Proxy Authentication for Kibana requires Basic Authentication header

I’m trying to setup Proxy Authentication in Search Guard.
The _authinfo API doesn’t return the user information. It returns Unauthorized.

curl -k -H “x-forwarded-for: 127.0.0.1” -H “x-proxy-user: admin” -H “x-proxy-roles: admin” -XGET “https://localhost:9200/_searchguard/authinfo?pretty”

Elasticsearch: 7.2
Search Guard: 35.0.0

sg_config.yml (2.0 KB)

Elasticsearch Logs after enable TRACE log level.

[2019-07-22T04:33:09,657][TRACE][c.f.s.h.XFFResolver ] [10.49.112.166]resolve /127.0.0.1:53958
[2019-07-22T04:33:09,657][TRACE][c.f.s.h.RemoteIpDetector ] [10.49.112.166]originalRemoteAddr 127.0.0.1
[2019-07-22T04:33:09,657][TRACE][c.f.s.h.RemoteIpDetector ] [10.49.112.166]concatRemoteIpHeaderValue 127.0.0.1
[2019-07-22T04:33:09,657][TRACE][c.f.s.h.RemoteIpDetector ] [10.49.112.166]Incoming request /_searchguard/authinfo?pretty with originalRemoteAddr ‘127.0.0.1’, originalRemoteHost=‘localhost’, will be seen as newRemoteAddr='127.0.0.1
[2019-07-22T04:33:09,657][TRACE][c.f.s.h.XFFResolver ] [10.49.112.166]xff resolved localhost/127.0.0.1:53958 to /127.0.0.1:53958
[2019-07-22T04:33:09,657][TRACE][c.f.s.a.BackendRegistry ] [10.49.112.166]Rest authentication request from 127.0.0.1:53958 [original: localhost/127.0.0.1:53958]
[2019-07-22T04:33:09,657][DEBUG][c.f.s.a.BackendRegistry ] [10.49.112.166]Check authdomain for rest internal/1 or 3 in total
[2019-07-22T04:33:09,657][TRACE][c.f.s.a.BackendRegistry ] [10.49.112.166]Try to extract auth creds from basic http authenticator
[2019-07-22T04:33:09,658][TRACE][c.f.s.a.i.AuditLogImpl ] [10.49.112.166]Check for REST category:FAILED_LOGIN, effectiveUser:, request:/_searchguard/authinfo
[2019-07-22T04:33:09,658][TRACE][c.f.s.a.r.AuditMessageRouter] [10.49.112.166]will store on sink InternalESSink asynchronously
[2019-07-22T04:33:09,658][TRACE][c.f.s.a.BackendRegistry ] [10.49.112.166]No ‘Authorization’ header, send 401 and ‘WWW-Authenticate Basic’
[2019-07-22T04:33:09,687][TRACE][c.f.s.a.r.AsyncStoragePool] [10.49.112.166]stored on delegate InternalESSink asynchronously

In Kibana.yml, I also added requestHeadersWhitelist.

elasticsearch.requestHeadersWhitelist:

• authorization
• sgtenant
• x-proxy-user
• x-proxy-roles

In the basic_internal_auth_domain of your sg_config you have set the challenge flag to true:

  basic_internal_auth_domain: 
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: internal

This means SG will ask (“challenge”) the browser to provide Basic Auth credentials if none are present in the request.

You can either set the challenge flag to false, or change the order of the authentication domains so the proxy authenticator comes before the Basic Auth domain.

Thanks. I can get the user information by passing the headers.

Do I need to configure things in Kibana.yml?
Follow this document right? Kibana Proxy Authentication | Security for Elasticsearch | Search Guard

Yes. Enable proxy auth like:

searchguard.auth.type: "proxy"

and whitelist your proxy headers like:

elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]

And of course make sure your Kibana server user is configured:

# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

@jkressin I still got the dialog.

My config in Kibana.yml

searchguard.auth.type: “proxycache”

The Kibana log also have the headers.

{“type”:“response”,“@timestamp”:“2019-07-24T07:42:25Z”,“tags”:,“pid”:10177,“method”:“get”,“statusCode”:302,“req”:{“url”:“/”,“method”:“get”,“headers”:{“x-proxy-user”:“8015996”,“x-proxy-roles”:“kibanauser,a202667”,“host”:“localhost:5601”,“connection”:“close”,“x-forwarded-for”:“159.220.76.4”,“x-forwarded-proto”:“http”,“x-forwarded-port”:“80”,“x-amzn-trace-id”:“Root=1-5d380be1-4e0d70942bf2fc98d2f02aa0”,“pragma”:“no-cache”,“cache-control”:“no-cache”,“upgrade-insecure-requests”:“1”,“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36”,“accept”:“text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3”,“accept-encoding”:“gzip, deflate”,“accept-language”:“en-GB,en;q=0.9,en-US;q=0.8,th;q=0.7”},“remoteAddress”:“127.0.0.1”,“userAgent”:“127.0.0.1”},“res”:{“statusCode”:302,“responseTime”:2,“contentLength”:9},“message”:“GET / 302 2ms - 9.0B”}

{“type”:“response”,“@timestamp”:“2019-07-24T07:42:25Z”,“tags”:,“pid”:10177,“method”:“get”,“statusCode”:401,“req”:{“url”:“/app/kibana”,“method”:“get”,“headers”:{“x-forwarded-for”:“10.49.112.166”,“x-proxy-user”:“8015996”,“x-proxy-roles”:“kibanauser,a202667”,“host”:“localhost:5601”,“connection”:“close”,“x-forwarded-proto”:“http”,“x-forwarded-port”:“80”,“x-amzn-trace-id”:“Root=1-5d380be1-8ece69a47bb70b00d1da6c24”,“pragma”:“no-cache”,“cache-control”:“no-cache”,“upgrade-insecure-requests”:“1”,“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36”,“accept”:“text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3”,“accept-encoding”:“gzip, deflate”,“accept-language”:“en-GB,en;q=0.9,en-US;q=0.8,th;q=0.7”},“remoteAddress”:“127.0.0.1”,“userAgent”:“127.0.0.1”},“res”:{“statusCode”:401,“responseTime”:40,“contentLength”:9},“message”:“GET /app/kibana 401 40ms - 9.0B”}

login_dialog1966×666 52.9 KB

My authentication workflow.

image768×435 27.8 KB

I tried to call Kibana directly. It requires Basic Authorization when it requests to /app/kibana.

[root@ip-10-49-112-166 sites]# curl -vv -H “x-forwarded-for: 10.49.112.166” -H “x-proxy-user: admin” -H “x-proxy-roles: admin” -XGET “http://localhost:5601”

Note: Unnecessary use of -X or --request, GET is already inferred.
* Rebuilt URL to: http://localhost:5601/
* Trying 127.0.0.1…
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5601 (#0)
> GET / HTTP/1.1
> Host: localhost:5601
> User-Agent: curl/7.61.1
> Accept: /
> x-forwarded-for: 10.49.112.166
> x-proxy-user: admin
> x-proxy-roles: admin
< HTTP/1.1 302 Found
< location: /app/kibana
< kbn-name: kibana
< kbn-xpack-sig: 3a891d2ef1be0f21deac2039a6a9a620
< content-type: text/html; charset=utf-8
< cache-control: no-cache
< set-cookie: searchguard_authentication=Fe26.28ef47e27a8c1042fc89b99e8a2dbfc0061da835bdc9450a4f3eef76931cbc9337bpcp6RsAV0D7mcGrCaIcA3vG5TlfAuDDvqfh6Y4vx2XRLz9v2SnjmYRbR4HicFRdAdLMnkgLJkDmLncL566doauBKl8p3_On5rY80Qi0twIbVnbFrD2whkwfn9t9dlInKchje97qLX7rGBq56WlNZgQCU6U25pz5-eFZRReFD3G53XugKtlQPpHTAypsJ4Tj_hFv-tUXV4ZhgnKAmUk7AVqxa1z-YHo9WO_4Ab0hRBDTCmyEtG5aFzA1PYpqsDx878f7881492bed64f24a3f8b2ee9258243bd474fabdc9f405a9656454df8ef87eRa7CtbIevKkuH6bFmw1WQucsocivNNvewcahL9-JEKk; Max-Age=3600; Expires=Wed, 24 Jul 2019 08:59:41 GMT; HttpOnly; Path=/
< set-cookie: searchguard_storage=Fe26.2**cfdc5c85715c7b1242afe58af57b4a46978fe6b1464d000a13694165f60b8bfd9ROJd3-xf6lNu9cbBfq09g5qQiUMDrTow3zeJOTpjIpeW06c-5OtyP5BQ1LBhos_xyj0m8fQB7N5M2GKJYL7LD7hNGZp6WqEhXOVsHlIAXGAi5O_bLWb-aaXf-xhsHG7qrbgw_rXWXLBpx8j5MRPN-1O3I6zKbCPxDVdtEKQc7Kv-B2WMXY4CQXHd886hg2DisnrtX23j2beaILdY8LVCtt4vi6OHfhv5T0b3pQMucMQbw4h7wN52t9YNrVlsxbAXcPR1YH2BWWjrD74KtTLOI8Pd1AgXFWoN8BUjDWu_AY9avPFZmhDMEF9wXGdqPfOaursRRtMmTKHJe4ZTu4AA_**81b813c017b1d41bbd441122eb91b3d4b942728e1cb37a3533de102affcba5bbSo3obYyYupF9emN6dZKYreTLXzIEQbvD7HNuNk7VtPY; HttpOnly; Path=/
< content-length: 0
< connection: close
< Date: Wed, 24 Jul 2019 07:59:41 GMT
<
* Closing connection 0
[root@ip-10-49-112-166 sites]#
[root@ip-10-49-112-166 sites]# curl -vv -H “x-forwarded-for: 10.49.112.166” -H “x-proxy-user: admin” -H “x-proxy-roles: admin” -XGET “http://localhost:5601/app/kibana”
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 127.0.0.1…
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5601 (#0)
> GET /app/kibana HTTP/1.1
> Host: localhost:5601
> User-Agent: curl/7.61.1
> Accept: /
> x-forwarded-for: 10.49.112.166
> x-proxy-user: admin
> x-proxy-roles: admin
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm=“Authorization Required”
< kbn-name: kibana
< kbn-xpack-sig: 3a891d2ef1be0f21deac2039a6a9a620
< content-type: application/json; charset=utf-8
< cache-control: no-cache
< set-cookie: searchguard_authentication=Fe26.2d5c12712c720b1e040a802675b3af0ad49440fa468725fe5abed6d2f71b31049LlF6anLUAo-QzEoGk7snLAeUVcrX6S7FDhx6oWJbFJ5HWmFZ3bW8g_8f_hmsh9TPJBPezvpzcCrPuS9yi0D1pQMAL7n0pZR6payXNFIHPDPrIUjclIU-WZBvSBx8rdTq7TMNazGzbnY598HBaDwsz5G9qPK9OZKrKvYNBta3_9BMdU8KjhVsHVwXZi0eTy1Sb6dSh4NhDMj4wI_amtY7QXfMTQ10dlxsIvDfaPXA2YjVRdTSY3Vor9KhRLHor_Rfs9c2aa73566faf23febce66afa0607bd8875623ae065a70b11bad2008c4d2d43fKlkB0QkTufI9w9an1plzV6vTIJ_p64c7ntN3QzIxhrQ; Max-Age=3600; Expires=Wed, 24 Jul 2019 08:59:50 GMT; HttpOnly; Path=/
< set-cookie: searchguard_storage=Fe26.2**af75de7b33e86c779736df3e1cf791bc6e2904938fc1c50643719cf1c1d9546eB7FpDGPHuFP7mnggdqoh2QWZHhFTgbMBcbZIl9H4FjoiLZpNcnkcogMFAdFxhj0t53BqHY000UIcY8Hm4tnJQS1RM3iVaVwoEsRDQ7n3R9mzMrccRrgoNaLI1J046W4polA3uqgERTTqyOfDvEvSP5U7xnFz50bfDI5vT9Kd-pBzAhP_reOD-oPvUSXVntdYndem1zPqosa7SB9hov3XBi6BnmpelaN6UiuRd_tblclldo_YWjnhO6_PTSAo1Tz9di41rIutnJdnhmsdW2371t5DTa0-0lUroARzd3hYRul2XHaDZiit1saEwHX_yiVGTAYlbUdehDpwnH1wlXj3_A**4f159f2537dad73cfda11584ef7c83fa78d2e5de14eaa5ff88e0c61ebbf923b4oz7eX6TMr4Cpz3iObQ6_TXOjF07wbfXD9KIevNGZB78; HttpOnly; Path=/
< content-length: 78
< connection: close
< Date: Wed, 24 Jul 2019 07:59:50 GMT
* Closing connection 0

Can you please post your kibana.yml?

kibana.yml (757 Bytes)

Here is my Kibana config.

I think you are missing

x-forwarded-for

in your headers whitelist.

Thanks. What’s the value? Should be an IP address of Kibana host?

There’s no value, you just need to add it in kibana.yml to the list of whitelisted headers:

elasticsearch.requestHeadersWhitelist:
  - authorization
  - sgtenant
  - x-proxy-user
  - x-proxy-roles
  - x-forwarded-for

And in the posted kibana.yml there is also no entry for the authentication type. You need:

searchguard.auth.type: "proxy"

Sorry, it works now. I forgot to set searchguard.auth.type: proxy in Kibana.yml

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.