Apache httpd: no basic auth header with POST

krisko · June 13, 2018, 7:45am

Hello,
I’ve just installed ES+RoR with apache as a proxy before kibana.
Apache is doing basic auth and proxying all requests to kibana.

Interesting thing is that after first auth I get second prompt. From the log I can see, that apache for some reason doesn’t send Authorization Header with POST requests:

[2018-06-13T09:33:50,285][INFO ][t.b.r.a.ACL              ] ALLOWED by { name: '::--DAS--::', policy: ALLOW} req={ ID:1204575917-2041251059#1016, TYP:GetRequest, CGR:N/A, USR:das, BRS:false, KDX:.kibana-das, ACT:indices:data/read/get, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.2.3, CNT:<N/A>, HDR:{authorization=Basic ZGFzOmRhcw==, Connection=keep-alive, Authorization=<OMITTED>, Host=127.0.0.1:9200, Content-Length=0}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RW TEST::->[proxy_auth->false]], [::--DAS--::->[indices->true, auth_key->true, kibana_index->true]] } 
[2018-06-13T09:33:51,961][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:1771917141--941757500#1018, TYP:SearchRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=10000&from=0, CNT:<OMITTED, LENGTH=80>, HDR:{Connection=keep-alive, Content-Length=80, content-type=application/json, Host=127.0.0.1:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RW TEST::->[proxy_auth->false]], [::--DAS--::->[auth_key->false]] }

On the other hand, the same setup with basic auth and proxy on nginx is working as expected:

[2018-06-13T09:33:37,855][INFO ][t.b.r.a.ACL              ] ALLOWED by { name: '::--DAS--::', policy: ALLOW} req={ ID:428145596-1064696417#959, TYP:GetRequest, CGR:N/A, USR:das, BRS:false, KDX:.kibana-das, ACT:indices:data/read/get, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.2.3, CNT:<N/A>, HDR:{authorization=Basic ZGFzOmRhcw==, Connection=keep-alive, Authorization=<OMITTED>, Host=127.0.0.1:9200, Content-Length=0}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RW TEST::->[proxy_auth->false]], [::--DAS--::->[indices->true, auth_key->true, kibana_index->true]] } 
[2018-06-13T09:33:39,475][INFO ][t.b.r.a.ACL              ] ALLOWED by { name: '::--DAS--::', policy: ALLOW} req={ ID:685179329--941757500#961, TYP:SearchRequest, CGR:N/A, USR:das, BRS:false, KDX:.kibana-das, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=10000&from=0, CNT:<OMITTED, LENGTH=80>, HDR:{authorization=Basic ZGFzOmRhcw==, Connection=keep-alive, Authorization=<OMITTED>, content-type=application/json, Host=127.0.0.1:9200, Content-Length=80}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RW TEST::->[proxy_auth->false]], [::--DAS--::->[indices->true, auth_key->true, kibana_index->true]] }

I’ve tried to several configurations for apache to send this header, but nothing helped…
Could you please advise?

RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User %{RU}e
  or
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  or
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
RequestHeader set Authorization "%{HTTP_AUTHORIZATION}e"

askids · June 14, 2018, 10:30pm

I think that you have unfortunately entered the long outstanding Kibana header hell I am 99% sure, but have either @sscarduzio or @ld57 confirm it.

If that is the case, go through the below links.
Kibana sometimes sends HTTP requests to Elasticsearch without credentials

Temp relief can be achieved through below approach. See the warning also.
Hack ACL Rule for Kibana

sscarduzio · June 14, 2018, 10:36pm

I would say the same, but the fact that Nginx works leaves me perplexed. @krisko can you share the Nginx settings?