Using nginx reverse proxy for readonlyrest pro


#1

I would like to configure a reverse proxy for Kibana,
and I have installed ReadonlyREST PRO with it.

Without ROR PRO, the proxy works well,
but when I install ROR, it redirects to /login?nexturl=kibana…
and returns a 500 Internal Server Error.
I would like to ask how I should configure nginx to make the whole thing work… Thanks so much.

    location /kibana {
        # trailing '#' after the URL removed: nginx reads '#' as a comment start,
        # which would have swallowed the ';' and broken the directive
        proxy_pass http://localhost:5601/app/kibana;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache_bypass $http_upgrade;
    }

(Simone Scarduzio) #2

Hi @vannesa!

Are you planning to use the login/logout features of ROR PRO at all? Or do you delegate the auth entirely to the reverse proxy?


(Tyler Garner) #3

I have a similar setup and want to delegate everything to the reverse proxy. Is it possible to bypass the login page?


(Simone Scarduzio) #4

Not yet, but it’s a really good to-have. It will end up in the next release most likely!


(Simone Scarduzio) #5

UPDATE: The new release is going to be out before the weekend.


(Joe Chop) #6

Hi @sscarduzio, I’ve installed the new enterprise version. Do you have an example or new documentation on how to disable the Kibana login screen, so we can delegate everything to the reverse proxy?


(Simone Scarduzio) #7

Hi @jchop01!
Documentation is on its way. Meanwhile, you should simply add this to kibana.yml:

    readonlyrest_kbn.proxy_auth_passthrough: true
    readonlyrest_kbn.custom_logout_link: "http://..."

(Joe Chop) #8

@sscarduzio I’ve been doing some testing with the new enterprise version. Using your suggested config, I’m seeing this:

ValidationError: child “readonlyrest_kbn” fails because [child “custom_logout_link” fails because [“custom_logout_link” must only contain alpha-numeric characters]]

I’m running…

  • elasticsearch-5.5.3
  • kibana-5.5.3-darwin-x86_64
  • readonlyrest-1.16.12_es5.5.3.zip
  • readonlyrest_kbn_enterprise-1.16.12_es5.5.3.zip

Commenting out the readonlyrest_kbn.custom_logout_link will start Kibana.


(Simone Scarduzio) #9

Yep, this is the settings validator being too tight. I will fix it tomorrow morning and come back to you with a build.


(Joe Chop) #10

Thanks for the update. Moving on with my testing, I was trying to set up basic static user-to-group mapping with the reverse proxy. I’m setting the X-Forwarded-User header, and the login is being bypassed as expected! Thanks for that!

However, I’m seeing groups I’m not supposed to see.

For example, when admin logs in, I’m seeing simone’s group that admin doesn’t belong to (InfoSec).
Is this a configuration issue, or a bug?

Sample configuration:

readonlyrest:
  enable: true
  prompt_for_basic_auth: false

  audit_collector: true

  access_control_rules:

  # MACHINES ##################
  - name: "::Kafka::"
    auth_key: kafka:kafka123

  - name: "::LOGSTASH::"
    auth_key: logstash:logstash
    actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["logstash-*"]

  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error


  # GROUPS ####################

  - name: "::PERSONAL_GRP::"
    groups: ["Personal"]
    kibana_access: rw
    kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
    kibana_index: ".kibana_@{user}"   # reconstructed: the forum's email obfuscation garbled the ".kibana_@" prefix; ROR's per-user @{user} variable assumed

  - name: "::ADMIN_GRP::"
    groups: ["ROR (admin)"]
    kibana_access: admin

  - name: "::Infosec::"
    groups: ["Infosec"]
    kibana_access: rw
    kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
    kibana_index: ".kibana_infosec"


  # USERS TO GROUPS ############
  users:
  - username: admin
    proxy_auth: ["*"]
    groups: ["ROR (admin)", "Infosec"]

  - username: simone
    proxy_auth: ["*"]
    groups: ["ROR (admin)", "Personal", "Infosec"]

Kibana (kibana.yml):

elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
elasticsearch.requestHeadersWhitelist: [ authorization, "X-Forwarded-User" ]
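A complete nginx server block for the setup discussed in posts #1, #7 and #10, as an added example (not configuration from this thread or from the ReadonlyREST project): nginx authenticates the user itself and stamps X-Forwarded-User, Kibana runs with the readonlyrest_kbn.proxy_auth_passthrough: true setting from post #7 and the elasticsearch.requestHeadersWhitelist from post #10, and ROR on Elasticsearch resolves the user through a proxy_auth rule and the users section as in post #10. The host name, certificate paths, the htpasswd file and HTTP basic auth as the proxy-side mechanism are assumptions for illustration; any other method that lets nginx decide who the user is (auth_request against an SSO proxy, client certificates) slots into the same place.

```nginx
# Added example, not from the thread. Assumptions: Kibana on 127.0.0.1:5601,
# credentials in /etc/nginx/kibana.htpasswd, placeholder host and cert paths.

upstream kibana {
    server 127.0.0.1:5601;
}

# Standard nginx idiom: send "Connection: upgrade" only for WebSocket requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name kibana.example.com;                    # placeholder

    ssl_certificate     /etc/nginx/certs/kibana.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/certs/kibana.key;

    # Mount Kibana at "/". The thread's "location /kibana -> /app/kibana" rewrite
    # maps only one path; /bundles, /elasticsearch, /api and the ROR /login
    # redirect live outside /app/kibana and never reach the proxy that way.
    # If a sub-path is required, set server.basePath in kibana.yml instead
    # (Kibana 5.x expects the proxy to strip that prefix before forwarding).
    location / {
        auth_basic           "Kibana";
        auth_basic_user_file /etc/nginx/kibana.htpasswd;

        proxy_pass         http://kibana;
        proxy_http_version 1.1;

        # Identity for ROR. proxy_set_header replaces whatever the client sent,
        # so the value always comes from the credentials nginx verified above.
        proxy_set_header X-Forwarded-User $remote_user;

        # auth_basic has consumed the browser's Authorization header; an empty
        # value tells nginx not to forward it, so Kibana's requestHeadersWhitelist
        # does not relay the proxy credentials to Elasticsearch.
        proxy_set_header Authorization "";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Long-lived / WebSocket connections
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Two things make this safe rather than merely convenient. First, proxy_set_header overwrites the inbound X-Forwarded-User, so the identity Elasticsearch sees is always the one nginx verified. Second, that guarantee only covers traffic that actually passes through nginx: the Elasticsearch-side ROR block that carries proxy_auth should be narrowed (for example with a hosts rule naming the Kibana server) and port 9200 should not be reachable by clients directly, because to Elasticsearch the header is just a string and ROR has no way to tell who put it there.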


#11

Sorry,
I do not want to create another topic and think that this is the most suitable place for my newbie question :)
I want to (and am trying to) use Okta SAML SSO with ROR, and for this I’m using okta-auth-proxy with Nginx (following the similar example provided in the repo) and Kibana on a single instance.
So the main question is: is this the correct ROR config/rule to allow access for any user who comes from the proxy side?

  - name: "ROOT"
    auth_key_sha256: 82b...3452c
    verbosity: error
  - name: "LOGSTASH"
    auth_key_sha256: bbd...903e
    actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["logs-*"]
    verbosity: error
  - name: "KIBANA-RW"
    auth_key_sha256: 5057...4602
    kibana_access: rw
    indices: [".kibana*", "logs-*"]
    verbosity: error
  - name: "KIBANA-RO"
    auth_key_sha256: 926b...94dd
    kibana_access: ro
    indices: [".kibana*", "logs-*"]
    verbosity: error
  - name: "OKTA"
    type: allow
    proxy_auth: "*"

Because at the moment it does not seem to work (infinite redirect loop).
Here is the okta-auth-proxy output:

I, [2017-11-02T19:47:46.880127 #5122]  INFO -- omniauth: (saml) Request phase initiated.
D, [2017-11-02T19:47:46.880956 #5122] DEBUG -- : Created AuthnRequest: <samlp:AuthnRequest AssertionConsumerServiceURL='http://kibana.example.com/auth/saml/callback?redirectUrl=/elasticsearch/_msearch' Destination='https://example.okta.com/app/example_kibana_1/exkh9f8pwn4SZI2pe0x7/sso/saml' ID='_8a9dcbab-db17-471a-b6a9-307ab18285b4' IssueInstant='2017-11-02T19:47:46Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'/></samlp:AuthnRequest>

And from Nginx:

[error] 5091#5091: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.44.254, server: _, request: "POST /elasticsearch/_msearch HTTP/1.1", upstream: "http://127.0.0.1:3311/elasticsearch/_msearch", host: "kibana.example.com", referrer: "http://kibana.example.com/app/kibana"

access.log:

192.168.44.254 - - [02/Nov/2017:19:53:51 +0000] "GET /auth/saml?redirectUrl=/elasticsearch/_msearch HTTP/1.1" 302 631 "http://kibana.example.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
192.168.44.254 - elastic [02/Nov/2017:19:54:52 +0000] "POST /elasticsearch/_msearch HTTP/1.1" 302 0 "http://kibana.example.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"

ROR/ES/KIBANA version - 5.6.3


(Simone Scarduzio) #12

Nginx says connection refused; the thing does not even reach Elasticsearch.


#13

Ok, it looks like there were issues with okta-auth-proxy. It works now.