Kibana is logging basic authorzation header

[jcollie]

I'm reverse proxying Kibana behind nginx so that I can add SSL and basic authorization. Unless told otherwise, nginx will pass the authorzation header to Kibana, which will then log it. This can be avoided by telling nginx not to pass the authorization header (although in nginx there's a quirk in how the authorization header is handled which makes preventing the authorization header from being forwarded unintuitive). However, I think that Kibana should still avoid logging this header in case the person that configures the reverse proxy doesn't know to block that header.

[rashidkpc]

What version? Pretty sure this is fix in 4.2?

kibana/src/server/logging/index.js

Lines 46 to 52 in 209951b

	// I'm adding the default here because if you add another filter
	// using the commandline it will remove authorization. I want users
	// to have to explicitly set --logging.filter.authorization=none to
	// have it show up int he logs.
	filter: _.defaults(config.get('logging.filter'), {
	authorization: 'remove'
	})

[jcollie]

I'm using 4.2

[jcollie]

I checked my copy of the code and that block is missing.

[jcollie]

Looking at the history, it definitely appears that the patch that you mention did not make it into the 4.2.0 release. Around the time of 4.2.0-beta1 it looks like a 4.2 branch was created so patches applied to master after that didn't automatically make it into 4.2.

[jcollie]

Looks like this is addressed in #5036 , unfortunately the patches didn't make it into 4.2.

[rashidkpc]

Totally correct, doh!

[epixa]

This fix is now backported, so it's ready for 4.2.1.