302 errors, stuck in a loop of some sort

Search Guard
1

I’m using the same working images for elasticsearch/kibana/searchguard/jwtparams and can’t access kibana front end, both services seem to be running but it has some sort of routing issue

{"type":"log","@timestamp":"2019-09-10T09:38:23Z","tags":["status","plugin:console@6.5.4","info"],"pid":1,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2019-09-10T09:38:23Z","tags":["status","plugin:metrics@6.5.4","info"],"pid":1,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2019-09-10T09:38:23Z","tags":["status","plugin:elasticsearch@6.5.4","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2019-09-10T09:38:23Z","tags":["info","Sentinl","init"],"pid":1,"message":"initializing ..."}
{"type":"log","@timestamp":"2019-09-10T09:38:24Z","tags":["info","Sentinl","init"],"pid":1,"message":"Chrome bin found at: /usr/share/kibana/plugins/sentinl/node_modules/puppeteer/.local-chromium/linux-609904/chrome-linux/chrome"}
{"type":"log","@timestamp":"2019-09-10T09:38:24Z","tags":["info","Sentinl","init_indices"],"pid":1,"message":"checking watcher_alarms-2019.09.10 index ..."}
{"type":"log","@timestamp":"2019-09-10T09:38:24Z","tags":["listening","info"],"pid":1,"message":"Server running at http://0.0.0.0:5601"}
{"type":"response","@timestamp":"2019-09-10T09:38:53Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-request-id":"596c4f635268062233292941ef1fb948","x-real-ip":"10.0.102.194","x-forwarded-for":"10.0.102.194","x-forwarded-host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-original-uri":"/foo/kibana","x-scheme":"https","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 OPR/63.0.3368.66","sec-fetch-mode":"navigate","sec-fetch-user":"?1","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","sec-fetch-site":"none","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"10.0.102.66","userAgent":"10.0.102.66"},"res":{"statusCode":302,"responseTime":16,"contentLength":9},"message":"GET / 302 16ms - 9.0B"}
{"type":"response","@timestamp":"2019-09-10T09:38:53Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"//login?nextUrl=%2F","method":"get","headers":{"host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-request-id":"8ff43b4b6e90bf16168fb5106b16c809","x-real-ip":"10.0.102.194","x-forwarded-for":"10.0.102.194","x-forwarded-host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-original-uri":"/foo/kibana/login?nextUrl=%2F","x-scheme":"https","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 OPR/63.0.3368.66","sec-fetch-mode":"navigate","sec-fetch-user":"?1","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","sec-fetch-site":"none","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"10.0.102.66","userAgent":"10.0.102.66"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET //login?nextUrl=%2F 302 2ms - 9.0B"}
{"type":"response","@timestamp":"2019-09-10T09:38:54Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"//login?nextUrl=%2F%2Flogin%3FnextUrl%3D%252F","method":"get","headers":{"host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-request-id":"b8a4a89ce095627fca8bd74a6d98f699","x-real-ip":"10.0.102.194","x-forwarded-for":"10.0.102.194","x-forwarded-host":"a504a8b40c89511e9afc00a6dba3af0d-1018407050.eu-central-1.elb.amazonaws.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-original-uri":"/foo/kibana/login?nextUrl=%2F%2Flogin%3FnextUrl%3D%252F","x-scheme":"https","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 OPR/63.0.3368.66","sec-fetch-mode":"navigate","sec-fetch-user":"?1","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","sec-fetch-site":"none","accept-encoding":"gzip, deflate, br","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"10.0.102.66","userAgent":"10.0.102.66"},"res":{"statusCode":302,"responseTime":1,"contentLength":9},"message":"GET //login?nextUrl=%2F%2Flogin%3FnextUrl%3D%252F 302 1ms - 9.0B"}

here is my kibana.yaml

# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: 0.0.0.0
elasticsearch.url: http://foo-elasticsearch-loadbalancer:9200

#server.port: "80"
#server.host: foo-elasticsearch-loadbalancer
elasticsearch.ssl.certificateAuthorities: /root-ca.pem
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]

server.ssl.enabled: false
server.ssl.key: /kirk-key.pem
server.ssl.certificate: /kirk.pem

searchguard.basicauth.enabled: true
searchguard.jwt.enabled: true
searchguard.auth.type: "basicauth"
# xpack.security.enabled: false
# If the token is not passed as HTTP header, but as request parameter,
# configure the parameter name here
searchguard.jwt.url_param: jwtparam
searchguard.cookie.secure: true
#logging.verbose: true
#server.defaultRoute: ""
server.basePath: /foo/kibana
server.rewriteBasePath: false

#xpack.security.enabled: false
#xpack.security.secureCookies: true

sentinl:
  settings:
    email:
      active: true
      host: 'smtp.gmail.com'
      user: 'no-reply@gotbot.co.za'
      password: '<secretly secret secret>'
      port: 465
      # domain: 'gmail.com'
      ssl: true
      # tls: true
      # authentication: ['PLAIN', 'LOGIN', 'CRAM-MD5', 'XOAUTH2']
      # timeout: 10000  # mail server connection timeout
      # cert:
        # key: '/full/sys/path/to/key/file'
        # cert: '/full/sys/path/to/cert/file'
        # ca: '/full/sys/path/to/ca/file'
    report:
      active: true
      engine: puppeteer
3

Hi @rosslutsch,

First of all, unfortunately you can only have one authentication type active on the Kibana side.
searchguard.basicauth.enabled and searchguard.jwt.enabled have been deprecated. Instead, you should only use searchguard.auth.type.

The redirect loop you’re seeing is probably caused by the combination of using a basePath and having rewriteBasePath: false.
Do you need those settings like that?

Not knowing much about your setup, maybe the configuration documentation here helps?

Best Regards
Mike

4

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.