Issues with ELK behind Google Auth Proxy (double reverse proxies) #62
Comments
How about [nginx] > [GAP] > [Kibana]? Nginx will then be the SSL termination and that should fix your unsafe script error? Each reverse proxy doesn't really care if you send them to another proxy, it just adds more jumps and processing for each connection.
There have been a few options recently added to google-auth-proxy to make its proxying more flexible, but the way to do whatever you want (without re-implementing nginx in google-auth-proxy) is The first NGINX listen port can terminate ssl, and proxy some un-authed requests directly to various upstreams (or serve files directly) based on various rules nginx supports, and proxy all other requests to google-auth-proxy. The second NGINX listen port receives authed requests from google-auth-proxy, and can proxy them to various upstreams (or serve files directly) based on various rules nginx supports.
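The two-listener layout described in the comment above, as an added nginx sketch that is not part of the original thread or the project's README. The hostname, certificate and Kibana paths, the second access log name and the Elasticsearch URL patterns are assumptions, as are google-auth-proxy listening on 127.0.0.1:4180 and using port 8081 as its upstream.

```nginx
# Added example, not from the thread. Hostname, file paths and URL patterns
# are placeholders; google-auth-proxy is assumed to listen on 127.0.0.1:4180
# with its upstream set to http://127.0.0.1:8081/.

# Plain HTTP only redirects, so the app is never loaded over http://.
server {
    listen 80;
    server_name logs.example.com;
    return 301 https://$host$request_uri;
}

# First listener: public, terminates SSL, sends everything to google-auth-proxy.
server {
    listen 443 ssl;
    server_name logs.example.com;
    ssl_certificate     /etc/nginx/ssl/logs.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/logs.example.com.key;
    access_log /var/log/nginx/kibana.log;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
    }
}

# Second listener: loopback only. It receives requests that google-auth-proxy
# has already authenticated and does the URL-based routing.
server {
    listen 127.0.0.1:8081;
    access_log /var/log/nginx/kibana-authed.log;

    # Elasticsearch calls made by the Kibana UI (illustrative patterns).
    location ~ ^/(_aliases|_nodes|.*/_search|.*/_mapping)$ {
        proxy_pass http://127.0.0.1:9200;
    }

    # Kibana static files (assumed install path).
    location / {
        root /usr/share/kibana;
        index index.html;
    }
}
```

Binding the second listener to 127.0.0.1 keeps the routed backends reachable only through google-auth-proxy.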
The question is, what is nginx actually doing for you here? If it is just so you don't have 2 processes listening on :80 and you can have a nice host just follow the implementation in the Readme.md and that should be fine. (Put nginx at the front and then have GAP and finally whatever backend!)
Hi everyone, thanks so much for the multiple responses! Really appreciate it. The standard Elasticsearch + Fluentd + Kibana (EFK) stack does not offer encryption or authorization, so that is why the Google Auth Proxy makes a perfect fit to place in front of EFK. If you start from scratch with a very basic design it would look something like this (copied from Digital Ocean's guide: https://www.digitalocean.com/community/tutorials/elasticsearch-fluentd-and-kibana-open-source-log-search-and-visualization so basically adding https://github.com/bitly/google_auth_proxy in front of this EFK tutorial as a means of authorization, authentication and encryption with SSL):
General Flow:
Google Auth Config: include_recipe "google_auth_proxy"
Nginx Configs:
server { access_log /var/log/nginx/kibana.log;
server { listen 8081; access_log /var/log/nginx/kibana.log; location / { location ~ ^/aliases$ {
Password protected end points
location ~ ^/kibana-int/dashboard/.$ {
Hm any idea? "Double Reverse SSL Proxy with Nginx"... impossible? Or just insanely frustrating...
I just went through this exact debug process and got it working. Here's how:
This works great for me. If you try to do the URL filtering before GAP you'll run into all sorts of problems.
Thanks for the clear description on how to set this up @kcampos
Hi,
Thank you very much for providing the Google Auth Proxy code here on GitHub. I have things working pretty well for simple services, but it looks like things get a lot more complicated when you are trying to place a Google Auth Proxy in front of a service that already functions as a Reverse Proxy.
In my example, I created a new Elasticsearch, Fluentd and Kibana stack (EFK). This is very similar to ELK for those that do not know. Well, EFK actually uses Nginx as a reverse proxy so you can visit myexample.com via port 80 and get content back from Elasticsearch which runs on 9200.
Does anyone have experience adding a Google Auth Proxy in front of another service like ELK/EFK that already uses nginx as a reverse proxy? I'm not sure of the exact wording, but this sounds like "double reverse" proxying to me? What is the recommended way ahead for this? I can get the Auth Proxy to function (with SSL), however when the Kibana dashboard loads after successful OAuth you are required to click "load unsafe scripts" in order to get real EFK content...
I'd like to have the Google Auth Proxy configured with HTTPS and my EFK stack configured with HTTP if that makes sense.
Any help would be appreciated, thanks!
Matthew