Version: 7.x-41.0.0
This is an older version of Search Guard. Switch to Latest version
Community
Kibana Proxy authentication
Activate proxy authentication by adding the following to kibana.yml:
searchguard.auth.type: "proxy"
Whitelist the proxy headers
Make sure to whitelist all HTTP headers set by your proxy in the header whitelist in kibana.yml, leaving Authorization intact:
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
Note that the Search Guard proxy authenticator requires the x-forwarded-for header to function properly.
Configuration example
# Enable Proxy
searchguard.auth.type: "proxy"
# Use HTTPS instead of HTTP
elasticsearch.hosts: "https://<hostname>.com:<http port>"
# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
# Disable SSL verification (only for self-signed demo certificates; keep verification enabled in production)
elasticsearch.ssl.verificationMode: none
# Whitelist basic headers and multi tenancy header
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
Elasticsearch configuration
If you’re using HTTP Basic Authentication and the internal user database for the Kibana server user, make sure that both authentication domains are active in sg_config.yml:
proxy_auth_domain:
  enabled: true
  order: 0
  http_authenticator:
    type: proxy
    challenge: false
    config:
      user_header: "x-proxy-user"
      roles_header: "x-proxy-roles"
  authentication_backend:
    type: noop
basic_internal_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: false
...
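The header whitelist in kibana.yml has to cover the header names configured for the proxy authenticator in sg_config.yml, plus Authorization and x-forwarded-for. The following check is an added example, not part of Search Guard or its documentation; the function names, the finding strings and the sample inputs are assumptions made for illustration, and it expects the whitelist in the double-quoted list form shown above.

```python
import json
import re

# Headers the page says must always pass through Kibana.
ALWAYS_REQUIRED = {"authorization", "x-forwarded-for"}

def parse_flat_yaml(text):
    """Parse flat `key: value` lines as used in kibana.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings

def check_proxy_auth(kibana_yml, sg_config_yml):
    """Return findings; an empty list means both files agree."""
    cfg = parse_flat_yaml(kibana_yml)
    findings = []
    if cfg.get("searchguard.auth.type", "").strip("\"'") != "proxy":
        findings.append("searchguard.auth.type is not proxy")
    # Assumes the flow-style, double-quoted list shown on the page.
    allowed = {h.lower() for h in json.loads(
        cfg.get("elasticsearch.requestHeadersWhitelist", "[]"))}
    needed = set(ALWAYS_REQUIRED)
    pattern = r'^\s*(?:user_header|roles_header):\s*"?([^"\s#]+)"?'
    for match in re.finditer(pattern, sg_config_yml, re.M):
        needed.add(match.group(1).lower())
    findings += [f"header not whitelisted: {h}" for h in sorted(needed - allowed)]
    if cfg.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append("TLS verification disabled")
    return findings

# Constructed sample inputs (not taken from a real deployment).
SG_CONFIG = '''
proxy_auth_domain:
  http_authenticator:
    type: proxy
    config:
      user_header: "x-proxy-user"
      roles_header: "x-proxy-roles"
'''
KIBANA_BAD = '''
searchguard.auth.type: "proxy"
elasticsearch.hosts: "https://es.example.com:9200"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-proxy-user" ]
'''

if __name__ == "__main__":
    for finding in check_proxy_auth(KIBANA_BAD, SG_CONFIG):
        print(finding)
```

Header names are compared case-insensitively, so "Authorization" in the whitelist satisfies the requirement.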