
Comments (3)

abutaha avatar abutaha commented on May 31, 2024 1

Hi,

To access Amazon ElasticSearch, you need to sign your request and add an authorization header before you send the request to your ES cluster. The service will check the request headers and will either accept or reject the request.

If you are using only ElasticSearch (no Kibana), then this is an easy process because ES is API-based and accepts curl requests, so it is easy to sign the request before sending it to the service.

Now things become complicated when we want to use Kibana, because Kibana is a webapp that is downloaded to your browser and runs from it.
Basically, you cannot pre-sign every request for Kibana because these requests are being generated from your browser, which makes it difficult to modify the request and add the authorization header.

In this case, aws-es-proxy becomes very handy, because all your requests go to the proxy, and the proxy takes care of the signing process. However, if you're using Kibana directly without the proxy, then you can't pre-sign the requests from your browser.

The documentation you pointed to is trying to mitigate this by whitelisting Kibana access from specific IPs (regardless of whether the IP is from a machine you use or from a NAT-GW). If you check the examples mentioned in the documentation, you can see that it is whitelisting only the Kibana resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:123456789012:domain/mydomain/_plugin/kibana",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "198.51.100.4"
        }
      }
    }
  ]
}

The above means that if you access "https:///_plugin/kibana" from 198.51.100.4, then you can pass through even without signing your requests. However, the above will not allow you to access ElasticSearch, so if you try to do the below, it should fail.

curl -s "https:///_cat/indices?v"

I hope the above answers your question; if not, please feel free to reply back.

Kind regards,

from aws-es-proxy.
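The signing step the comment above describes, as an added example that is not part of the original thread or of the aws-es-proxy code: a minimal SigV4 signer for the `_cat/indices` request, producing the `X-Amz-Date` and `Authorization` headers that the proxy would otherwise add on the browser's behalf. The host name and credentials are constructed placeholders, and the signer assumes a query string that is already in canonical form.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

const service = "es" // signing name used for Amazon ES domains

// hmacSHA256 is one link in the SigV4 signing-key derivation chain.
func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}

// sha256Hex hashes a string and returns lowercase hex, as SigV4 requires.
func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// SignV4 returns the X-Amz-Date and Authorization header values for one request.
// query must already be canonical (sorted keys, URL-encoded); only host and
// x-amz-date are signed, which is enough for a plain GET to an ES domain.
func SignV4(method, host, path, query, body, accessKey, secretKey, region string, now time.Time) (amzDate, authorization string) {
	amzDate = now.UTC().Format("20060102T150405Z")
	dateStamp := amzDate[:8]
	signedHeaders := "host;x-amz-date"
	canonicalHeaders := "host:" + host + "\nx-amz-date:" + amzDate + "\n"
	canonicalRequest := strings.Join([]string{method, path, query, canonicalHeaders, signedHeaders, sha256Hex(body)}, "\n")
	scope := strings.Join([]string{dateStamp, region, service, "aws4_request"}, "/")
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)}, "\n")
	// Derive the signing key: kSecret -> kDate -> kRegion -> kService -> kSigning.
	kDate := hmacSHA256([]byte("AWS4"+secretKey), dateStamp)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	kSigning := hmacSHA256(kService, "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))
	authorization = fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s", accessKey, scope, signedHeaders, signature)
	return amzDate, authorization
}

func main() {
	// Constructed input: placeholder domain and placeholder (not real) credentials.
	now := time.Date(2024, 5, 31, 12, 0, 0, 0, time.UTC)
	amzDate, auth := SignV4("GET", "search-mydomain-EXAMPLE.us-west-2.es.amazonaws.com", "/_cat/indices", "v=", "", "AKIAEXAMPLEKEY", "EXAMPLESECRET", "us-west-2", now)
	fmt.Printf("curl -H 'X-Amz-Date: %s' -H 'Authorization: %s' 'https://search-mydomain-EXAMPLE.us-west-2.es.amazonaws.com/_cat/indices?v'\n", amzDate, auth)
}
```

A request sent without these headers, or with a date outside the service's clock-skew window, is the unsigned case the comment says should fail.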

r3k2 avatar r3k2 commented on May 31, 2024

@abutaha hello and thanks for your response... My first language is not English, so I think you misunderstood some of my inquiry, sorry :).
The way we have it now works for curl and command requests, but what we need is KIBANA, not the other pieces.. this is working ok if we put the TLS termination on the nginx instance... but what we did in production is to put it in docker and have the termination on an aws ALB load balancer.. so we stripped the TLS part of nginx and left everything else... but unfortunately kibana is not working that way... we also added another proxy in front of aws-es-proxy for okta.. the point here is:
users auth with okta.. then and only then can they access aws-es-proxy to get to kibana..

this last piece also works if the okta proxy and aws-es-proxy are in the same ec2 instance.. on docker we have it in two containers.. (we are using aws ECS)
this is our okta proxy:
https://github.com/dalehamel/okta-auth-proxy
so that is what is passing to aws-es-proxy
here is similar nginx config.
https://github.com/dalehamel/okta-auth-proxy/blob/master/example/nginx.conf.example
cheers

from aws-es-proxy.

abutaha avatar abutaha commented on May 31, 2024

Too old to verify. Please open a new issue if this is still required.

from aws-es-proxy.
