Using nginx reverse proxy for readonlyrest pro

vannesa · September 27, 2017, 9:35am

I would like to configure reverse proxy for kibana,
and I have installed readonlyrest pro with it.

without ror pro, the proxy goes well.
but when i install ror, it will redirect to /login?nexturl=kiabna…
and return 500 internal server error.
I would like to ask if how should I configure the nginx to make the whole things working… Thanks so much.

    location /kibana {
    	   proxy_pass http://localhost:5601/app/kibana#;
    	   proxy_set_header Upgrade $http_upgrade;
    	   proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
       	proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      	proxy_cache_bypass $http_upgrade;
    }

sscarduzio · September 27, 2017, 10:40am

Hi @vannesa!

Are you planning to use the login/logout features of ROR PRO at all? Or you delegate the auth entirely to the rev proxy?

garnertb · October 10, 2017, 7:07pm

I have a similar setup and want to delegate everything to the reverse proxy. Is it possible to bypass the login page?

sscarduzio · October 11, 2017, 12:27pm

Not yet, but it’s a really good to have. It will end up in the next release most likely!

sscarduzio · October 24, 2017, 2:24pm

UPDATE: The new release is going to be out before the weekend.

jchop01 · October 28, 2017, 5:14am

Hi @sscarduzio, I’ve installed the new enterprise version. Do you have an example or new documentation on how to disable the Kibana login screen, so we can delegate everything to reverse proxy.

sscarduzio · October 30, 2017, 4:45am

Hi @jchop01!
Documentation is on its way. Meanwhile, you simply should add this to kibana.yml

readonlyrest_kbn.proxy_auth_passthrough: true 
readonlyrest_kbn.custom_logout_link: "http://..."

jchop01 · November 1, 2017, 1:01am

@sscarduzio I’ve been doing some testing with the new enterprise version. Using your suggested config, I’m seeing this:

ValidationError: child “readonlyrest_kbn” fails because [child “custom_logout_link” fails because [“custom_logout_link” must only contain alpha-numeric characters]]

I’m running…

elasticsearch-5.5.3
kibana-5.5.3-darwin-x86_64
readonlyrest-1.16.12_es5.5.3.zip
readonlyrest_kbn_enterprise-1.16.12_es5.5.3.zip

Commenting out the readonlyrest_kbn.custom_logout_link will start Kibana.

sscarduzio · November 1, 2017, 1:14am

Yep this is the settings validator being too tight. Will fix tomorrow morning and come back to you with a build.

jchop01 · November 1, 2017, 2:17am

Thanks for the update. Moving on with my testing, I was trying to setup basic static users to group mapping w/ reverse proxy. I’m setting the X-Forwarded-User header, and the login is being bypassed as expected! Thanks for that!

However, I’m seeing groups I’m not suppose to see.

For example, when admin logs in, I’m seeing simone’s group that admin doesn’t belong too (InfoSec).
Is this a configuration issue, or a bug?

Sample configuration:

readonlyrest:
  enable: true
  prompt_for_basic_auth: false

  audit_collector: true

  access_control_rules:

  # MACHINES ##################
  - name: "::Kafka::"
    auth_key: kafka:kafka123

  - name: "::LOGSTASH::"
    auth_key: logstash:logstash
    actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["logstash-*"]

  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error


  # GROUPS ####################

  - name: "::PERSONAL_GRP::"
    groups: ["Personal"]
    kibana_access: rw
    kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
    kibana_index: ".kibana_@{user}"

  - name: "::ADMIN_GRP::"
    groups: ["ROR (admin)"]
    kibana_access: admin

  - name: "::Infosec::"
    groups: ["Infosec"]
    kibana_access: rw
    kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
    kibana_index: ".kibana_infosec"


  # USERS TO GROUPS ############
  users:
  - username: admin
    proxy_auth: ["*"]
    groups: ["ROR (admin)", "Infosec"]

  - username: simone
    proxy_auth: ["*"]
    groups: ["ROR (admin)", "Personal", "Infosec"]

Kibana
elasticsearch.username: "kibana" elasticsearch.password: "kibana" elasticsearch.requestHeadersWhitelist: [ authorization, "X-Forwarded-User" ]

GoVale · November 2, 2017, 7:59pm

Sorry,
I do not want to create another topic and think that here is the most suitable place for my newbie question)
Want/trying to use Okta SAML SSO with ROR and for this I’m using okta-auth-proxy with Nginx (with similar example provided in repo) and Kibana on single instance.
So the main question is it correct ROR config/rule to allow access for any user which goes from proxy side?

  - name: "ROOT"
    auth_key_sha256: 82b...3452c
    verbosity: error
  - name: "LOGSTASH"
    auth_key_sha256: bbd...903e
    actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["logs-*"]
    verbosity: error
  - name: "KIBANA-RW"
    auth_key_sha256: 5057...4602
    kibana_access: rw
    indices: [".kibana*", "logs-*"]
    verbosity: error
  - name: "KIBANA-RO"
    auth_key_sha256: 926b...94dd
    kibana_access: ro
    indices: [".kibana*", "logs-*"]
    verbosity: error
  - name: "OKTA"
    type: allow
    proxy_auth: "*"

Because ATM it looks like does not want to work (infinite redirects loop)
Here okta-auth-proxy out:

I, [2017-11-02T19:47:46.880127 #5122]  INFO -- omniauth: (saml) Request phase initiated.
D, [2017-11-02T19:47:46.880956 #5122] DEBUG -- : Created AuthnRequest: <samlp:AuthnRequest AssertionConsumerServiceURL='http://kibana.example.com/auth/saml/callback?redirectUrl=/elasticsearch/_msearch' Destination='https://example.okta.com/app/example_kibana_1/exkh9f8pwn4SZI2pe0x7/sso/saml' ID='_8a9dcbab-db17-471a-b6a9-307ab18285b4' IssueInstant='2017-11-02T19:47:46Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'/></samlp:AuthnRequest>

And from Nginx:

[error] 5091#5091: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.44.254, server: _, request: "POST /elasticsearch/_msearch HTTP/1.1", upstream: "http://127.0.0.1:3311/elasticsearch/_msearch", host: "kibana.example.com", referrer: "http://kibana.example.com/app/kibana"

access.log:

192.168.44.254 - - [02/Nov/2017:19:53:51 +0000] "GET /auth/saml?redirectUrl=/elasticsearch/_msearch HTTP/1.1" 302 631 "http://kibana.example.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
192.168.44.254 - elastic [02/Nov/2017:19:54:52 +0000] "POST /elasticsearch/_msearch HTTP/1.1" 302 0 "http://kibana.example.com/app/kibana" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"

ROR/ES/KIBANA version - 5.6.3

sscarduzio · November 2, 2017, 8:03pm

Nginx says connection refused, the thing does not even reach elasticsearch.

GoVale · November 3, 2017, 3:12pm

Ok, looks like were issues with okta-auth-proxy. It works now.