I cannot make proxy work

Hi,

I am using elasticsearch 5.1.2 and searchguard 5.1.2

I can successfully use http basic auth with

curl -GET 'http://admin:admin@127.0.0.1:9200/_searchguard/authinfo?pretty=true' -v -H "x-proxy-user: kirk" -H "x-forwarded-for: 127.0.0.1"

*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'admin'
> GET /_searchguard/authinfo?pretty=true HTTP/1.1
> Host: 127.0.0.1:9200
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.47.0
> Accept: */*
> x-proxy-user: kirk
> x-forwarded-for: 127.0.0.1
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 215
<
{
  "user" : "User [name=admin, roles=]",
  "remote_address" : "127.0.0.1:50588",
  "sg_roles" : [
    "sg_all_access",
    "sg_own_index",
    "sg_public"
  ],
  "principal" : null,
  "peer_certificates" : "0"
}
* Connection #0 to host 127.0.0.1 left intact

Here is my sg_config.yml:

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        trustedProxies: ".*"
        internalProxies: ".*"
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
    authc:
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop

Problem 1:

When attempting to curl as if I am using a proxy I get:

curl -GET 'http://127.0.0.1:9200/_searchguard/authinfo?pretty=true' -v -H "x-proxy-user: admin" -H "x-forwarded-for: 127.0.0.1"

*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
> GET /_searchguard/authinfo?pretty=true HTTP/1.1
> Host: 127.0.0.1:9200
> User-Agent: curl/7.47.0
> Accept: */*
> x-proxy-user: admin
> x-forwarded-for: 127.0.0.1
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Search Guard"
< content-type: text/plain; charset=UTF-8
< content-length: 12
<
* Connection #0 to host 127.0.0.1 left intact

Problem 2:

I have added the auditlog to /usr/share/elasticsearch/plugins/search-guard-5 according to these instructions: https://github.com/floragunncom/search-guard-module-auditlog/wiki

and I've added to my elasticsearch.yml in /etc/elasticsearch/ these configurations:

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.audit.type: debug
#searchguard.audit.config.disabled_categories: AUTHENTICATED, SG_INDEX_ATTEMPT
searchguard.authcz.admin_dn:
  - cn=admin,ou=Test,ou=ou,dc=company,dc=com
  - cn=smith,ou=IT,ou=IT,dc=company,dc=com

However, I get no DEBUG logs for searchguard in /var/log/elasticsearch/elasticsearch.log.

Thanks for your time,

Brad

I figured out what I was doing wrong.

I neglected to use sgadmin.sh again after changing sg_config.yml.

Now I successfully get:

curl -GET 'http://127.0.0.1:9200/_searchguard/authinfo?pretty=true' -v -H "x-proxy-user: kirk" -H "x-forwarded-for: 127.0.0.1"

*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
> GET /_searchguard/authinfo?pretty=true HTTP/1.1
> Host: 127.0.0.1:9200
> User-Agent: curl/7.47.0
> Accept: */*
> x-proxy-user: kirk
> x-forwarded-for: 127.0.0.1
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 193
<
{
  "user" : "User [name=kirk, roles=]",
  "remote_address" : "127.0.0.1:53004",
  "sg_roles" : [
    "sg_own_index",
    "sg_public"
  ],
  "principal" : null,
  "peer_certificates" : "0"
}
* Connection #0 to host 127.0.0.1 left intact
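The thread's sg_config.yml shows the two things worth checking when proxy authentication "does not work": the file only takes effect once it has been uploaded to the searchguard index with sgadmin.sh (the fix found above), and the xff section decides which source addresses are allowed to assert a user identity at all. With both trustedProxies and internalProxies set to ".*", every client that can reach port 9200 directly is treated as a trusted reverse proxy, so the x-proxy-user header is honoured no matter who sent it. The following is an added example, not Search Guard's own code: a small linter that parses the nested key/value subset of YAML that sg_config.yml uses and flags that pattern, plus a simplified model (an assumption, not a copy of Search Guard's implementation) of matching the client's source address against internalProxies and of reading user and comma-separated roles from the configured headers. The narrowed sample config and its proxy address 10.0.0.5 are constructed for the example.

```python
"""Added example (not Search Guard's code): lint the proxy-auth / XFF section of
a Search Guard 5 sg_config.yml and model which clients may assert an identity."""
import re

# Constructed sample: the thread's sg_config.yml with its indentation restored.
THREAD_CONFIG = """\
searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        trustedProxies: ".*"
        internalProxies: ".*"
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
    authc:
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
"""

# Constructed sample: same config, but only a hypothetical reverse proxy at
# 10.0.0.5 is allowed to assert identities.
NARROWED_CONFIG = (THREAD_CONFIG
                   .replace('trustedProxies: ".*"', r'trustedProxies: "10\.0\.0\.5"')
                   .replace('internalProxies: ".*"', r'internalProxies: "10\.0\.0\.5"'))

# Regexes that accept any source address, i.e. make every client a trusted proxy.
OVERLY_BROAD = {".*", ".+", "^.*$", "^.+$"}


def parse_simple_yaml(text):
    """Parse the nested 'key: value' mapping subset of YAML (indentation gives
    nesting; no lists, anchors or multi-line scalars). Enough for sg_config.yml."""
    root = {}
    stack = [(-1, root)]                      # (indent of the key, its mapping)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        while indent <= stack[-1][0]:         # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # mapping header such as 'xff:'
            parent[key] = {}
            stack.append((indent, parent[key]))
        elif value.lower() in ("true", "false"):
            parent[key] = value.lower() == "true"
        elif value.isdigit():
            parent[key] = int(value)
        else:
            parent[key] = value
    return root


def proxy_domains(cfg):
    """Return {name: domain} for every authc domain whose authenticator is 'proxy'."""
    authc = cfg.get("searchguard", {}).get("dynamic", {}).get("authc", {})
    return {n: d for n, d in authc.items()
            if isinstance(d, dict) and d.get("http_authenticator", {}).get("type") == "proxy"}


def lint_proxy_auth(cfg):
    """Return a list of findings about the proxy authenticator + XFF setup."""
    findings = []
    domains = proxy_domains(cfg)
    if not domains:
        return findings
    xff = cfg["searchguard"]["dynamic"].get("http", {}).get("xff", {})
    if not xff.get("enabled", False):
        findings.append("xff.enabled is false; forwarded headers are ignored")
    for key in ("internalProxies", "trustedProxies"):
        pat = xff.get(key)
        if pat is None:
            findings.append(f"xff.{key} is not set")
        elif pat in OVERLY_BROAD:
            findings.append(f"xff.{key} = {pat!r} matches every address, so a client "
                            "reaching the node directly can set the user header itself")
    for name, d in domains.items():
        if not d.get("enabled", False):
            findings.append(f"authc.{name} is disabled")
        if not d["http_authenticator"].get("config", {}).get("user_header"):
            findings.append(f"authc.{name} has no user_header configured")
    return findings


def remote_is_internal_proxy(cfg, remote_addr):
    """Simplified model (assumption): the client's source address must fully match
    the internalProxies regex before its forwarded headers are believed."""
    xff = cfg["searchguard"]["dynamic"]["http"]["xff"]
    return bool(re.fullmatch(xff["internalProxies"], remote_addr))


def identity_from_headers(cfg, headers):
    """Read (user, roles) from the configured headers the way a proxy authenticator
    would; roles are comma separated; header names compare case-insensitively.
    Returns None when the user header is absent."""
    domain = next(iter(proxy_domains(cfg).values()))
    conf = domain["http_authenticator"]["config"]
    lower = {k.lower(): v for k, v in headers.items()}
    user = lower.get(conf["user_header"].lower())
    if not user:
        return None
    raw_roles = lower.get(conf.get("roles_header", "").lower(), "")
    return user, [r.strip() for r in raw_roles.split(",") if r.strip()]


if __name__ == "__main__":
    for label, text in (("thread", THREAD_CONFIG), ("narrowed", NARROWED_CONFIG)):
        cfg = parse_simple_yaml(text)
        print(f"[{label}] findings: {lint_proxy_auth(cfg) or 'none'}")
        for addr in ("127.0.0.1", "10.0.0.5"):
            print(f"  {addr} treated as internal proxy: {remote_is_internal_proxy(cfg, addr)}")
    print(identity_from_headers(cfg, {"X-Proxy-User": "kirk", "x-proxy-roles": "ops, dev"}))
```

Run against the thread's config the linter reports both proxy patterns as over-broad and treats the local curl client (127.0.0.1) as an internal proxy, which is exactly why the header-only request succeeded once the config was loaded; with the narrowed patterns only the proxy address passes and direct clients fall through to the other authenticators.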
On Friday, January 20, 2017 at 11:17:46 AM UTC-5, Brad Harris wrote: