I ultimately want to send the X-Forwarded-User value from an NGINX reverse proxy and use it to authenticate via LDAP. So if the X-Forwarded-User exists in LDAP then the user is authenticated and groups are retrieved etc.
Everything is working up to and including LDAP authentication. The only thing that doesn’t work is the passing of the X-Forwarded-User variable and using that to authenticate.
My configuration is as follows…
```yaml
cluster.initial_master_nodes: ["es-node-01", "es-node-02", "es-node-03"]
cluster.name: elasticsearch
discovery.seed_hosts: ["es-node-01.com", "es-node-02.com", "es-node-03.com"]
node.name: es-node-01
http.port: 9200
transport.port: 9300
network.host: 0.0.0.0
xpack.security.enabled: false
http.type: ssl_netty4
transport.type: ror_ssl_internode
```
```yaml
readonlyrest:
  ssl:
    keystore_file: "keystorefile1.jks"
    keystore_pass: "examplepw"
    key_pass: "examplepw"
  ssl_internode:
    keystore_file: "keystorefile2.jks"
    keystore_pass: "examplepw"
    key_pass: "examplepw"
  ldaps:
    - name: myldap
      host: myldaphost.com
      port: 389
      ssl_enabled: false
      bind_dn: "cn=appUser,ou=someOU,dc=dcName,dc=com"
      bind_password: "examplepw"
      user_id_attribute: cn
      search_user_base_DN: "dc=dcName,dc=com"
      search_groups_base_DN: "dc=dcName,dc=com"
      cache_ttl_in_sec: 3600
  access_control_rules:
    - name: "Allow Test Users"
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      ldap_authentication:
        name: myldap
        groups: ['testUsers']
    - name: "All"
      type: allow
      indices: ["*"]
  proxy_auth_configs:
    - name: "proxy1"
      user_id_header: "X-Forwarded-User"
```
(I realise that the “All” block here isn’t good, I have just included it temporarily to minimise other issues while trying to get the authentication via ‘X-Forwarded-User’ working).
```yaml
elasticsearch.hosts:
  - https://es-node-01.com:9200
  - https://es-node-02.com:9200
  - https://es-node-03.com:9200
server.host: 0.0.0.0
server.port: 5601
xpack.security.enabled: false
server.ssl.enabled: true
server.ssl.certificate: "/path/to/certificate.cer"
server.ssl.key: "/path/to/certificate.key"
elasticsearch.ssl.certificateAuthorities: ["/path/to/ca.pem"]
elasticsearch.requestHeadersWhitelist: ["authorization", "X-Forwarded-User"]
```
```nginx
proxy_pass https://kibana.my.org:5601;
proxy_set_header X-Forwarded-User $user_id;
proxy_pass_request_headers on;
```
(My nginx.conf is larger than this but these are the relevant lines and looking in the nginx logs I can see that ‘X-Forwarded-User’ is being populated with the correct user information).
I am clearly doing something fundamentally wrong; can you give me any help?
One thing to add is that I can’t copy/paste text from the system that I am working on so apologies I won’t be able to paste long logs etc. I will do all that I can though.
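To see how the two `access_control_rules` blocks above interact, here is a small added model of first-match ACL evaluation over the posted rules (constructed example, not ReadonlyREST's own code). The LDAP group lookup is replaced by an in-memory dictionary (`FAKE_LDAP_GROUPS`, an assumption), and the real LDAP bind/password step is not modelled; the point it shows is that the temporary "All" block allows any request that the first block rejects, including requests with no `X-Forwarded-User` header at all, so it hides whether the proxy-auth block is matching.

```python
"""Simplified, first-match model of proxy_auth + group rules from the post.
Constructed example; not ReadonlyREST's implementation."""
from fnmatch import fnmatch

# Constructed stand-in for the LDAP directory: user -> groups (assumption)
FAKE_LDAP_GROUPS = {"alice": ["testUsers"], "bob": ["otherGroup"]}

# Mirrors proxy_auth_configs from the posted readonlyrest config
PROXY_AUTH_CONFIGS = {"proxy1": {"user_id_header": "X-Forwarded-User"}}

# Mirrors access_control_rules from the post; the "All" block has no
# authentication rule at all, so it matches every request that reaches it.
ACL = [
    {"name": "Allow Test Users",
     "proxy_auth": {"proxy_auth_config": "proxy1", "users": ["*"]},
     "ldap_groups": ["testUsers"]},
    {"name": "All", "type": "allow", "indices": ["*"]},
]


def proxy_auth_user(headers, cfg_name):
    """Return the user named by the configured proxy header, or None."""
    header = PROXY_AUTH_CONFIGS[cfg_name]["user_id_header"]
    for name, value in headers.items():
        # HTTP header names are case-insensitive
        if name.lower() == header.lower() and value:
            return value
    return None


def evaluate(headers, acl=ACL):
    """Return (matching block name, authenticated user) or (None, None).
    Blocks are tried in order; the first one whose rules all pass wins."""
    for block in acl:
        user = None
        if "proxy_auth" in block:
            pa = block["proxy_auth"]
            user = proxy_auth_user(headers, pa["proxy_auth_config"])
            if user is None or not any(fnmatch(user, p) for p in pa["users"]):
                continue
        if "ldap_groups" in block:
            groups = FAKE_LDAP_GROUPS.get(user, [])
            if not set(groups) & set(block["ldap_groups"]):
                continue
        # A block with no auth rule (like "All") allows an anonymous request
        return block["name"], user
    return None, None
```

Running `evaluate` with the "All" block removed (`acl=ACL[:1]`) is the quickest way to confirm whether the proxy-auth block alone accepts or rejects a given header set.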