ES Proxy passing origin header #6484

Closed
w33ble opened this issue Mar 9, 2016 · 0 comments · Fixed by #6896

w33ble commented Mar 9, 2016

Part of the reason we have the /elasticsearch proxy in the first place is to avoid issues with CORS. However, we're passing the client's origin header along with the request, so CORS must still be configured on the ES side to handle requests, even those coming through the proxy.

I think we should probably be stripping the origin header at the very least.

To test this, simply enable CORS on the ES instance by adding the following to the elasticsearch.yml (or via config in esvm):

http.cors.enabled: true

Now requests from Kibana in dev mode will fail at the courier, because the origin header is not allowed (nothing is allowed by default).

[screenshot 2016-03-08 13 27 51]

The request fails because the client is https, and the server is http, and the origins no longer match. Setting http.cors.allow-origin: '*' in ES will fix this, but it shouldn't be required - the proxy should Just Work (tm).

@w33ble w33ble added bug Fixes for quality problems that affect the customer experience P1 labels Mar 9, 2016
@ycombinator ycombinator self-assigned this Apr 12, 2016
ycombinator added a commit to ycombinator/kibana that referenced this issue Apr 15, 2016
ycombinator added a commit that referenced this issue Apr 19, 2016
Only proxy whitelisted request headers to ES server upstream
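
The approach named in the fix commit above (forward only whitelisted request headers), sketched as an added example; this is not Kibana's code. `filterHeaders`, `DEFAULT_WHITELIST`, `upstreamAccepts` and the sample request are hypothetical, and `upstreamAccepts` is a simplified model of the CORS behaviour described in the issue, not Elasticsearch's implementation.

```javascript
// Hypothetical whitelist: the header names here are assumptions, not Kibana's defaults.
const DEFAULT_WHITELIST = ['authorization', 'content-type', 'accept'];

// Build the header set a proxy forwards upstream. Header names are
// case-insensitive, so both sides are compared in lower case. Anything not
// listed (Origin, Cookie, Referer, Host, ...) is dropped by default.
function filterHeaders(incoming, whitelist = DEFAULT_WHITELIST) {
  const allowed = new Set(whitelist.map((h) => h.trim().toLowerCase()).filter(Boolean));
  const forwarded = {};
  for (const [name, value] of Object.entries(incoming || {})) {
    if (value === undefined || value === null) continue;
    const key = name.toLowerCase();
    if (allowed.has(key)) forwarded[key] = value;
  }
  return forwarded;
}

// Simplified model of an upstream with CORS enabled: a request without an
// Origin header is not a CORS request and passes; one with an Origin header
// passes only if that origin is allowed (null = nothing allowed).
function upstreamAccepts(headers, allowOrigin = null) {
  const originKey = Object.keys(headers).find((k) => k.toLowerCase() === 'origin');
  if (!originKey) return true;
  if (allowOrigin === '*') return true;
  return headers[originKey] === allowOrigin;
}

// Constructed sample: what a browser sends to the proxy over https.
const browserRequest = {
  Host: 'localhost:5601',
  Origin: 'https://localhost:5601',
  Cookie: 'session=constructed-value',
  'Content-Type': 'application/json',
  Authorization: 'Basic constructed-credentials',
};

// Compare pass-through proxying with whitelist proxying.
function demo() {
  const filtered = filterHeaders(browserRequest);
  return {
    passthroughAccepted: upstreamAccepts(browserRequest),
    wildcardAccepted: upstreamAccepts(browserRequest, '*'),
    filteredAccepted: upstreamAccepts(filtered),
    forwardedNames: Object.keys(filtered).sort(),
  };
}
```

A whitelist also keeps browser-only headers such as `Cookie` from reaching the upstream, which a blacklist of just `Origin` would not.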