readonlyrest-docs

Include limitations of proxy_auth directive for ES 6.1.0

Open canasdiaz opened this issue 6 years ago • 0 comments

It would be useful to include the limitations of using an Nginx proxy + Kibana setup with the open source version for ES 6.1.0. According to what I've seen, even when Kibana is configured to keep the x-forwarded-user header [1], it won't reach the ES server in all scenarios. E.g. when saving a visualization:

  • browser sends a POST petition to /api/saved_objects/visualization/blahblahblah
  • nginx redirects the petition to Kibana with the authentication header (after asking for user:pass)
  • Kibana sends a PUT petition to ES with the path /_template/kibana_index_template%3A.kibana and without the authentication header
  • user (header) does not reach ES so the content is not loaded due to wrong permissions

[1] kibana parameter elasticsearch.requestHeadersWhitelist: [ authorization, x-forwarded-user ]

Best, Luis

canasdiaz, Feb 15 '18 00:02
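
An added example, not part of the original issue and not ReadonlyREST's own code: a simplified Python model of a proxy_auth-style check applied to requests as they arrive at Elasticsearch, showing why the template PUT described above is rejected. The sample requests, the user name and all function names are constructed for illustration; only the header name and the `/_template` path come from the issue.

```python
from fnmatch import fnmatchcase

USER_HEADER = "x-forwarded-user"  # identity header named in the issue

# Constructed sample of requests reaching Elasticsearch while a visualization is
# saved. Only the /_template path is taken from the issue; the rest is assumed.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/.kibana/_search",
     "headers": {"X-Forwarded-User": "alice"}},
    {"method": "PUT", "path": "/_template/kibana_index_template%3A.kibana",
     "headers": {"Content-Type": "application/json"}},
    {"method": "GET", "path": "/.kibana/_mapping",
     "headers": {"x-forwarded-user": ""}},
]

def forwarded_user(headers):
    """Return the identity header value, or None when it is absent or blank.
    HTTP header names are case-insensitive, so the comparison is lowercased."""
    for name, value in headers.items():
        if name.lower() == USER_HEADER:
            return value.strip() or None
    return None

def proxy_auth_allows(request, allowed_users):
    """Simplified model (an assumption, not the plugin's code): the rule matches
    only if the header is present and its value matches an allowed pattern."""
    user = forwarded_user(request["headers"])
    if user is None:
        return False
    return any(fnmatchcase(user, pattern) for pattern in allowed_users)

def audit(requests, allowed_users):
    """Return (method, path, reason) for every request the rule would reject."""
    rejected = []
    for req in requests:
        if proxy_auth_allows(req, allowed_users):
            continue
        user = forwarded_user(req["headers"])
        reason = "no identity header" if user is None else f"user {user!r} not allowed"
        rejected.append((req["method"], req["path"], reason))
    return rejected

if __name__ == "__main__":
    for method, path, reason in audit(SAMPLE_REQUESTS, ["*"]):
        print(f"REJECT {method} {path}: {reason}")
```

Running the same audit over requests captured on the Elasticsearch side of a real deployment lists which Kibana operations arrive without the header and therefore cannot be authorized by the proxy-supplied identity alone.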