Restrict access to Kibana by IP

Hello, I have 2 bundles:
1) nginx-kibana-elasticsearch
2) nginx-elasticsearch

I am using the following config:

    - name: "IP access"
      hosts: ["127.0.0.1"]
      headers: ["remote_ip:10.10.10.10"] #Permitted IP
      type: allow
      ldap_authentication:
        name: "ldap"

I can restrict access by IP in Elasticsearch like this.
But it doesn’t work for Kibana, because it substitutes its own IP, 127.0.0.1, and it won’t let me in. Can you tell me how to solve this problem?

Version ROR Enterprise-1.39.0_es7.15.1 :unicorn:
Version Kibana 7.15.1
Version ElasticSearch 7.15.1

Hi Ilya,

If you have a reverse proxy in front of Kibana which is able to attach headers like x-forwarded-host to incoming requests, you could configure Kibana to forward headers to Elasticsearch using the elasticsearch.requestHeadersWhitelist setting in kibana.yml.

Then in your ACL you would have

    ...
      headers: ["x-forwarded-host:10.10.10.10"] # Permitted IP
    ...

I tried that, but I still can’t login.

    elasticsearch.requestHeadersWhitelist: ["authorization", "x-forwarded-for", "x-passed-nginx", "X-Real-IP"]

conf

    - name: "IP access"
      hosts: ["127.0.0.1"]
      headers: ["X-Real-IP:10.10.10.10"]
      type: allow
      ldap_authentication:
        name: "ldap"

log

    IP access-> RULES:[ldap_authentication->true, hosts->true, headers_and->false]

or
conf

    - name: "IP access"
      x_forwarded_for: ["10.10.10.10"]
      headers: ["X-Real-IP:10.10.10.10"]
      type: allow
      ldap_authentication:
        name: "ldap"

log

    [IP access-> RULES:[ldap_authentication->true, x_forwarded_for->false]

Maybe I didn’t learn something? Does this method work for you?

I tried that too, didn’t help.

In the ES logs, you can also see a “HDR:” section with all the headers and values received by ES. Have a look at what’s in there, maybe?

Oh, I don’t see these headers being passed at all.

    HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=localhost:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, HIS:[Internal kibana account-> RULES:[auth_key->false]], [IP access-> RULES:[ldap_authentication->true, hosts->true, headers_and->false]
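The HDR check suggested above, as an added example that is not part of any post in this thread or of ReadonlyREST itself: a small Python parser for the log line posted above, reporting which ACL rules returned false in each block and which expected headers never reached Elasticsearch. It assumes the `HDR:` / `HIS:` layout seen in that line; the function names are made up for this example.

```python
import re

# Log line copied from the post above; it is the only input, nothing is read from disk.
SAMPLE = (
    "HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, "
    "Connection=close, Host=localhost:9200, "
    "User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), "
    "content-length=0, HIS:[Internal kibana account-> RULES:[auth_key->false]], "
    "[IP access-> RULES:[ldap_authentication->true, hosts->true, headers_and->false]"
)

def parse_headers(line):
    """Return {lower-cased header name: value} from the HDR: section."""
    m = re.search(r"HDR:(.*?), HIS:", line, re.S)
    if not m:
        return {}
    # Split only at ", " followed by "Name=", so values such as
    # "gzip,deflate" or the User-Agent string stay in one piece.
    pairs = re.split(r", (?=[\w-]+=)", m.group(1))
    return {k.strip().lower(): v for k, _, v in (p.partition("=") for p in pairs)}

def parse_history(line):
    """Return {block name: {rule name: matched?}} from the HIS: section."""
    his = line.partition("HIS:")[2]
    blocks = {}
    for name, rules in re.findall(r"\[([^\[\]]+?)->\s*RULES:\[([^\]]*)\]", his):
        blocks[name.strip()] = {
            r.rpartition("->")[0].strip(): r.rpartition("->")[2].strip() == "true"
            for r in rules.split(",") if "->" in r
        }
    return blocks

def failed_rules(line):
    """Per ACL block, the rules that evaluated to false."""
    return {b: [r for r, ok in rules.items() if not ok]
            for b, rules in parse_history(line).items()}

def missing_headers(line, wanted):
    """Headers the ACL expects (case-insensitive) that ES never received."""
    seen = parse_headers(line)
    return [w.lower() for w in wanted if w.lower() not in seen]

if __name__ == "__main__":
    print("failed rules:", failed_rules(SAMPLE))
    print("missing:", missing_headers(SAMPLE, ["X-Real-IP", "x-forwarded-for"]))
```

When the header named in a failing `headers` rule shows up in the missing list, the header was dropped before Elasticsearch, so the proxy or Kibana forwarding is the place to look rather than the ACL.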

I see errors in the Kibana logs:

    [ReadonlyREST][preElasticsearchProxy] Could not forward all whitelisted headers, left out: x-forwarded-for,x-passed-nginx,x-real-ip

We don’t have that code anymore in 1.43.0+. Plus, I tested this and it works as intended in the latest ROR. I suggest upgrading the ROR Kibana plugin.


Ok, let’s try now. I went to ask for the plugin to be sent.

Yes, thanks, it really works in the new version.