virtual-machine.local"
I didn't set up an Apache that uses ldap-auth to proxy the Elastic stack, but here are the important pieces of an nginx.conf that worked for me. It just uses Basic authentication and hopefully it's easy enough to follow:
http {
    # proxy elasticsearch
    server {
        listen 9229; # match elasticsearch.url port in kibana.yml
        auth_basic "Protected Elasticsearch";
        auth_basic_user_file passwords;
        access_log logs/proxy.access-es.log main;
        location / {
            proxy_pass http://localhost:9200;
        }
    }
    # proxy kibana
    server {
        listen 5665; # browser will connect to the kibana server via this port
        auth_basic "Protected Kibana";
        auth_basic_user_file passwords; # same passwords file needed as elasticsearch
        access_log logs/proxy.access-kbn.log main;
        location / {
            proxy_pass http://tim-virtual-machine.local:5601; # match server.host in kibana.yml
        }
    }
}
Now when I navigate to http://tim-virtual-machine.local:5665 (Note: you should probably have SSL enabled) I get the basic auth popup before being able to see anything else in the UI. That is the key - the auth has to pop up on the first request for a full page, not after an AJAX call.
If you see the site navigation on the side, and other UI elements such as a welcome screen, then the auth popup triggered because of an AJAX call. That would mean only the proxy to Elasticsearch is asking for the password. If this happens, the browser won't send the authentication header with every request.
You need the proxy in front of Kibana to ask for the password.
Then after logging in, you'll be able to access all the parts of the UI, including Monitoring.
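Following up on the SSL note in the post: Basic authentication puts the username and password (base64-encoded, not encrypted) in the Authorization header of every request, so the browser-facing Kibana proxy is the hop that most needs TLS. The fragment below is an added example, not part of the original post; the certificate paths are placeholders, and binding the Elasticsearch proxy to loopback assumes Kibana and nginx share a host, as elasticsearch.url: "http://localhost:9229" in the kibana.yml above implies.

```nginx
# Added example, not from the original post. Certificate paths are placeholders.
http {
    # Elasticsearch proxy: in this setup only Kibana connects to it
    # (elasticsearch.url: "http://localhost:9229"), so listen on loopback only.
    # Assumption: Kibana and this nginx run on the same host.
    server {
        listen 127.0.0.1:9229;
        auth_basic "Protected Elasticsearch";
        auth_basic_user_file passwords;
        access_log logs/proxy.access-es.log main;
        location / {
            proxy_pass http://localhost:9200;
        }
    }

    # Kibana proxy: the browser-facing hop, served over TLS so the Basic
    # credentials sent with every request are not readable on the wire.
    server {
        listen 5665 ssl;
        server_name tim-virtual-machine.local;

        ssl_certificate     /path/to/placeholder-fullchain.pem;
        ssl_certificate_key /path/to/placeholder-privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # nginx raises 497 when plain HTTP arrives on an ssl port; send the
        # browser to the https:// URL instead of showing a 400 error page.
        error_page 497 https://$host:$server_port$request_uri;

        auth_basic "Protected Kibana";
        auth_basic_user_file passwords; # same passwords file as the Elasticsearch proxy
        access_log logs/proxy.access-kbn.log main;
        location / {
            proxy_pass http://tim-virtual-machine.local:5601;
        }
    }
}
```

With this in place the browser URL becomes https://tim-virtual-machine.local:5665, and the auth popup still appears on the first full-page request.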