Comments (3)
Hi,
To access Amazon Elasticsearch, you need to sign your request and add an authorization header before you send the request to your ES cluster. The service will check the request headers and will either accept or reject the request.
If you are using only Elasticsearch (no Kibana), then this is an easy process because ES is API-based and accepts curl requests, so it is easy to sign the request before sending it to the service.
Now things become complicated when we want to use Kibana, because Kibana is a web app that is downloaded to your browser and runs from it.
Basically, you cannot pre-sign every request for Kibana because these requests are generated from your browser, which makes it difficult to modify the request and add the authorization header.
In this case, aws-es-proxy comes in very handy, because all your requests go to the proxy, and the proxy takes care of the signing process. However, if you're using Kibana directly without the proxy, then you can't pre-sign the requests from your browser.
The documentation you pointed to tries to mitigate this by whitelisting Kibana access from specific IPs (regardless of whether the IP is from a machine you use or from a NAT gateway). If you check the examples in the documentation, you can see that it whitelists only the Kibana resource:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:123456789012:domain/mydomain/_plugin/kibana",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "198.51.100.4"
        }
      }
    }
  ]
}
```
The above means that if you access "https:///_plugin/kibana" from 198.51.100.4, then you can get through even without signing your requests. However, the above will not allow you to access Elasticsearch, so if you try the below, it should fail:
```sh
curl -s "https:///_cat/indices?v"
```
I hope the above answers your question, if not, please feel free to reply back.
Kind regards,
from aws-es-proxy.
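The signing step the comment above describes, written out as an added worked example (not code from aws-es-proxy itself): a standard-library-only Signature Version 4 signer that takes the `curl` request from the comment, builds the canonical request, the string to sign and the derived signing key, and sets the `Authorization` and `X-Amz-Date` headers the service checks. The domain endpoint `search-mydomain-abcdef.us-west-2.es.amazonaws.com`, the credentials `AKIDEXAMPLE` / `SECRETKEYEXAMPLE` and the function name `SignRequest` are placeholders chosen for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Credentials is a static IAM key pair plus an optional STS session token
// (ECS task roles hand out session credentials). Placeholder values only.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }

func hmacSHA256(key []byte, data string) []byte { h := hmac.New(sha256.New, key); h.Write([]byte(data)); return h.Sum(nil) }

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// canonicalQuery sorts parameters by name then value and RFC 3986-encodes them
// (space is %20, not "+"). A bare "?v", as in /_cat/indices?v, becomes "v=".
func canonicalQuery(q url.Values) string {
	esc := func(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }
	names := make([]string, 0, len(q))
	for k := range q {
		names = append(names, k)
	}
	sort.Strings(names)
	var parts []string
	for _, k := range names {
		vals := append([]string(nil), q[k]...)
		sort.Strings(vals)
		for _, v := range vals {
			parts = append(parts, esc(k)+"="+esc(v))
		}
	}
	return strings.Join(parts, "&")
}

// SignRequest adds X-Amz-Date (plus X-Amz-Security-Token when present) and the
// SigV4 Authorization header to req, binding method, path, query, the signed
// headers and the SHA-256 of body. It returns the Authorization value.
func SignRequest(req *http.Request, body []byte, creds Credentials, region string, now time.Time) string {
	const service = "es" // Amazon Elasticsearch Service domains are signed for "es"
	amzDate := now.UTC().Format("20060102T150405Z")
	dateStamp := amzDate[:8]
	req.Header.Set("X-Amz-Date", amzDate)
	signed := []string{"host", "x-amz-date"}
	if creds.SessionToken != "" {
		req.Header.Set("X-Amz-Security-Token", creds.SessionToken)
		signed = append(signed, "x-amz-security-token")
	}
	sort.Strings(signed)
	// Step 1: canonical request. Host is taken from req.Host, so the request
	// must be addressed to the domain endpoint the service itself will see.
	var canonHeaders strings.Builder
	for _, h := range signed {
		v := req.Host
		if h != "host" {
			v = strings.TrimSpace(req.Header.Get(h))
		}
		canonHeaders.WriteString(h + ":" + v + "\n")
	}
	signedHeaders := strings.Join(signed, ";")
	path := req.URL.EscapedPath()
	if path == "" {
		path = "/"
	}
	canonicalRequest := strings.Join([]string{req.Method, path, canonicalQuery(req.URL.Query()),
		canonHeaders.String(), signedHeaders, sha256Hex(body)}, "\n")
	// Step 2: string to sign, scoped to date/region/service so it cannot be replayed elsewhere.
	scope := dateStamp + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope,
		sha256Hex([]byte(canonicalRequest))}, "\n")
	// Step 3: derive the per-day signing key from the secret and sign.
	kDate := hmacSHA256([]byte("AWS4"+creds.SecretAccessKey), dateStamp)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	kSigning := hmacSHA256(kService, "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))
	auth := fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		creds.AccessKeyID, scope, signedHeaders, signature)
	req.Header.Set("Authorization", auth)
	return auth
}

func main() {
	// Constructed example: the curl request from the comment, signed with placeholder keys.
	req, _ := http.NewRequest("GET", "https://search-mydomain-abcdef.us-west-2.es.amazonaws.com/_cat/indices?v", nil)
	creds := Credentials{AccessKeyID: "AKIDEXAMPLE", SecretAccessKey: "SECRETKEYEXAMPLE"}
	fmt.Println(SignRequest(req, nil, creds, "us-west-2", time.Now()))
}
```

Three points worth keeping in mind when a proxy does this on the browser's behalf. The signature covers the body hash, so the proxy has to buffer each request body before forwarding it. The `Host` header and the date are signed, so the proxy must target the real domain endpoint and keep its clock in sync, or the service rejects the request. And every request that reaches the proxy is signed with the proxy's own IAM credentials, so whoever can talk to the proxy inherits those permissions; that is why something like the IP condition in the policy above, or an authenticating proxy in front, is needed.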
@abutaha hello and thanks for your response... My first language is not English, so I think you misunderstood some of my inquiry, sorry :).
The way we have it now works for curl and command requests, but what we need is Kibana, not the other pieces. This is working OK if we put the TLS termination on the nginx instance, but what we did in production is to put it in Docker and have the termination on an AWS ALB load balancer, so we stripped the TLS part of nginx and left everything else. Unfortunately Kibana is not working that way. We also added another proxy in front of aws-es-proxy for Okta. The point here is:
users auth with Okta, and then and only then can they access aws-es-proxy to get to Kibana.
This last piece also works if the Okta proxy and aws-es-proxy are on the same EC2 instance; on Docker we have them in two containers (we are using AWS ECS).
This is our Okta proxy:
https://github.com/dalehamel/okta-auth-proxy
So that is what is passing to aws-es-proxy.
Here is a similar nginx config:
https://github.com/dalehamel/okta-auth-proxy/blob/master/example/nginx.conf.example
Cheers
Too old to verify. Please open a new issue if this is still required.