-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configuring Reporting when behind a reverse-proxy #18782
Comments
Feel free to close this issue if you feel it's wise to go the course of no longer recommending all users with Kibana hosted behind a reverse-proxy configure these settings to make Reporting go through the same reverse proxy. For us to without a doubt ensure that Reporting works when Kibana is behind a reverse-proxy, we should also be going through the reverse proxy. |
I can confirm it is possible to run Kibana behind a reverse proxy and use reporting without touching the When I first tried it (Kibana 7.0.0-snapshot, docker image), jobs were failing and I could tell by the awesome new logging that I was hitting the
I set the following environment variable for the Kibana service:
That gets Reporting to send the authentication headers to the Kibana host properly. |
In this comment, did you mean we should work with reverse proxy in a dev environment? |
I was trying to say that there are certain configurations of Kibana behind a reverse-proxy that require us to go through the reverse proxy for Reporting to work properly, so the safest definitive way to recommend that Reporting is configured in these scenarios is for us to set the xpack.reporting.kibanaServer.* settings. Otherwise, we'll likely want to enumerate the potential configurations that require this. |
Pinging @elastic/kibana-reporting-services (Team:Reporting Services) |
I think this is ready to close
I don't think this would work in all proxy and network configurations. The The way we've been tackling issues like this is to run self-checks at server startup, and log a descriptive warning or error if we find any problems. See for example: #53975 I've thought about having a server host check that actually would use Chromium to resolve the address, but it wasn't added because my implementation was a bad race-condition problem with the the legacy platform. |
When Kibana is hosted behind a reverse proxy, the administrator is required to input the proxy's hostname, protocol and port via the respective
xpack.reporting.server.*
kibana.yml settings. We need this information to generate the URL that we should visit from Reporting's headless browser to generate the necessary reports. Manually requiring users to input this information has been problematic, and mis-configuration is rather common.There's potential for us to provide the hostname, protocol and port via the job parameters when generating the report, but this opens us up to end-users being able to control the URL that the headless browser visits when generating the report, where they could potentially exploit a browser vulnerability to compromise the server that Kibana is running on.
A compromise between these two approaches would be to provide the hostname, protocol and port via the job parameters which are then validated via a white-list or the existing configuration options and throw an informative error message if these values don't match with the specific settings that the user must change.
The text was updated successfully, but these errors were encountered: