Hello,
I’ve just installed ES+RoR with apache as a proxy before kibana.
Apache is doing basic auth and proxying all requests to kibana.
The interesting thing is that after the first auth I get a second prompt. From the log I can see that Apache for some reason doesn’t send the Authorization header with POST requests:
[2018-06-13T09:33:50,285][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::--DAS--::', policy: ALLOW} req={ ID:1204575917-2041251059#1016, TYP:GetRequest, CGR:N/A, USR:das, BRS:false, KDX:.kibana-das, ACT:indices:data/read/get, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.2.3, CNT:<N/A>, HDR:{authorization=Basic ZGFzOmRhcw==, Connection=keep-alive, Authorization=<OMITTED>, Host=127.0.0.1:9200, Content-Length=0}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RW TEST::->[proxy_auth->false]], [::--DAS--::->[indices->true, auth_key->true, kibana_index->true]] }
[2018-06-13T09:33:51,961][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1771917141--941757500#1018, TYP:SearchRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=10000&from=0, CNT:<OMITTED, LENGTH=80>, HDR:{Connection=keep-alive, Content-Length=80, content-type=application/json, Host=127.0.0.1:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RW TEST::->[proxy_auth->false]], [::--DAS--::->[auth_key->false]] }
On the other hand, the same setup with basic auth and proxy on nginx is working as expected:
[2018-06-13T09:33:37,855][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::--DAS--::', policy: ALLOW} req={ ID:428145596-1064696417#959, TYP:GetRequest, CGR:N/A, USR:das, BRS:false, KDX:.kibana-das, ACT:indices:data/read/get, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.2.3, CNT:<N/A>, HDR:{authorization=Basic ZGFzOmRhcw==, Connection=keep-alive, Authorization=<OMITTED>, Host=127.0.0.1:9200, Content-Length=0}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RW TEST::->[proxy_auth->false]], [::--DAS--::->[indices->true, auth_key->true, kibana_index->true]] }
[2018-06-13T09:33:39,475][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::--DAS--::', policy: ALLOW} req={ ID:685179329--941757500#961, TYP:SearchRequest, CGR:N/A, USR:das, BRS:false, KDX:.kibana-das, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=10000&from=0, CNT:<OMITTED, LENGTH=80>, HDR:{authorization=Basic ZGFzOmRhcw==, Connection=keep-alive, Authorization=<OMITTED>, content-type=application/json, Host=127.0.0.1:9200, Content-Length=80}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RW TEST::->[proxy_auth->false]], [::--DAS--::->[indices->true, auth_key->true, kibana_index->true]] }
I’ve tried several configurations for Apache to send this header, but nothing helped…
Could you please advise?
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User %{RU}e
or
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
or
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
RequestHeader set Authorization "%{HTTP_AUTHORIZATION}e"
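
Added example, not part of the original post: a Python check that parses ACL log lines in the format quoted above and reports, per HTTP method and verdict, requests that reached Elasticsearch with no Authorization header, plus lines where a credential value was written to the log un-omitted (the lowercase `authorization=Basic ...` entry next to `Authorization=<OMITTED>`). The sample lines are constructed and shortened, and the names `parse_line` and `audit` are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines, shortened from the ACL log format quoted in the post.
SAMPLE_LOG = """\
[2018-06-13T09:33:50,285][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::--DAS--::', policy: ALLOW} req={ ID:1#1, TYP:GetRequest, USR:user, MET:GET, PTH:/.kibana/doc/config, HDR:{authorization=Basic dXNlcjpwYXNz, Connection=keep-alive, Authorization=<OMITTED>, Host=127.0.0.1:9200}, HIS:[] }
[2018-06-13T09:33:51,961][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:2#2, TYP:SearchRequest, USR:[no basic auth header], MET:POST, PTH:/.kibana/_search, HDR:{Connection=keep-alive, Content-Length=80, Host=127.0.0.1:9200}, HIS:[] }
[2018-06-13T09:33:39,475][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::--DAS--::', policy: ALLOW} req={ ID:3#3, TYP:SearchRequest, USR:user, MET:POST, PTH:/.kibana/_search, HDR:{authorization=Basic dXNlcjpwYXNz, Authorization=<OMITTED>, Content-Length=80}, HIS:[] }
"""

# Verdict, HTTP method and the raw HDR:{...} map of one ACL log line.
LINE_RE = re.compile(
    r"\] (?P<verdict>ALLOWED|FORBIDDEN) by .*?"
    r"MET:(?P<method>[A-Z]+),.*?HDR:\{(?P<headers>[^}]*)\}"
)


def parse_line(line):
    """Return verdict, method and headers for an ACL line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    headers = {}
    for item in m.group("headers").split(", "):
        name, _, value = item.partition("=")  # base64 padding '=' stays in the value
        headers[name] = value                 # keep case: both spellings are logged
    return {"verdict": m.group("verdict"), "method": m.group("method"),
            "headers": headers}


def audit(log_text):
    """Count requests lacking Authorization and lines that log a credential value."""
    missing_auth = Counter()  # keyed by (method, verdict)
    logged_credentials = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        values = [v for k, v in rec["headers"].items() if k.lower() == "authorization"]
        if not values:
            missing_auth[(rec["method"], rec["verdict"])] += 1
        elif any(v != "<OMITTED>" for v in values):
            logged_credentials += 1
    return missing_auth, logged_credentials


if __name__ == "__main__":
    missing, leaked = audit(SAMPLE_LOG)
    print("requests without Authorization:", dict(missing))
    print("lines logging a credential value:", leaked)
```

Run against the real Elasticsearch log, a result where only POST entries appear under missing Authorization points at the proxy dropping the header for that method rather than at the ACL rules.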