driveirk
(Ilya)
September 28, 2022, 10:33pm
1
Hello, I have 2 bundles
1) nginx-kibana-elasticsearch
2) nginx-elasticsearch
I am using the following config:
- name: "IP access"
  hosts: ["127.0.0.1"]
  headers: ["remote_ip:10.10.10.10"] # Permitted IP
  type: allow
  ldap_authentication:
    name: "ldap"
I can restrict access by IP in Elasticsearch like this.
But it doesn’t work for Kibana, because it substitutes its own IP, 127.0.0.1, and I am not let in. How can I solve this problem?
Version ROR Enterprise-1.39.0_es7.15.1
Version Kibana 7.15.1
Version ElasticSearch 7.15.1
sscarduzio
(Simone Scarduzio)
September 29, 2022, 7:08am
2
Hi Ilya,
If you have a reverse proxy in front of Kibana which is able to attach headers like x-forwarded-host to incoming requests, you could configure Kibana to forward headers to Elasticsearch using the elasticsearch.requestHeadersWhitelist setting in kibana.yml.
Then in your ACL you would have
...
headers: ["x-forwarded-host:10.10.10.10"] # Permitted IP
...
driveirk
(Ilya)
September 29, 2022, 9:22am
3
I tried that, but I still can’t login.
elasticsearch.requestHeadersWhitelist: ["authorization", "x-forwarded-for", "x-passed-nginx", "X-Real-IP"]
conf
- name: "IP access"
  hosts: ["127.0.0.1"]
  headers: ["X-Real-IP:10.10.10.10"]
  type: allow
  ldap_authentication:
    name: "ldap"
log
IP access-> RULES:[ldap_authentication->true, hosts->true, headers_and->false]
or
conf
- name: "IP access"
  x_forwarded_for: ["10.10.10.10"]
  headers: ["X-Real-IP:10.10.10.10"]
  type: allow
  ldap_authentication:
    name: "ldap"
log
[IP access-> RULES:[ldap_authentication->true, x_forwarded_for->false]
Maybe I didn’t learn something? Does this method work for you?
driveirk
(Ilya)
September 29, 2022, 9:27am
4
I tried that too, didn’t help.
sscarduzio
(Simone Scarduzio)
September 29, 2022, 9:38am
5
In the ES logs, you can also see a “HDR:” section with all the headers and values received by ES. Have a look at what’s in there, maybe?
driveirk
(Ilya)
September 29, 2022, 10:15am
6
Oh, I don’t see these headers being passed at all.
HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=localhost:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, HIS:[Internal kibana account-> RULES:[auth_key->false]], [IP access-> RULES:[ldap_authentication->true, hosts->true, headers_and->false]
driveirk
(Ilya)
September 29, 2022, 10:28am
7
I see errors in Kibana logs
[ReadonlyREST][preElasticsearchProxy] Could not forward all whitelisted headers, left out: x-forwarded-for,x-passed-nginx,x-real-ip
sscarduzio
(Simone Scarduzio)
September 29, 2022, 10:33am
8
We don’t have that code anymore in 1.43.0+. Plus, I tested this and it works as intended in the latest ROR. I suggest upgrading the ROR Kibana plugin.
driveirk
(Ilya)
September 29, 2022, 10:37am
9
Ok, let’s try now. I went to ask for the plugin to be sent.
driveirk
(Ilya)
September 29, 2022, 2:57pm
10
Yes, thanks, it really works in the new version.
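The log check from posts 5 to 7, as an added example that is not part of the original thread or of ReadonlyREST: a small Python parser that reads the HDR: section of an Elasticsearch log line, reports which headers named in the ACL never arrived, and lists the rules that failed in a given block. It assumes the comma-separated `Name=value` layout seen in post 6; the function names and the sample line are constructed for illustration.

```python
import re

# Constructed sample, modelled on the ES log line quoted in post 6.
SAMPLE = ("HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, "
          "Connection=close, Host=localhost:9200, "
          "User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), "
          "content-length=0, HIS:[Internal kibana account-> RULES:[auth_key->false]], "
          "[IP access-> RULES:[ldap_authentication->true, hosts->true, headers_and->false]")

def parse_headers(line):
    """Return {lowercased header name: value} from the HDR: section."""
    m = re.search(r"HDR:(.*?)(?:, HIS:|$)", line)
    if not m:
        return {}
    section = m.group(1)
    # A header starts at the beginning or after ", " and looks like "Name=".
    # Values may contain commas (gzip,deflate), so split on header starts only.
    starts = list(re.finditer(r"(?:^|, )([A-Za-z][A-Za-z0-9-]*)=", section))
    headers = {}
    for i, s in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(section)
        headers[s.group(1).lower()] = section[s.end():end]
    return headers

def parse_rules(line):
    """Return {block name: {rule name: bool}} from the "-> RULES:[...]" entries."""
    blocks = {}
    for name, body in re.findall(r"\[([^\[\]]+)-> RULES:\[([^\]]*)\]", line):
        blocks[name] = {r: v == "true"
                        for r, v in re.findall(r"(\w+)->(true|false)", body)}
    return blocks

def diagnose(line, acl_headers, block):
    """Return (ACL headers missing from the request, failed rules of `block`)."""
    received = parse_headers(line)
    missing = [h for h in acl_headers if h.lower() not in received]
    failed = [r for r, ok in parse_rules(line).get(block, {}).items() if not ok]
    return missing, failed

if __name__ == "__main__":
    missing, failed = diagnose(SAMPLE, ["X-Real-IP", "x-forwarded-for"], "IP access")
    print("headers that never reached Elasticsearch:", missing)
    print("failed rules in 'IP access':", failed)
```

A header-based IP rule is only as trustworthy as the proxy that sets the header: nginx has to overwrite any client-supplied value, and Kibana and Elasticsearch should not be reachable except through that proxy.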