Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to access kibana with /_plugin/kibana path #15

Closed
nikhilo opened this issue Apr 29, 2020 · 5 comments
Closed

Unable to access kibana with /_plugin/kibana path #15

nikhilo opened this issue Apr 29, 2020 · 5 comments

Comments

@nikhilo
Copy link

nikhilo commented Apr 29, 2020

I'm trying to access an ES domain inside of a VPC. I'm running this proxy on one of hosts which has a public IP and is inside of the same VPC.

docker run --rm -p 5601:8080 --name aws-sigv4-proxy kaggggggga/aws-sigv4-proxy -v

following paths work,

  • /
  • /_cat/indices
  • /_plugin/kibana/app/kibana#/home?_g=()

But this path doesn't work (which is supposed to take you to _plugin/kibana/app/kibana#/home?_g=()

  • `/_plugin/kibana/

I get following error

time="2020-04-29T17:13:44Z" level=error msg="error proxying request" message="{\"message\":\"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\"}"

Any idea what could be the problem ?
@bandesz
Copy link

bandesz commented Sep 14, 2020
edited
Loading

This is caused by the default http client following redirects and each new http call should be separately signed.

One way to fix this is to create a client with redirect handling disabled in main.go:

client := &http.Client{
  CheckRedirect: func(req *http.Request, via []*http.Request) error {
    return http.ErrUseLastResponse
  },
}

log.Fatal(
  http.ListenAndServe(*port, &handler.Handler{
    ProxyClient: &handler.ProxyClient{
      Signer: signer,
      Client: client,
      StripRequestHeaders: *strip,
      SigningNameOverride: *signingNameOverride,
      HostOverride: *hostOverride,
      RegionOverride: *regionOverride,
    },
  }),
)

@dfontenot
Copy link

Is it possible to get this update merged into mainline? I'm running into this same issue as well with the latest version. This proxy would be very helpful in accessing the Kibana instance that is set up with AWS Elasticsearch service instances.

@dekimsey
Copy link
Contributor

I too was hoping to use this to access the Elasticsearch Service. It works great for hitting ES from dumb (non-AWS signing aware) clients, but the Kibana access being broken is an issue. If this is an issue specifically for redirects, it sounds like a legitimate bug in the way signatures are being calculated by the sig proxy.

@dekimsey
Copy link
Contributor

Just confirming, I built a fork and the suggested solution by @bandesz works.

I know nothing about the implementation to recommend if it's a good solution, but it is a solution that works.

dekimsey added a commit to dekimsey/aws-sigv4-proxy that referenced this issue Feb 25, 2021
@dekimsey
Disable redirect handling
a101184 
This addresses the issue where a signed response may be a redirect.

Fixes awslabs#15
@dekimsey dekimsey mentioned this issue Feb 25, 2021
Merged
@ycourtois
Copy link

ycourtois commented Sep 7, 2021
edited
Loading

I have the same issue. Even if the suggested fix did the job, it would be great if it could be merged.

@sedflix sedflix mentioned this issue Aug 12, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dekimsey @dfontenot @bandesz @nikhilo @ycourtois