Kibana Behind NGINX Proxy for Reporting (Failed Reporting with Security Enabled)

[ylasri]

I have deployed a local instance of Elasticsearch & Kibana (v7.10.0), OpenDistro (1.12.0)
I configured Kibana as follow :

server.host: "localhost"
server.port: 5601
server.name: "kibana-opendistro"
server.basePath: "/kibana"
server.rewriteBasePath: false

The the following configuration is used for NGINX

server {
    listen       80;
    server_name hostname;
      location /kbn {
	  proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_cache_bypass $http_upgrade;
	    proxy_pass  http://localhost:5601;
	    rewrite  /kbn/(.*)$ /$1 break;
	 }
}

I did some changes on the code (Forked from dev branch) to fix the issue #98 and i was able to get reporting working fine but only if securty is disabled

  log   [04:42:32.599] [info][opendistroReportsKibana][plugins] domain enables security, use session cookie to access
  log   [04:42:32.617] [info][opendistroReportsKibana][plugins] original queryUrl http://proxy_url/kbn/app/dashboards#/view/b95242e0-6358-11eb-910b-552879
6d05f3?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:'2020-02-01T04:42:47.894Z',to:'2021-02-01T04:42:47.895Z'))&_a=(description:'',filters:!(),fullScreenMode:!f,opt
ions:(hidePanelTitles:!f,useMargins:!t),query:(language:kuery,query:''),timeRestore:!t,title:TB,viewMode:view)
respons [04:42:32.638]  GET /app/dashboards 200 34ms - 9.0B
respons [04:42:32.697] [api] GET /bootstrap.js 200 35ms - 9.0B

If i enable security, the process through an timeout, in server side i get define a custom URL for proxy in kibana.ymk and that URL is used by headless chromium to get the report, but when security is enabled, the process does not work (Error 401)

Does anyone was able to get Reporting working when Kibana is behind a proxy like NGINGX and security is enabled ?

Regards

[ylasri]

Here is the error showing in Kibana console when security is enabled

  log   [05:07:49.841] [debug][server][Kibana][cookie-session-storage][http] Error: Unauthorized
respons [05:07:49.821]  POST /api/ui_metric/report 401 30ms - 9.0B
  log   [05:07:52.215] [debug][metrics] Refreshing metrics
  log   [05:07:52.428] [debug][server][Kibana][cookie-session-storage][http] Error: Unauthorized
respons [05:07:52.425]  POST /api/ui_metric/report 401 9ms - 9.0B

[ylasri]

  log   [05:11:30.554] [info][opendistroReportsKibana][plugins] domain enables security, use session cookie to access
  log   [05:11:30.570] [info][opendistroReportsKibana][plugins] original queryUrl http://proxy_url/kbn/app/visualize#/edit/d62e8a80-63ef-11eb-8197-7f757c6
d6e6d?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:'2020-02-01T05:11:45.797Z',to:'2021-02-01T05:11:45.798Z'))&_a=(filters:!(),linked:!f,query:(language:kuery,query
:''),uiState:(),vis:(aggs:!((enabled:!t,id:'1',params:(),schema:metric,type:count),(enabled:!t,id:'2',params:(field:payment_type,missingBucket:!f,missingBucketLabel:Missing,order:d
esc,orderBy:'1',otherBucket:!f,otherBucketLabel:Other,size:5),schema:segment,type:terms)),params:(addLegend:!t,addTooltip:!t,isDonut:!t,labels:(last_level:!t,show:!f,truncate:100,v
alues:!t),legendPosition:right,type:pie),title:save,type:pie))
respons [05:11:30.601]  GET /app/visualize 200 37ms - 9.0B
  log   [05:11:31.697] [debug][server][Kibana][cookie-session-storage][http] Clearing invalid session cookie
  log   [05:11:31.700] [debug][server][Kibana][cookie-session-storage][http] Error: Unauthorized
respons [05:11:31.694] [api] GET /bootstrap.js 200 21ms - 9.0B

[zhongnansu]

Hi,

• When security is enabled, reporting grabs the session cookie to access the url(dashboard, visulization), then genreate a report. You may try print some logs to see where went wrong. Related code

  kibana-reports/kibana-reports/server/routes/lib/createReport.ts

  Line 94 in b17f359

  let cookieObject: SetCookie | undefined;

• Could you share your idea or branch/code snippet on how do you resolve Access kibana.yml from plugin to read server.host, server.port and server.basePath #98 , we can probabaly work together to merge your code change into Open Distro.

[ylasri]

I did some debugging and i can see that the cookie is propagated to pupeeter process, but not sure what happen

I got this error

Failed to generate report: TimeoutError: waiting for selector ".visEditor__content" failed: timeout 600000ms exceeded

[zhongnansu]

That usually means it's not landing on the correct page, so puppeteer couldn't find the html element to do the screenshot.
There could be two causes for the issue.

1. someting is still wrong with passign the cookie, or the cookie expired so puppeteer redirects to the login page of Kibana.
2. Puppeteer starts doing screenshot before the correct page is fully loaded. Puppeteer needs to wait longer.

My suggestion is turn off the headless mode, so you can monitor how puppeteer launches a chromium and access the page, to see where it went wrong. Note: this requires the Choromium binary to support UI, currently only mac-version Chromium we released has UI. If you are not working on Mac, just try print more info while puppeteer is running

kibana-reports/kibana-reports/server/routes/utils/visual_report/visualReportHelper.ts

Line 63 in b17f359

const browser = await puppeteer.launch({

Mac-Chromium: https://github.com/opendistro-for-elasticsearch/kibana-reports/releases/download/chromium-1.12.0.0/chromium-macos-x64.zip

Change this to false to enable Chromium UI.

kibana-reports/kibana-reports/server/routes/utils/visual_report/visualReportHelper.ts

Line 64 in b17f359

headless: true,

[ylasri]

Thanks @zhongnansu for the hint
I managed to get it worked, it was an issue with the cookie, i had to add basePath to the path of the cookie

[zhongnansu]

@synapticiel No problem! Do you mind sharing some ideas on how you enabled the customized server.basePath, port and host, for reporting?

[ylasri]

HI @zhongnansu
Yes sure, I added my comments to #245 (comment)

[zhongnansu]

Thank you for your contribution. We just delivered a fix w.r.t #98. Please take a look