Kibana Proxy authentication
Proxy authentication depends on a proxy running in front of Kibana and adding the necessary authentication and authorization information to the headers of the HTTP requests.
To securely use proxy authentication with Kibana, you must ensure that Kibana is only available via the proxy and not via direct connections. If Kibana were available via direct connections, users could spoof authentication or authorization information.
To use proxy authentication, you need a proxy in front of Kibana, which adds authentication information to the HTTP requests.
Search Guard Backend Setup
To use proxy authentication with Kibana, you have to also set up a suitable authentication mechanism in the Search Guard backend configuration
The type of the setup depends on the information provided by the proxy in the HTTP headers:
- If the proxy transmits username and role information as plain headers, go for a trusted_origin authenticator in the backend. When configuring
sg_authc.yml, you need to make sure that you both include the IP of the outer proxy and the IP of Kibana, which also acts as a proxy in this case.
- If the proxy transmits authorization as a JWT in a header, go for a JWT authenticator in the backend.
Additionally, you need to edit the file
- Add the line
- Make sure to whitelist all HTTP headers set by your proxy in the header whitelist:
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-proxy-user", "x-proxy-roles" ]
You do not need to add the
x-forwarded-for header, as this is automatically handled by the Search Guard plugin. The Search Guard plugin acts here like Kibana is a proxy. This means:
- If there is no
x-forwarded-forheader, the Search Guard plugin adds the header and adds the IP of the host connecting to Kibana to the header value.
- If there is an
x-forwarded-forheader, the Search Guard plugin appends the IP of the host connecting to Kibana to the end of the header value.