Please see the attached
elasticsearch-default.log (24.3 KB)
elasticsearch.yml (1.33 KB)
sg_config.yml (794 Bytes)
On Thursday, February 1, 2018 at 5:37:13 PM UTC-5, Search Guard wrote:
pls provide your sg_config.yml, elasticsearch.yml and the logs (as files/attachments)
On 01.02.2018 at 23:04, Kalada kalada...@t1cg.com wrote:
Thank you, https wasn't enabled. Please see below:
- Rebuilt URL to: http://elasticsearch:9200/
- Trying 172.22.0.3…
- TCP_NODELAY set
- Connected to elasticsearch (172.22.0.3) port 9200 (#0)
GET / HTTP/1.1
Host: elasticsearch:9200
User-Agent: curl/7.57.0
Accept: */*
x-proxy-user: myuser
x-proxy-roles: myrole
x-forwarded-for: 127.0.0.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Search Guard"
< content-type: text/plain; charset=UTF-8
< content-length: 12
<
- Connection #0 to host elasticsearch left intact
On Thursday, February 1, 2018 at 4:41:37 PM UTC-5, Search Guard wrote:
Have you https enabled? If not, it's
curl -sS http://elasticsearch:9200 -v -H "x-proxy-user: myuser" -H "x-proxy-roles: myrole" -H "x-forwarded-for: 127.0.0.1"
otherwise your curl library seems messed up. Make sure it's compiled against a recent openssl version.
curl --version
On 01.02.2018 at 22:27, Kalada kalada...@t1cg.com wrote:
These are the messages I received
- Rebuilt URL to: https://elasticsearch:9200/
- Trying 172.22.0.3…
- TCP_NODELAY set
- Connected to elasticsearch (172.22.0.3) port 9200 (#0)
- ALPN, offering http/1.1
- successfully set certificate verify locations:
- CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
- TLSv1.2 (OUT), TLS handshake, Client hello (1):
- error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
- Closing connection 0
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
On Thursday, February 1, 2018 at 3:42:22 PM UTC-5, Search Guard wrote:
Can you test it via curl or postman (without kibana) like
curl -sSk https://elasticsearch:9200 -v -H "x-proxy-user: myuser" -H "x-proxy-roles: myrole" -H "x-forwarded-for: 127.0.0.1"
On 31.01.2018 at 22:36, Kalada kalada...@t1cg.com wrote:
internalProxies: '.*' is the current setting. The headers appear to be valid; please see an example below.
kibana_1 | {"type":"response","@timestamp":"2018-01-31T20:14:37Z","tags":,"pid":21,"method":"post","statusCode":200,
"req":{"url":"/elasticsearch/_msearch","method":"post","headers":{"es-security-runas-user":"USERNAME","x-proxy-user":"USENAME","host":
"kibana:5601","connection":"close","content-length":"732","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ADDRESS Safari/537.36","accept":"application/json, text/plain, */*",
"accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","content-type":"application/x-ndjson",
"kbn-version":"6.1.1","origin":"http://localhost:4180","referer":"http://localhost:4180/app/kibana",
"x-forwarded-email":"EMAIL","x-forwarded-for":"172.19.0.1","x-forwarded-user":"USERNAME"},
"remoteAddress":"172.19.0.3","userAgent":"172.19.0.3","referer":"http://localhost:4180/app/kibana"},
"res":{"statusCode":200,"responseTime":18,"contentLength":9},"message":"POST /elasticsearch/_msearch 200 18ms - 9.0B"}
On Wednesday, January 31, 2018 at 4:05:14 PM UTC-5, Search Guard wrote:
"xff not done" means typically that none of your configured internal proxies match and/or the X-Forwarded-For header is not present.
You can test it by simply allowing all internal proxies
internalProxies: '.*'
and make sure your request contains a valid X-Forwarded-For header like described here https://en.wikipedia.org/wiki/X-Forwarded-For
On 31.01.2018 at 19:35, Kalada kalada...@t1cg.com wrote:
Hi Jochen,
Playing with the setting I noticed this message now
[2018-01-31T18:31:55,847][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from proxy http authenticator
[2018-01-31T18:31:55,847][DEBUG][c.f.s.a.BackendRegistry ] 'ElasticsearchSecurityException[xff not done]' extracting credentials from proxy http authenticator
org.elasticsearch.ElasticsearchSecurityException: xff not done
at com.floragunn.searchguard.http.HTTPProxyAuthenticator.extractCredentials(HTTPProxyAuthenticator.java:49) ~[search-guard-6-6.1.1-20.1.jar:6.1.1-20.1]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:380) [search-guard-6-6.1.1-20.1.jar:6.1.1-20.1]
at com.floragunn.searchguard.filter.SearchGuardRestFilter.checkAndAuthenticateRequest(SearchGuardRestFilter.java:122) [search-guard-6-6.1.1-20.1.jar:6.1.1-20.1]
at com.floragunn.searchguard.filter.SearchGuardRestFilter.access$000(SearchGuardRestFilter.java:47) [search-guard-6-6.1.1-20.1.jar:6.1.1-20.1]
at com.floragunn.searchguard.filter.SearchGuardRestFilter$1.handleRequest(SearchGuardRestFilter.java:74) [search-guard-6-6.1.1-20.1.jar:6.1.1-20.1]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:240) [elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:336) [elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:174) [elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:497) [transport-netty4-client-6.1.1.jar:6.1.1]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:80) [transport-netty4-client-6.1.1.jar:6.1.1]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:68) [transport-netty4-client-6.1.1.jar:6.1.1]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at org.elasticsearch.http.netty4.cors.Netty4CorsHandler.channelRead(Netty4CorsHandler.java:76) [transport-netty4-client-6.1.1.jar:6.1.1]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) [netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:284) [netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.
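
Added example, not part of the original thread and not Search Guard code: a simplified Python model of the two conditions the reply about "xff not done" names (an internalProxies pattern that matches the connecting address, and a present X-Forwarded-For header), plus a check of whether a pattern also accepts unrelated senders. The address 172.22.0.4, the probe addresses and all function names are assumptions, and Python's `re.fullmatch` stands in for the plugin's regex match on the whole address.

```python
import re

# Constructed probe addresses from documentation ranges; none is a real proxy.
UNRELATED_PROBES = ("192.0.2.10", "198.51.100.7", "203.0.113.99")

# Headers from the curl test in the thread.
CURL_HEADERS = {
    "x-proxy-user": "myuser",
    "x-proxy-roles": "myrole",
    "x-forwarded-for": "127.0.0.1",
}


def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def xff_preconditions(internal_proxies, remote_addr, headers):
    """List which of the two conditions from the reply are not met."""
    problems = []
    if re.fullmatch(internal_proxies, remote_addr) is None:
        problems.append("remote address %s does not match internalProxies" % remote_addr)
    if not header(headers, "x-forwarded-for"):
        problems.append("X-Forwarded-For header missing or empty")
    return problems


def matches_unrelated_senders(internal_proxies):
    """True when the pattern also accepts addresses that are not the proxy."""
    return any(re.fullmatch(internal_proxies, ip) for ip in UNRELATED_PROBES)


if __name__ == "__main__":
    proxy_addr = "172.22.0.4"  # assumed address of the proxy as the node sees it
    for pattern in (".*", r"172\.22\.0\.4", r"10\.0\.0\.1"):
        print(pattern,
              xff_preconditions(pattern, proxy_addr, CURL_HEADERS),
              "matches unrelated senders:", matches_unrelated_senders(pattern))
```

A pattern such as `.*` treats every sender as an internal proxy, which suits the test suggested in the reply; a pattern limited to the proxy's own address passes the same check without accepting the probe addresses.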