0

We decided to run a self-hosted kibana site with docker image kibana:5.1.1(to be compatible with the AWS elasticsearch version) due to security reasons.

However, after setting everything up, the kibana site is showing blank pages. Kibana log shows no error and curl to elasticsearch from inside the kibana instance gets the normal "you know, for search" response. Does anyone know what I'm missing?

Below is the kibana setting:

server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://some-es-instance.ap-northeast-1.es.amazonaws.com:80"
elasticsearch.preserveHost: true
kibana.index: ".kibana-dev"
kibana.defaultAppId: "discover"
elasticsearch.ssl.verify: false
elasticsearch.requestTimeout: 300000
elasticsearch.shardTimeout: 0
elasticsearch.startupTimeout: 5000
logging.quiet: true
logging.verbose: false

This instance is hosted in a private subnet behind an oauth2 proxy and elb. enter image description here

lingxiao
  • 1,214
  • 17
  • 33

2 Answers2

1

Turns out the oauth2 proxy is passing authorization headers to kibana and kibana by default passes this to elasticsearch. AWS elasticsearch, upon the existence of the authorization header, requires all requests to be signed with an IAM identity which I am not doing. Everything started working fine after I added the following to my kibana.yml:

elasticsearch.requestHeadersWhitelist: []
lingxiao
  • 1,214
  • 17
  • 33
0

I have been having a similar problem for the last few days. However, I eventually managed to fix the issue using nginx as a reverse proxy. nginx runs on an EC2 instance and connects directly to Kibana on AWS ES.

Try using the following nginx.conf file

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        listen 80;
        server_name localhost;

        # redirect /
        location = / {
             rewrite ^ /_plugin/kibana/ redirect;
        }

        location / {
            proxy_pass            https://<es-domain-url>.es.amazonaws.com;

            proxy_http_version 1.1;
            proxy_set_header Authorization "";
            proxy_hide_header Authorization;
            proxy_set_header  X-Forwarded-Proto $scheme;

            auth_basic            "Restricted";
            auth_basic_user_file  /etc/nginx/htpasswd.users;
        }
    }
}
Nik Ansell
  • 1