opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

Support httpsProxy in OpenSearch Dashboards for OIDC support #911

Closed sastorsl closed 3 months ago

sastorsl commented 2 years ago

Is your feature request related to a problem? Please describe. When configuring OIDC, OpenSearch Dashboards needs to connect over https to our outside OIDC / OpenID Connect provider. When / if OpenSearch Dashboards is installed in a closed environment, all outside / internet connections have to go through an httpsProxy / SOCKS proxy.

As of now I have not found documentation to support setting httpsProxy parameters for OpenSearch Dashboards.

Describe the solution you'd like Add support for setting httpsProxy / httpProxy for OpenSearch Dashboards. Documentation for the same.

Describe alternatives you've considered The current workaround we are using is local proxying with netcat + host aliases. Not a very nice solution, but it "works".

Additional context N/A

aoguan1990 commented 2 years ago

@sastorsl Please check the following steps to set up a proxy server for OpenSearch Dashboards using the OIDC authentication type.

Environments Used:

Configuration:

1. Install and Config Proxy Server (Nginx Proxy):

  /* Install Nginx */
  % brew install nginx
  % sudo nginx            # Start proxy server to validate proxy server installed properly
  % sudo nginx -s stop    # Stop proxy server

  /* Modify proxy configuration (nginx.conf) */
  % cd /usr/local/etc/nginx
  % sudo nano nginx.conf
  ------------------Nginx Configuration Start------------------------
  http {
      upstream opensearch {
        server localhost:5601;
        keepalive 15;
      }
      server {
          listen       8091;
          server_name  localhost;
          location / {
              proxy_pass http://opensearch;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header x-proxy-user test;
              proxy_set_header x-proxy-roles test;
              #proxy_set_header x-proxy-ext-namespace my-namespace;
              root   html;
              index  index.html index.htm;
          }
      }
  }
  ------------------Nginx Configuration End--------------------------

  /* Restart Proxy Server */
  % sudo nginx

2. OpenSearch Dashboards Configuration

   /* Modify Configuration Setting for config.yml */
      http:
        anonymous_auth_enabled: false
        xff:
          enabled: true
          internalProxies: 'localhost:8091' # Nginx Proxy Server
          remoteIpHeader:  'x-forwarded-for'
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          proxy_auth_domain:
            description: "Authenticate via proxy"
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: proxy
              challenge: false
              config:
                user_header: "x-proxy-user"
                roles_header: "x-proxy-roles"
            authentication_backend:
              type: noop
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 2
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: email
                roles_key: email
                openid_connect_url: **************
            authentication_backend:
              type: noop
    /* Modify Configuration Setting for opensearch_dashboards.yml */
       opensearch_security.openid.base_redirect_url: "http://localhost:8091" # Nginx Proxy Server

3. IDP Configuration (IDP: Okta)

    /* Modify ‘Sign-in redirect URIs’ */
    % Sign-in redirect URIs: http://<Proxy Server>/auth/openid/login

sastorsl commented 1 year ago

Sorry for not responding earlier.

We are doing something like this now, only using a socat proxy. However, I consider this a workaround, not a good solution, so in my mind this issue should not be closed.

A good solution would be that OpenSearch Dashboards supported proxies directly. And the underlying software for Dashboards does have support for proxies.

kogelc commented 1 year ago

Hello,

Any news about the support of these settings? This is a blocking point in the use of OIDC for some environments.

Thanks

BornTKill commented 1 year ago

Dear,

I also have an issue when configuring alerts to a Slack channel. OpenSearch Dashboards is ignoring the system proxy. Pretty annoying.

BornTKill commented 1 year ago

If you are behind a proxy you need to add the configs below to your “/etc/opensearch/jvm.options” file

-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=80 -Dhttps.proxyHost=proxy.example.com -Dhttps.proxyPort=80

Notifications work.

sastorsl commented 1 year ago

> If you are behind a proxy you need to add below configs to your “/etc/opensearch/jvm.options” file

This will apply to OpenSearch proper, but not to OpenSearch Dashboards, which the security-dashboards-plugin / OpenSearch Dashboards Security Plugin

BlaiseSaunders commented 10 months ago

I really need this

cwperks commented 10 months ago

@DavidoRotho This PR was merged recently and will be released in 2.12 in January. https://github.com/opensearch-project/security-dashboards-plugin/pull/1650

Would this PR solve the issue?

sastorsl commented 9 months ago

https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/openid/routes.ts#L90 - setupRoutes, or better yet, a common place, needs to support setting an https_proxy ++ proxy, such as squid and similar.

Again, this is for when OpenSearch Dashboards is installed with no direct internet access, but has to go through an explicitly defined proxy server.

opensearch-dashboards --> https_proxy --> OIDC-provider

There are quite a few issues regarding this floating around, such as https://github.com/nodejs/node/issues/8381

Different software, browsers, etc., have various options for how you configure this as an environment variable:

http_proxy=<proxy-host>
https_proxy=<proxy-host>
HTTP_PROXY=<proxy-host>
HTTPS_PROXY=<proxy-host>

http.proxyHost=<proxy-host>  # java

smbambling commented 9 months ago

@sastorsl we are hitting this issue as well. The above solution that was posted by @aoguan1990 is unclear to me.

What is your current workaround to allow OIDC to reach out to login.microsoftonline.com when an https_proxy like squid is required?

u72z commented 6 months ago

+1 we have the same problem here

sastorsl commented 6 months ago

WORKAROUND:

  1. Set up a socat proxy as a separate pod / container that proxies requests to your OIDC provider's hostname through the company / internal proxy (i.e. squid)
  2. Add an entry to hostAliases for OpenSearch Dashboards, see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/

See e.g. https://github.com/fluxcd/source-controller/issues/131#issuecomment-769419918 for a similar discussion.

mustafaocak commented 6 months ago

+1 we have the same problem here

uladzimir-tryputska commented 4 months ago

To have proxy support, this code https://github.com/opensearch-project/security-dashboards-plugin/blob/2.14.0.0/server/auth/types/openid/openid_auth.ts#L179-L190 should use ProxyAgent instead of HTTP.Agent or HTTPS.Agent. In this case the proxy env variables will have effect.