Closed sastorsl closed 3 months ago
@sastorsl Please check the following steps to set up a proxy server for OpenSearch Dashboards using the OIDC authentication type.
1. Install and configure the proxy server (Nginx):
/* Install Nginx */
% brew install nginx
% sudo nginx          // start the proxy server to check that it installed properly
% sudo nginx -s stop  // stop the proxy server
/* Modify the proxy configuration (nginx.conf) */
% cd /usr/local/etc/nginx
% sudo nano nginx.conf
------------------Nginx Configuration Start------------------------
http {
    upstream opensearch {
        server localhost:5601;    # OpenSearch Dashboards
        keepalive 15;
    }
    server {
        listen 8091;
        server_name localhost;
        location / {
            proxy_pass http://opensearch;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # proxy_set_header replaces any x-proxy-* header the client sent;
            # the backend trusts these values because they arrive from this proxy
            proxy_set_header x-proxy-user test;
            proxy_set_header x-proxy-roles test;
            #proxy_set_header x-proxy-ext-namespace my-namespace;
            root html;
            index index.html index.htm;
        }
    }
}
------------------Nginx Configuration End------------------------
/* Restart Proxy Server */
% sudo nginx
2. OpenSearch Dashboards configuration
/* Modify the configuration settings in config.yml (security plugin) */
http:
  anonymous_auth_enabled: false
  xff:
    enabled: true
    # Java regex matched against the connecting IP of the proxy (not host:port)
    internalProxies: '127\.0\.0\.1'   # Nginx proxy server (was 'localhost:8091')
    remoteIpHeader: 'x-forwarded-for'
authc:
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  proxy_auth_domain:
    description: "Authenticate via proxy"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: proxy
      challenge: false
      config:
        user_header: "x-proxy-user"
        roles_header: "x-proxy-roles"
    authentication_backend:
      type: noop
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 2
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: email
        roles_key: email
        openid_connect_url: **************
    authentication_backend:
      type: noop
/* Modify the configuration setting in opensearch_dashboards.yml */
opensearch_security.openid.base_redirect_url: "http://localhost:8091" # Nginx proxy server
3. IDP configuration (IDP: Okta)
/* Modify "Sign-in redirect URIs" */
% Sign-in redirect URIs: http://<Proxy Server>/auth/openid/login
Sorry for not responding earlier.
We are doing something like this, only using a socat proxy.
However, I consider this a workaround, not a good solution, so in my mind this issue should not be closed.
A good solution would be for OpenSearch Dashboards to support proxies directly. And the underlying software for Dashboards does have support for proxies.
Hello,
Any news about support for these settings? This is a blocking point for the use of OIDC in some environments.
Thanks
Dear,
I also have an issue when configuring an alert to a Slack channel. OpenSearch Dashboards is ignoring the system proxy. Pretty annoying.
If you are behind a proxy you need to add the configs below to your "/etc/opensearch/jvm.options" file:
-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=80 -Dhttps.proxyHost=proxy.example.com -Dhttps.proxyPort=80
Notifications work.
If you are behind a proxy you need to add the configs below to your "/etc/opensearch/jvm.options" file
This will apply to OpenSearch proper, but not to OpenSearch Dashboards, which the security-dashboards-plugin / OpenSearch Dashboards Security Plugin
I really need this
@DavidoRotho This PR was merged recently and will be released in 2.12 in January. https://github.com/opensearch-project/security-dashboards-plugin/pull/1650
Would this PR solve the issue?
https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/openid/routes.ts#L90 - setupRoutes, or better yet a common place, needs to support setting an https_proxy / proxy, such as squid and similar.
Again, this is for when OpenSearch Dashboards is installed with no direct internet access, but has to go through an explicitly defined proxy server.
opensearch-dashboards --> https_proxy --> OIDC-provider
There are quite a few issues regarding this floating around, such as https://github.com/nodejs/node/issues/8381
Different software, browsers, etc., have various options for how you configure this as an environment variable
http_proxy=<proxy-host>
https_proxy=<proxy-host>
HTTP_PROXY=<proxy-host>
HTTPS_PROXY=<proxy-host>
http.proxyHost=<proxy-host> # java
@sastorsl we are hitting this issue as well. The above solution that was posted by @aoguan1990 is unclear to me.
What is your current workaround to allow OIDC to reach out to login.microsoftonline.com when an https_proxy like squid is required?
+1 we have the same problem here
WORKAROUND: add hostAliases to OpenSearch Dashboards, see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ See e.g. https://github.com/fluxcd/source-controller/issues/131#issuecomment-769419918 for a similar discussion.
+1 we have the same problem here
To have proxy support, this code https://github.com/opensearch-project/security-dashboards-plugin/blob/2.14.0.0/server/auth/types/openid/openid_auth.ts#L179-L190 should use ProxyAgent instead of http.Agent or https.Agent. In this case the proxy env variables will have effect.
Is your feature request related to a problem? Please describe. When configuring OIDC, OpenSearch Dashboards needs to connect over https to our outside OIDC / OpenID Connect provider. When/if OpenSearch Dashboards is installed in a closed environment, all outside / internet connections have to go through an httpsProxy / SOCKS proxy.
For now I have not found documentation to support setting httpsProxy parameters for OpenSearch Dashboards.
Describe the solution you'd like Add support for setting httpsProxy / httpProxy for OpenSearch Dashboards, and documentation for the same.
Describe alternatives you've considered The current workaround we are using is local proxying with netcat + host aliases. Not a very nice solution, but it "works".
Additional context N/A