Searchguard setting were not applied in Kibana Error

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

SG=6.5.1-24.1

ES=6.5.1

  • JVM version and operating system version

JVM=1.8.0_162

OS=Ubuntu 18.04.1 LTS

  • Search Guard configuration files

from elastisearch.yml

searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem

searchguard.ssl.transport.pemkey_filepath: es-encr-001.key

searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem

searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key

searchguard.ssl.http.pemkey_password: raAtcE0mTfuk

searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem

searchguard.nodes_dn:

searchguard.authcz.admin_dn:

“elasticsearch.yml” 115L, 4129C

sg_config.yml

searchguard:

dynamic:

http:

  anonymous_auth_enabled: false

  xff:

    internalProxies:  '10.xxx.xx.xx' #kibana's IP

    remoteIpHeader:  'x-forwarded-for'

    proxiesHeader:   'x-forwarded-by'

proxy_auth_domain:

http_enabled: true

transport_enabled: true

order: 3

http_authenticator:

type: proxy

challenge: false

config:

user_header: “x-proxy-user”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

basic_internal_auth_domain:

http_enabled: true

transport_enabled: true

order: 4

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: intern

Kibana.yml:

···

Default Kibana configuration from kibana-docker.

server.port: 5601
server.host: “0.0.0.0”
server.name: “kibana”
elasticsearch.requestTimeout: 100000
elasticsearch.username: “admin”
elasticsearch.password: “admin”
searchguard.auth.type: “proxy”
searchguard.proxycache.user_header: x-proxy-user

The header that identifies the user’s role(s) - (required, no default)

searchguard.proxycache.roles_header: x-proxy-roles

HTTP header field which the proxy uses to forward the IP chain to the endpoint, usually x-forwarded-for.

(optional, default: x-forwarded-for)

#searchguard.proxycache.proxy_header: x-forwarded-for

IP where Kibana is running on - (required, no default)

Used to add it to the x-forwarded-for IP chain (see above)

This IP must be added as trusted IP in sg_config.yml under

searchguard.dynamic.http.xff.internalProxies.

It’s also possible to us a environment variable here like ${IP_ADDRESS}

searchguard.proxycache.proxy_header_ip: “10.xxx.xx.xx”

Redirect to this URL if the user isn’t authenticated - (optional, no default)

#searchguard.proxycache.login_endpoint: “https://login.sso.company.com
searchguard.basicauth.enabled: false
elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant”, “x-forwarded-for”, “x-proxy-user”, “x-proxy-roles” ]

  • Elasticsearch log messages on debug level

FATAL Error: “searchguard.auth.type”, “searchguard.proxycache.user_header”, “searchguard.proxycache.roles_header”, and “searchguard.proxycache.proxy_header_ip” settings were not applied. Check for spelling errors and ensure that expected plugins are installed.

Hi there,

I installed SG on ELK with the mentioned versions.

It seems working great.

Now, I’m using Lasso (Vouch Proxy) for oauth.

So after authorization via Lasso , I have a pop-up for authorization with SG, and I want to use only Lasso authorization.

I’m receiving this error when running Kibana on K8S - “FATAL Error: “searchguard.auth.type”, “searchguard.proxycache.user_header”, “searchguard.proxycache.roles_header”, and “searchguard.proxycache.proxy_header_ip” settings were not applied. Check for spelling errors and ensure that expected plugins are installed.”

Do I have to install SG plugin for Kibana? If yes, do you have a Dockerfile to install Kibana with SG? Also, does this plugin is a free trial?

Thanks,

Aleksei

Hi,

yes, you need to install the SG Kibana plugin, otherwise there are no security features available.

Search Guard comes with a 60 day trial license which is acticated automatically on startup / SG initialization. All features are fully functioning, and we are happy to send you a trial extension should you need more time for your PoC.

We do not maintain Dockerfiles at the moment, but you can checkout this very good repository here:

Also, if you are running Search Guard on K8S you might be interested in our Helm charts:

They include the Elasticsearch and the Kibana plugin.

···

On Monday, March 11, 2019 at 2:08:00 PM UTC+1, Aleksei Saiko wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

SG=6.5.1-24.1

ES=6.5.1

  • JVM version and operating system version

JVM=1.8.0_162

OS=Ubuntu 18.04.1 LTS

  • Search Guard configuration files

from elastisearch.yml

searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem

searchguard.ssl.transport.pemkey_filepath: es-encr-001.key

searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem

searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key

searchguard.ssl.http.pemkey_password: raAtcE0mTfuk

searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem

searchguard.nodes_dn:

searchguard.authcz.admin_dn:

“elasticsearch.yml” 115L, 4129C

sg_config.yml

searchguard:

dynamic:

http:
  anonymous_auth_enabled: false
  xff:
    internalProxies:  '10.xxx.xx.xx' #kibana's IP
    remoteIpHeader:  'x-forwarded-for'
    proxiesHeader:   'x-forwarded-by'

proxy_auth_domain:

http_enabled: true

transport_enabled: true

order: 3

http_authenticator:

type: proxy

challenge: false

config:

user_header: “x-proxy-user”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

basic_internal_auth_domain:

http_enabled: true

transport_enabled: true

order: 4

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: intern

Kibana.yml:


Default Kibana configuration from kibana-docker.

server.port: 5601
server.host: “0.0.0.0”
server.name: “kibana”
elasticsearch.requestTimeout: 100000
elasticsearch.username: “admin”
elasticsearch.password: “admin”
searchguard.auth.type: “proxy”
searchguard.proxycache.user_header: x-proxy-user

The header that identifies the user’s role(s) - (required, no default)

searchguard.proxycache.roles_header: x-proxy-roles

HTTP header field which the proxy uses to forward the IP chain to the endpoint, usually x-forwarded-for.

(optional, default: x-forwarded-for)

#searchguard.proxycache.proxy_header: x-forwarded-for

IP where Kibana is running on - (required, no default)

Used to add it to the x-forwarded-for IP chain (see above)

This IP must be added as trusted IP in sg_config.yml under

searchguard.dynamic.http.xff.internalProxies.

It’s also possible to us a environment variable here like ${IP_ADDRESS}

searchguard.proxycache.proxy_header_ip: “10.xxx.xx.xx”

Redirect to this URL if the user isn’t authenticated - (optional, no default)

#searchguard.proxycache.login_endpoint: “https://login.sso.company.com
searchguard.basicauth.enabled: false
elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant”, “x-forwarded-for”, “x-proxy-user”, “x-proxy-roles” ]

  • Elasticsearch log messages on debug level

FATAL Error: “searchguard.auth.type”, “searchguard.proxycache.user_header”, “searchguard.proxycache.roles_header”, and “searchguard.proxycache.proxy_header_ip” settings were not applied. Check for spelling errors and ensure that expected plugins are installed.

Hi there,

I installed SG on ELK with the mentioned versions.

It seems working great.

Now, I’m using Lasso (Vouch Proxy) for oauth.

So after authorization via Lasso , I have a pop-up for authorization with SG, and I want to use only Lasso authorization.

I’m receiving this error when running Kibana on K8S - “FATAL Error: “searchguard.auth.type”, “searchguard.proxycache.user_header”, “searchguard.proxycache.roles_header”, and “searchguard.proxycache.proxy_header_ip” settings were not applied. Check for spelling errors and ensure that expected plugins are installed.”

Do I have to install SG plugin for Kibana? If yes, do you have a Dockerfile to install Kibana with SG? Also, does this plugin is a free trial?

Thanks,

Aleksei

Hi Jochen,
Thx for your answer.

After the 60 day trial, will Kibana plugin becoming non-free?

Thx

···

вторник, 12 марта 2019 г., 19:30:37 UTC+2 пользователь Jochen Kressin написал:

Hi,

yes, you need to install the SG Kibana plugin, otherwise there are no security features available.

Search Guard comes with a 60 day trial license which is acticated automatically on startup / SG initialization. All features are fully functioning, and we are happy to send you a trial extension should you need more time for your PoC.

We do not maintain Dockerfiles at the moment, but you can checkout this very good repository here:

https://github.com/deviantony/docker-elk/tree/searchguard

Also, if you are running Search Guard on K8S you might be interested in our Helm charts:

https://github.com/floragunncom/search-guard-helm

They include the Elasticsearch and the Kibana plugin.

On Monday, March 11, 2019 at 2:08:00 PM UTC+1, Aleksei Saiko wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

SG=6.5.1-24.1

ES=6.5.1

  • JVM version and operating system version

JVM=1.8.0_162

OS=Ubuntu 18.04.1 LTS

  • Search Guard configuration files

from elastisearch.yml

searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem

searchguard.ssl.transport.pemkey_filepath: es-encr-001.key

searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem

searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key

searchguard.ssl.http.pemkey_password: raAtcE0mTfuk

searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem

searchguard.nodes_dn:

searchguard.authcz.admin_dn:

“elasticsearch.yml” 115L, 4129C

sg_config.yml

searchguard:

dynamic:

http:
  anonymous_auth_enabled: false
  xff:
    internalProxies:  '10.xxx.xx.xx' #kibana's IP
    remoteIpHeader:  'x-forwarded-for'
    proxiesHeader:   'x-forwarded-by'

proxy_auth_domain:

http_enabled: true

transport_enabled: true

order: 3

http_authenticator:

type: proxy

challenge: false

config:

user_header: “x-proxy-user”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

basic_internal_auth_domain:

http_enabled: true

transport_enabled: true

order: 4

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: intern

Kibana.yml:


Default Kibana configuration from kibana-docker.

server.port: 5601
server.host: “0.0.0.0”
server.name: “kibana”
elasticsearch.requestTimeout: 100000
elasticsearch.username: “admin”
elasticsearch.password: “admin”
searchguard.auth.type: “proxy”
searchguard.proxycache.user_header: x-proxy-user

The header that identifies the user’s role(s) - (required, no default)

searchguard.proxycache.roles_header: x-proxy-roles

HTTP header field which the proxy uses to forward the IP chain to the endpoint, usually x-forwarded-for.

(optional, default: x-forwarded-for)

#searchguard.proxycache.proxy_header: x-forwarded-for

IP where Kibana is running on - (required, no default)

Used to add it to the x-forwarded-for IP chain (see above)

This IP must be added as trusted IP in sg_config.yml under

searchguard.dynamic.http.xff.internalProxies.

It’s also possible to us a environment variable here like ${IP_ADDRESS}

searchguard.proxycache.proxy_header_ip: “10.xxx.xx.xx”

Redirect to this URL if the user isn’t authenticated - (optional, no default)

#searchguard.proxycache.login_endpoint: “https://login.sso.company.com
searchguard.basicauth.enabled: false
elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant”, “x-forwarded-for”, “x-proxy-user”, “x-proxy-roles” ]

  • Elasticsearch log messages on debug level

FATAL Error: “searchguard.auth.type”, “searchguard.proxycache.user_header”, “searchguard.proxycache.roles_header”, and “searchguard.proxycache.proxy_header_ip” settings were not applied. Check for spelling errors and ensure that expected plugins are installed.

Hi there,

I installed SG on ELK with the mentioned versions.

It seems working great.

Now, I’m using Lasso (Vouch Proxy) for oauth.

So after authorization via Lasso , I have a pop-up for authorization with SG, and I want to use only Lasso authorization.

I’m receiving this error when running Kibana on K8S - “FATAL Error: “searchguard.auth.type”, “searchguard.proxycache.user_header”, “searchguard.proxycache.roles_header”, and “searchguard.proxycache.proxy_header_ip” settings were not applied. Check for spelling errors and ensure that expected plugins are installed.”

Do I have to install SG plugin for Kibana? If yes, do you have a Dockerfile to install Kibana with SG? Also, does this plugin is a free trial?

Thanks,

Aleksei

After the 60 days trial Kibana will warn you that you need to obtain and install a license.
If you do not want to buy the enterprise license that disable the enterprise features and the warning will disappear.

To see which feature is Enterprise or Community pls have a look here:

Kibana Plugin itself is licensed under Apache 2 so the Kibana plugin does never become non-free.
If you disable the enterprise features some menu items will disappear.

Pls refer to https://docs.search-guard.com/latest/search-guard-community-edition how to disable the enterprise features.

···

Am 14.03.2019 um 16:46 schrieb Aleksei Saiko <aleksei.saiko@gmail.com>:

Hi Jochen,
Thx for your answer.
After the 60 day trial, will Kibana plugin becoming non-free?

Thx

вторник, 12 марта 2019 г., 19:30:37 UTC+2 пользователь Jochen Kressin написал:
Hi,

yes, you need to install the SG Kibana plugin, otherwise there are no security features available.

Search Guard comes with a 60 day trial license which is acticated automatically on startup / SG initialization. All features are fully functioning, and we are happy to send you a trial extension should you need more time for your PoC.

We do not maintain Dockerfiles at the moment, but you can checkout this very good repository here:

https://github.com/deviantony/docker-elk/tree/searchguard

Also, if you are running Search Guard on K8S you might be interested in our Helm charts:

https://github.com/floragunncom/search-guard-helm

They include the Elasticsearch and the Kibana plugin.

On Monday, March 11, 2019 at 2:08:00 PM UTC+1, Aleksei Saiko wrote:
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
SG=6.5.1-24.1
ES=6.5.1

* JVM version and operating system version
JVM=1.8.0_162
OS=Ubuntu 18.04.1 LTS

* Search Guard configuration files
from elastisearch.yml
searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
searchguard.ssl.http.pemkey_password: raAtcE0mTfuk
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=es-encr-001.XXXX.com,OU=IL,O=xxxx Com\, Inc.,DC=XXXX,DC=com
- CN=es-necr-002.XXXX.com,OU=IL,O=xxxx Com\, Inc.,DC=XXXX,DC=com
- CN=es-necr-003.XXXX.com,OU=IL,O=xxxx Com\, Inc.,DC=XXXX,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.XXXX.com,OU=IL,O=XXXX Com\, Inc.,DC=XXXX,DC=com
"elasticsearch.yml" 115L, 4129C

sg_config.yml

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        internalProxies: '10.xxx.xx.xx' #kibana's IP
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
       proxy_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
     basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern

Kibana.yml:
---
# Default Kibana configuration from kibana-docker.
server.port: 5601
server.host: "0.0.0.0"
server.name: "kibana"
elasticsearch.requestTimeout: 100000
elasticsearch.username: "admin"
elasticsearch.password: "admin"
searchguard.auth.type: "proxy"
searchguard.proxycache.user_header: x-proxy-user

# The header that identifies the user's role(s) - (required, no default)
searchguard.proxycache.roles_header: x-proxy-roles

# HTTP header field which the proxy uses to forward the IP chain to the endpoint, usually x-forwarded-for.
# (optional, default: x-forwarded-for)
#searchguard.proxycache.proxy_header: x-forwarded-for

# IP where Kibana is running on - (required, no default)
# Used to add it to the x-forwarded-for IP chain (see above)
# This IP must be added as trusted IP in sg_config.yml under
# searchguard.dynamic.http.xff.internalProxies.
# It's also possible to us a environment variable here like ${IP_ADDRESS}
searchguard.proxycache.proxy_header_ip: "10.xxx.xx.xx"

# Redirect to this URL if the user isn't authenticated - (optional, no default)
#searchguard.proxycache.login_endpoint: "https://login.sso.company.com"
searchguard.basicauth.enabled: false

elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]

* Elasticsearch log messages on debug level
FATAL Error: "searchguard.auth.type", "searchguard.proxycache.user_header", "searchguard.proxycache.roles_header", and "searchguard.proxycache.proxy_header_ip" settings were not applied. Check for spelling errors and ensure that expected plugins are installed.

Hi there,
I installed SG on ELK with the mentioned versions.
It seems working great.
Now, I'm using Lasso (Vouch Proxy) for oauth.
So after authorization via Lasso , I have a pop-up for authorization with SG, and I want to use only Lasso authorization.
I'm receiving this error when running Kibana on K8S - "FATAL Error: "searchguard.auth.type", "searchguard.proxycache.user_header", "searchguard.proxycache.roles_header", and "searchguard.proxycache.proxy_header_ip" settings were not applied. Check for spelling errors and ensure that expected plugins are installed."

Do I have to install SG plugin for Kibana? If yes, do you have a Dockerfile to install Kibana with SG? Also, does this plugin is a free trial?

Thanks,

Aleksei

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/baebe650-a760-470f-a128-fb1c8c400172%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks for your answer!

···

вс, 17 мар. 2019 г. в 19:22, SG info@search-guard.com:

After the 60 days trial Kibana will warn you that you need to obtain and install a license.

If you do not want to buy the enterprise license that disable the enterprise features and the warning will disappear.

To see which feature is Enterprise or Community pls have a look here:

https://search-guard.com/product/

Kibana Plugin itself is licensed under Apache 2 so the Kibana plugin does never become non-free.

If you disable the enterprise features some menu items will disappear.

Pls refer to https://docs.search-guard.com/latest/search-guard-community-edition how to disable the enterprise features.

Am 14.03.2019 um 16:46 schrieb Aleksei Saiko aleksei.saiko@gmail.com:

Hi Jochen,

Thx for your answer.

After the 60 day trial, will Kibana plugin becoming non-free?

Thx

вторник, 12 марта 2019 г., 19:30:37 UTC+2 пользователь Jochen Kressin написал:

Hi,

yes, you need to install the SG Kibana plugin, otherwise there are no security features available.

Search Guard comes with a 60 day trial license which is acticated automatically on startup / SG initialization. All features are fully functioning, and we are happy to send you a trial extension should you need more time for your PoC.

We do not maintain Dockerfiles at the moment, but you can checkout this very good repository here:

https://github.com/deviantony/docker-elk/tree/searchguard

Also, if you are running Search Guard on K8S you might be interested in our Helm charts:

https://github.com/floragunncom/search-guard-helm

They include the Elasticsearch and the Kibana plugin.

On Monday, March 11, 2019 at 2:08:00 PM UTC+1, Aleksei Saiko wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

SG=6.5.1-24.1

ES=6.5.1

  • JVM version and operating system version

JVM=1.8.0_162

OS=Ubuntu 18.04.1 LTS

  • Search Guard configuration files

from elastisearch.yml

searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem

searchguard.ssl.transport.pemkey_filepath: es-encr-001.key

searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX

searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: false

searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem

searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key

searchguard.ssl.http.pemkey_password: raAtcE0mTfuk

searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem

searchguard.nodes_dn:

searchguard.authcz.admin_dn:

“elasticsearch.yml” 115L, 4129C

sg_config.yml

searchguard:

dynamic:

http:
  anonymous_auth_enabled: false
  xff:
    internalProxies:  '10.xxx.xx.xx' #kibana's IP
    remoteIpHeader:  'x-forwarded-for'
    proxiesHeader:   'x-forwarded-by'
   proxy_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 3
    http_authenticator:
      type: proxy
      challenge: false
      config:
        user_header: "x-proxy-user"
        roles_header: "x-proxy-roles"
    authentication_backend:
      type: noop
 basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 4
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern

Kibana.yml:


Default Kibana configuration from kibana-docker.

server.port: 5601

server.host: “0.0.0.0”

server.name: “kibana”

elasticsearch.requestTimeout: 100000

elasticsearch.username: “admin”

elasticsearch.password: “admin”

searchguard.auth.type: “proxy”

searchguard.proxycache.user_header: x-proxy-user

The header that identifies the user’s role(s) - (required, no default)

searchguard.proxycache.roles_header: x-proxy-roles

HTTP header field which the proxy uses to forward the IP chain to the endpoint, usually x-forwarded-for.

(optional, default: x-forwarded-for)

#searchguard.proxycache.proxy_header: x-forwarded-for

IP where Kibana is running on - (required, no default)

Used to add it to the x-forwarded-for IP chain (see above)

This IP must be added as trusted IP in sg_config.yml under

searchguard.dynamic.http.xff.internalProxies.

It’s also possible to us a environment variable here like ${IP_ADDRESS}

searchguard.proxycache.proxy_header_ip: “10.xxx.xx.xx”

Redirect to this URL if the user isn’t authenticated - (optional, no default)

#searchguard.proxycache.login_endpoint: “https://login.sso.company.com

searchguard.basicauth.enabled: false

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant”, “x-forwarded-for”, “x-proxy-user”, “x-proxy-roles” ]

  • Elasticsearch log messages on debug level

FATAL Error: “searchguard.auth.type”, “searchguard.proxycache.user_header”, “searchguard.proxycache.roles_header”, and “searchguard.proxycache.proxy_header_ip” settings were not applied. Check for spelling errors and ensure that expected plugins are installed.

Hi there,

I installed SG on ELK with the mentioned versions.

It seems working great.

Now, I’m using Lasso (Vouch Proxy) for oauth.

So after authorization via Lasso , I have a pop-up for authorization with SG, and I want to use only Lasso authorization.

I’m receiving this error when running Kibana on K8S - “FATAL Error: “searchguard.auth.type”, “searchguard.proxycache.user_header”, “searchguard.proxycache.roles_header”, and “searchguard.proxycache.proxy_header_ip” settings were not applied. Check for spelling errors and ensure that expected plugins are installed.”

Do I have to install SG plugin for Kibana? If yes, do you have a Dockerfile to install Kibana with SG? Also, does this plugin is a free trial?

Thanks,

Aleksei

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/baebe650-a760-470f-a128-fb1c8c400172%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/79A368C3-5759-4DD2-B06A-5382B654A401%40search-guard.com.

For more options, visit https://groups.google.com/d/optout.