Version: 7.x-53.4.0
Community
Kibana Proxy authentication
Activate proxy authentication by adding the following to kibana.yml
:
searchguard.auth.type: "proxy"
Whitelist the proxy headers
Make sure to whitelist all HTTP headers set by your proxy in the header whitelist in kibana.yml, leaving Authorization
intact:
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
Note that the Search Guard proxy authenticator requires the x-forwarded-for
header to function properly.
Configuration example
copy
# Enable Proxy
searchguard.auth.type: "proxy"
# Use HTTPS instead of HTTP
elasticsearch.hosts: "https://<hostname>.com:<http port>"
# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
# Disable SSL verification when using self-signed demo certificates
elasticsearch.ssl.verificationMode: none
# Whitelist basic headers and multi tenancy header
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
Elasticsearch configuration
If you’re using HTTP Basic Authentication and the internal user database for the Kibana server user, make sure that both authentication domains are active in sg_config.yml
:
proxy_auth_domain:
enabled: true
order: 0
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
basic_internal_auth_domain:
enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
...