Version: 7.x-35.0.0

Using Kibana with Proxy authentication

Activate proxy authentication by adding the following to kibana.yml:

searchguard.auth.type: "proxy"

It’s also possible to use:

searchguard.auth.type: "proxycache"

# The header that identifies the user - (required, no default)
searchguard.proxycache.user_header: x-proxy-user

# The header that identifies the user's role(s) - (required, no default)
searchguard.proxycache.roles_header: x-proxy-roles

# HTTP header field which the proxy uses to forward the IP chain to the endpoint, usually x-forwarded-for. 
# (optional, default: x-forwarded-for)
#searchguard.proxycache.proxy_header: x-forwarded-for

# IP where Kibana is running on - (required, no default)
# Used to add it to the x-forwarded-for IP chain (see above)
# This IP must be added as trusted IP in sg_config.yml under 
# searchguard.dynamic.http.xff.internalProxies. 
# It's also possible to us a environment variable here like ${IP_ADDRESS}
searchguard.proxycache.proxy_header_ip: ""

# Redirect to this URL if the user isn't authenticated - (optional, no default)
#searchguard.proxycache.login_endpoint: ""

which works similar to “proxy” auth but only transmit the headers once by storing them in a cookie.

Whitelist the proxy headers

Make sure to whitelist all HTTP headers set by your proxy in the header whitelist in kibana.yml, leaving Authorizationintact:

elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]

Note that the Search Guard proxy authenticator requires the x-forwarded-forheader to function properly.

Configuration example


# Enable Proxy
searchguard.auth.type: "proxy"

# Use HTTPS instead of HTTP
elasticsearch.hosts: "https://<hostname>.com:<http port>"

# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

# Disable SSL verification when using self-signed demo certificates
elasticsearch.ssl.verificationMode: none

# Whitelist basic headers and multi tenancy header
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]

Elasticsearch configuration

If you’re using HTTP Basic Authentication and the internal user database for the Kibana server user, make sure that both authentication domains are active in sg_config.yml:

  enabled: true
  order: 0
    type: proxy
    challenge: false
      user_header: "x-proxy-user"
      roles_header: "x-proxy-roles"
    type: noop
  enabled: true
  order: 1
    type: basic
    challenge: false

Not what you were looking for? Try the search.