Secure Kibana using OAuth2 Proxy - dcm4che/dcm4chee-arc-light GitHub Wiki

Content

Overview

Run secured archive services and Elastic Stack on a single host explains securing access to Kibana using OAuth2 Proxy which shall allow only authorized users to access the audit messages and system logs with complete stack. Below configurations just highlight the OAuth2 Proxy specific part for independent tests.

Configuration

Oauth2-proxy can be configured via command line options, environment variables or config file (in decreasing order of precedence, i.e. command line options will overwrite environment variables and environment variables will overwrite configuration file settings).

Keycloak

  • Create a Confidential client in Keycloak and note down its Secret which shall be used below in OAuth2 Proxy docker configuration.

    with Audience Token Mapper audience:

OAuth2 Proxy

Configuring proxy for secured http

version: "3"
services:
  kibana-oauth:
    image: dcm4che/oauth2-proxy:7.5.1
    ports:
      - "8643:8643"
    restart: on-failure
    environment:
      OAUTH2_PROXY_HTTPS_ADDRESS: 0.0.0.0:8643
      OAUTH2_PROXY_PROVIDER: keycloak-oidc
      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
      OAUTH2_PROXY_UPSTREAMS: "http://kibana:5601"
      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://<docker-host>:8843/realms/dcm4che"
      OAUTH2_PROXY_REDIRECT_URL: "https://<docker-host>:8643/oauth2/callback"
      OAUTH2_PROXY_ALLOWED_ROLES: auditlog
      OAUTH2_PROXY_CLIENT_ID: kibana
      OAUTH2_PROXY_CLIENT_SECRET: changeit
      OAUTH2_PROXY_EMAIL_DOMAINS: "*"
      OAUTH2_PROXY_OIDC_EMAIL_CLAIM: "preferred_username"
      OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: "true"
      OAUTH2_PROXY_COOKIE_SECRET: T0F1dGhLaWJhbmFUZXN0cw==
      OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: "true"
      OAUTH2_PROXY_TLS_CERT_FILE: /etc/certs/cert.pem
      OAUTH2_PROXY_TLS_KEY_FILE: /etc/certs/key.pem
      OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR: /templates
    depends_on:
      - keycloak

Note :

  • OAUTH2_PROXY_OIDC_ISSUER_URL: "https://<docker-host>:8843/realms/dcm4che" applies only for Keycloak v18.0+ and if default KC_HTTP_RELATIVE_PATH is used.

  • If lower versions of Keycloak are used or if KC_HTTP_RELATIVE_PATH is set to /auth for Keycloak v18.0+, then OAUTH2_PROXY_OIDC_ISSUER_URL: "https://<docker-host>:8843/auth/realms/dcm4che"

  • OAUTH2_PROXY_TLS_CERT_FILE and OAUTH2_PROXY_TLS_KEY_FILE specifies path to TLS certificate and private key in Privacy-Enhanced Mail (PEM) format to use for TLS support. To avoid the security warning of Web Browsers connecting to Kibana via OAuth2 Proxy, replace the certificate provided in /etc/certs/cert.pem of the docker image:

    by a certificate whose Common Name and/or Subject Alt Name matches the host name and which is signed by a trusted issuer; bind mount the PEM files with the certificate and corresponding private key and adjust OAUTH2_PROXY_TLS_CERT_FILE and OAUTH2_PROXY_TLS_KEY_FILE to refer their paths inside of the container.

    • OAUTH2_PROXY_PROVIDER specifies the OAuth provider.
    • OAUTH2_PROXY_CLIENT_ID=kibana - specifies the Client ID used to authenticate to the Keycloak Server,
    • OAUTH2_PROXY_CLIENT_SECRET=<kibana-client-secret> - specifies the Client Secret used to authenticate to the Keycloak Authentication Server for Confidential type kibana client. The value should match with that used during keycloak container startup.
    • OAUTH2_PROXY_UPSTREAMS specifies Kibana http URL http://kibana:5601 as upstream endpoint.
    • OAUTH2_PROXY_REDIRECT_URL specifies the redirection URL for the Keycloak Authentication Server callback URL.
    • OAUTH2_PROXY_OIDC_ISSUER_URL specifies OpenID Connect issuer URL, wherein (8843) port refers to KC_HTTPS_PORT used on Keycloak container startup
    • OAUTH2_PROXY_ALLOWED_ROLES=auditlog - (keycloak-oidc) restrict logins to members of these roles (may be given multiple times)
    • OAUTH2_PROXY_EMAIL_DOMAINS as * specifies to authenticate any email.
    • OAUTH2_PROXY_OIDC_EMAIL_CLAIM="preferred_username" which OIDC claim contains the user's email (default "email")
    • OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL="true" specifies to not fail if an email address in an id_token is not verified
    • OAUTH2_PROXY_COOKIE_SECRET specifies the seed string for secure cookies (optionally base64 encoded).
    • OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY as true skip validation of certificates presented when using HTTPS providers. Alternatively, one may set OAUTH2_PROXY_PROVIDER_CA_FILES: /etc/certs/cacert.pem if certificate is to be validated using an authorized CA.
    • OAUTH2_PROXY_SKIP_PROVIDER_BUTTON is optional. If set to true, it will skip sign-in-page specifying Sign-on with Keycloak and directly show the Keycloak login page.
    • OAUTH2_PROXY_CUSTOM_TEMPLATES_DIR specifies the custom templates' directory location which contains the customized forbidden error page shown to unauthorized users on authentication. Note : OAuth2 proxy does not yet have a mechanism to only customize one of the templates (i.e. sign_in or error). Hence, if one wants to customize only one, both templates need to be still provided.

Note : Replace <docker-host> by the hostname of the docker host, which must be resolvable by your DNS server.

Verification

  • Access https://<docker-host>:8643. After accepting and proceeding with the certificate security warnings, this should redirect to Keycloak login page.

  • Login with the desired user credentials.

  • On successful authentication the Kibana home page is displayed.

⚠️ **GitHub.com Fallback** ⚠️