I ultimately want to send the X-Forwarded-User value from an NGINX reverse proxy and use it to authenticate via LDAP. So if the X-Forwarded-User exists in LDAP then the user is authenticated and groups are retrieved etc.
Everything is working up to and including LDAP authentication. The only thing that doesn’t work is the passing of the X-Forwarded-User variable and using that to authenticate.
My configuration is as follows…
elasticsearch.yml:
cluster.initial_master_nodes: ["es-node-01", "es-node-02", "es-node-03"]
cluster.name: elasticsearch
discovery.seed_hosts: ["es-node-01.com", "es-node-02.com", "es-node-03.com"]
node.name: es-node-01
http.port: 9200
transport.port: 9300
network.host: 0.0.0.0
xpack.security.enabled: false
http.type: ssl_netty4
transport.type: ror_ssl_internode
readonlyrest.yml:
readonlyrest:
  ssl:
    keystore_file: "keystorefile1.jks"
    keystore_pass: "examplepw"
    key_pass: "examplepw"
  ssl_internode:
    keystore_file: "keystorefile2.jks"
    keystore_pass: "examplepw"
    key_pass: "examplepw"
  ldaps:
    - name: myldap
      host: myldaphost.com
      port: 389
      ssl_enabled: false
      bind_dn: "cn=appUser,ou=someOU,dc=dcName,dc=com"
      bind_password: "examplepw"
      user_id_attribute: cn
      search_user_base_DN: "dc=dcName,dc=com"
      search_groups_base_DN: "dc=dcName,dc=com"
      cache_ttl_in_sec: 3600
  access_control_rules:
    - name: "Allow Test Users"
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      ldap_authentication:
        name: myldap
        groups: ['testUsers']
    - name: "All"
      type: allow
      indices: ["*"]
  proxy_auth_configs:
    - name: "proxy1"
      user_id_header: "X-Forwarded-User"
(I realise that the “All” block here isn’t good, I have just included it temporarily to minimise other issues while trying to get the authentication via ‘X-Forwarded-User’ working).
kibana.yml:
elasticsearch.hosts:
- https://es-node-01.com:9200
- https://es-node-02.com:9200
- https://es-node-03.com:9200
server.host: 0.0.0.0
server.port: 5601
xpack.security.enabled: false
server.ssl.enabled: true
server.ssl.certificate: "/path/to/certificate.cer"
server.ssl.key: "/path/to/certificate.key"
elasticsearch.ssl.certificateAuthorities: ["/path/to/ca.pem"]
elasticsearch.requestHeadersWhitelist: ["authorization", "X-Forwarded-User"]
nginx.conf:
proxy_pass https://kibana.my.org:5601;
proxy_set_header X-Forwarded-User $user_id;
proxy_pass_request_headers on;
(My nginx.conf is larger than this but these are the relevant lines and looking in the nginx logs I can see that ‘X-Forwarded-User’ is being populated with the correct user information).
I am clearly doing something fundamentally wrong; can you give me any help?
One thing to add is that I can’t copy/paste text from the system that I am working on, so apologies, I won’t be able to paste long logs etc. I will do all that I can though.
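Added here as an example, not code from the post or from the ReadonlyREST project: a small Python check that walks the user-id header's path through the three configs above (mirrored as constructed dicts) and reports where the chain breaks. The keys it inspects are the ones in the post; the assumption that an access-control block with no authentication rule matches any request reflects ReadonlyREST's top-down, first-match block evaluation.

```python
# Cross-check the path of the proxy-auth header: nginx -> Kibana -> Elasticsearch/ReadonlyREST.
# The three configs are constructed Python dicts mirroring the YAML in the post.
NGINX_HEADERS = {"X-Forwarded-User": "$user_id"}  # from the proxy_set_header line

KIBANA = {"elasticsearch.requestHeadersWhitelist": ["authorization", "X-Forwarded-User"]}

ROR = {
    "ldaps": [{"name": "myldap"}],
    "proxy_auth_configs": [{"name": "proxy1", "user_id_header": "X-Forwarded-User"}],
    "access_control_rules": [
        {"name": "Allow Test Users",
         "proxy_auth": {"proxy_auth_config": "proxy1", "users": ["*"]},
         "ldap_authentication": {"name": "myldap", "groups": ["testUsers"]}},
        {"name": "All", "type": "allow", "indices": ["*"]},
    ],
}

# Rule keys that bind a block to some form of authentication (assumed subset of ROR rules).
AUTH_KEYS = ("proxy_auth", "ldap_authentication", "ldap_authorization", "auth_key")


def check_header_chain(nginx_headers, kibana, ror):
    """Return a list of problems on the header's path; an empty list means the chain is intact."""
    problems = []
    configs = {c["name"]: c for c in ror.get("proxy_auth_configs", [])}
    ldaps = {l["name"] for l in ror.get("ldaps", [])}
    # HTTP header names are case-insensitive, so compare them case-folded.
    forwarded = {h.lower() for h in kibana.get("elasticsearch.requestHeadersWhitelist", [])}
    sent = {h.lower() for h in nginx_headers}
    for rule in ror.get("access_control_rules", []):
        name = rule["name"]
        if not any(k in rule for k in AUTH_KEYS):
            # Blocks are evaluated top-down; an unauthenticated block matches any request.
            problems.append(f"{name}: no authentication rule, so it matches any request")
        for key in ("ldap_authentication", "ldap_authorization"):
            if key in rule and rule[key]["name"] not in ldaps:
                problems.append(f"{name}: {key} refers to unknown ldap {rule[key]['name']!r}")
        pa = rule.get("proxy_auth")
        if pa is None:
            continue
        cfg = configs.get(pa["proxy_auth_config"])
        if cfg is None:
            problems.append(f"{name}: proxy_auth_config {pa['proxy_auth_config']!r} is not defined")
            continue
        header = cfg["user_id_header"]
        if header.lower() not in sent:
            problems.append(f"{name}: nginx never sets {header}")
        if header.lower() not in forwarded:
            problems.append(f"{name}: Kibana drops {header} (not in requestHeadersWhitelist)")
    return problems
```

Run against the post's configs it reports only the catch-all "All" block; dropping the header from Kibana's whitelist makes it report the break at the Kibana hop.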