Version: 6.x-23
Community

Using Kibana with Proxy authentication

Activate proxy authentication by adding the following to kibana.yml:

For v13 and below:

searchguard.basicauth.enabled: false

For v14 and above:

searchguard.auth.type: "proxy"

Whitelist the proxy headers

Make sure to whitelist all HTTP headers set by your proxy in the header whitelist in kibana.yml, leaving Authorizationintact:

elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]

Note that the Search Guard proxy authenticator requires the x-forwarded-forheader to function properly.

Configuration example

copy


# v13 and below: Disable HTTP Basic Authentication
searchguard.basicauth.enabled: false

# v14 and above: Enable Proxy
searchguard.auth.type: "proxy"

# Use HTTPS instead of HTTP
elasticsearch.url: "https://<hostname>.com:<http port>"

# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

# Disable SSL verification when using self-signed demo certificates
elasticsearch.ssl.verificationMode: none

# Whitelist basic headers and multi tenancy header
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]

Elasticsearch configuration

If you’re using HTTP Basic Authentication and the internal user database for the Kibana server user, make sure that both authentication domains are active in sg_config.yml:

proxy_auth_domain:
  enabled: true
  order: 0
  http_authenticator:
    type: proxy
    challenge: false
    config:
      user_header: "x-proxy-user"
      roles_header: "x-proxy-roles"
  authentication_backend:
    type: noop
basic_internal_auth_domain: 
  enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: false
    ...

Not what you were looking for? Try the search.