Version: 6.x-25
This is an older version of Search Guard. Switch to Latest version
This is an older version of Search Guard. Switch to Latest version
Community
Using Kibana with Proxy authentication
Activate proxy authentication by adding the following to kibana.yml
:
For v13 and below:
searchguard.basicauth.enabled: false
For v14 and above:
searchguard.auth.type: "proxy"
For v17 and above it’s also possible to use:
searchguard.auth.type: "proxycache"
# The header that identifies the user - (required, no default)
searchguard.proxycache.user_header: x-proxy-user
# The header that identifies the user's role(s) - (required, no default)
searchguard.proxycache.roles_header: x-proxy-roles
# HTTP header field which the proxy uses to forward the IP chain to the endpoint, usually x-forwarded-for.
# (optional, default: x-forwarded-for)
#searchguard.proxycache.proxy_header: x-forwarded-for
# IP where Kibana is running on - (required, no default)
# Used to add it to the x-forwarded-for IP chain (see above)
# This IP must be added as trusted IP in sg_config.yml under
# searchguard.dynamic.http.xff.internalProxies.
# It's also possible to us a environment variable here like ${IP_ADDRESS}
searchguard.proxycache.proxy_header_ip: "127.0.0.1"
# Redirect to this URL if the user isn't authenticated - (optional, no default)
#searchguard.proxycache.login_endpoint: "https://login.sso.company.com"
which works similar to “proxy” auth but only transmit the headers once by storing them in a cookie.
Whitelist the proxy headers
Make sure to whitelist all HTTP headers set by your proxy in the header whitelist in kibana.yml, leaving Authorization
intact:
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
Note that the Search Guard proxy authenticator requires the x-forwarded-for
header to function properly.
Configuration example
copy
# v13 and below: Disable HTTP Basic Authentication
searchguard.basicauth.enabled: false
# v14 and above: Enable Proxy
searchguard.auth.type: "proxy"
# Use HTTPS instead of HTTP
elasticsearch.hosts: ["https://<hostname>.com:<http port>"]
# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
# Disable SSL verification when using self-signed demo certificates
elasticsearch.ssl.verificationMode: none
# Whitelist basic headers and multi tenancy header
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
Elasticsearch configuration
If you’re using HTTP Basic Authentication and the internal user database for the Kibana server user, make sure that both authentication domains are active in sg_config.yml
:
proxy_auth_domain:
enabled: true
order: 0
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
basic_internal_auth_domain:
enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
...