readonlyrest-docs
readonlyrest-docs copied to clipboard
Include limitations of proxy_auth directive for ES 6.1.0
It would be useful to include the limitations of using a Nginx proxy + Kibana setup with the open source version for ES 6.1.0. According to what I've seen, even when Kibana is configured to keep the x-forwarded-user header [1], it won't reach the ES server in all scenarios. E.g when saving a visualization:
- browser sends a POST petition to /api/saved_objects/visualization/blahblahblah
- nginx redirects the petition to Kibana with the authentication header (after asking for user:pass)
- Kibana sends a PUT petition to ES with the path /_template/kibana_index_template%3A.kibana and without the authentication header
- user (header) does not reach ES so the content is not loaded due to wrong permissions
[1] kibana parameter elasticsearch.requestHeadersWhitelist: [ authorization, x-forwarded-user ]
Best, Luis