SG behind a Proxy

Hello there,

I’m new to SG. We have our SG community edition working in a development AWS environment without a proxy.

Now we are moving to Production with community edition (will have to upgrade to Enterprise edition once everything runs fine on Production if client is ok with SG).

My questions are:

  1. I read the section on the SG document:

https://docs.search-guard.com/latest/proxy-authentication

It seems we need to add proxy detection in the xff section of sg_config.yml

  2. We have an existing proxy; it seems we can use proxy authentication with Kibana.

Do we have any examples on how to configure the proxy?

  3. How about the roles/permissions for the users, do we have to add the users (in proxy) to SG and map roles to the users?

Thanks

Li

Hi,

what is it exactly that your proxy is doing? Do you use it for authentication/authorization or just for load-balancing?

If you use it for authentication/authorization then yes, you need to configure XFF as described in the article. Regarding the question for an example - I don’t understand exactly what you mean here. The documentation has a complete example on how to set up Proxy auth for Kibana. What are you missing?

  1. How about the roles/permissions for the users, do we have to add the users (in proxy) to SG and map roles to the users?

You do not need to set up users, SG will trust the user and role HTTP header implicitly (that is why you need to configure the list of trusted proxy IPs). You only need to map the users and / or roles to SG roles in sg_roles_mapping.yml.

Hope that helps!

On Tuesday, September 11, 2018 at 1:13:09 AM UTC+2, Li Cui wrote:

Hello there,

I’m new to SG. We have our SG community edition working in a development AWS environment without a proxy.

Now we are moving to Production with community edition (will have to upgrade to Enterprise edition once everything runs fine on Production if client is ok with SG).

My questions are:

  1. I read the section on the SG document:

https://docs.search-guard.com/latest/proxy-authentication

It seems we need to add proxy detection in the xff section of sg_config.yml

  2. We have an existing proxy; it seems we can use proxy authentication with Kibana.

Do we have any examples on how to configure the proxy?

  3. How about the roles/permissions for the users, do we have to add the users (in proxy) to SG and map roles to the users?

Thanks

Li
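An added configuration example for the setup the reply above describes (not taken from the thread, its attachments, or the Search Guard project). It assumes the Search Guard 6 file layout; the proxy address `10.0.0.10`, the header names `x-proxy-user` / `x-proxy-roles` and the backend role `kibana-users` are assumed values to be replaced with your own.

```yaml
# --- sg_config.yml ---
searchguard:
  dynamic:
    http:
      xff:
        enabled: true
        # Only requests arriving from these source addresses may carry
        # identity headers. 10.0.0.10 is a constructed example address.
        # A catch-all pattern such as '.*' would let any client that can
        # reach Elasticsearch set the user/role headers itself.
        internalProxies: '10\.0\.0\.10'
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      proxy_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            # Header names are assumptions; they must match what the proxy sets.
            user_header: 'x-proxy-user'
            roles_header: 'x-proxy-roles'
        authentication_backend:
          # No user store is consulted: the proxy has already authenticated.
          type: noop
---
# --- sg_roles_mapping.yml ---
# Maps the role value the proxy sends in x-proxy-roles to a Search Guard role.
# 'kibana-users' is an assumed value.
sg_kibana_user:
  backendroles:
    - kibana-users
---
# --- kibana.yml ---
searchguard.auth.type: "proxy"
# Kibana has to pass the proxy's headers through to Elasticsearch.
elasticsearch.requestHeadersWhitelist: ["securitytenant", "Authorization", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles"]
```

The proxy should strip any client-supplied copies of the user and role headers before setting its own, since Search Guard accepts whatever arrives from a trusted address.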

Jochen,

Thank you very much for your response…

I set the SG with our proxy (for authentication/authorization).

Started Elasticsearch, kibana, and logstash.

On Elasticsearch, everything seemed to be fine… but I cannot log in to Kibana.

On the Kibana URL, I got: {"statusCode":404,"error":"Not Found","message":"Not Found"}

I attached the elasticsearch.yml, kibana.yml, sg_config.yml, and the logs for Kibana and Elasticsearch.

Please review and let us know what was wrong and how to fix…

Thank you very much

Li

dev-kibaba.yml (5.72 KB)

dev-elastic.yml (3.97 KB)

elasticsearch.log (11.3 KB)

kibana.log (11.2 KB)

sg_config.yml (2.88 KB)

On Mon, Sep 17, 2018 at 8:54 AM Jochen Kressin jkressin@floragunn.com wrote:

Hi,

what is it exactly that your proxy is doing? Do you use it for authentication/authorization or just for load-balancing?

If you use it for authentication/authorization then yes, you need to configure XFF as described in the article. Regarding the question for an example - I don’t understand exactly what you mean here. The documentation has a complete example on how to set up Proxy auth for Kibana. What are you missing?

  1. How about the roles/permissions for the users, do we have to add the users (in proxy) to SG and map roles to the users?

You do not need to set up users, SG will trust the user and role HTTP header implicitly (that is why you need to configure the list of trusted proxy IPs). You only need to map the users and / or roles to SG roles in sg_roles_mapping.yml.

Hope that helps!
