Support httpsProxy in OpenSearch Dashboards for OIDC support #911

Closed
sastorsl opened this issue Feb 26, 2022 · 14 comments · Fixed by #2024
Labels
enhancement New feature or request help wanted Extra attention is needed, need help from community triaged

Comments

@sastorsl
sastorsl commented Feb 26, 2022

Is your feature request related to a problem? Please describe.
When configuring OIDC, OpenSearch Dashboards needs to connect with https to our outside OIDC / OpenID Connect provider.
When / if OpenSearch Dashboards is installed in a closed environment, all outside / internet connections have to go through an httpsProxy / SOCKS proxy.

As of now I have not found / not found documentation to support setting httpsProxy parameters for OpenSearch Dashboards.

Describe the solution you'd like
Add support for setting httpsProxy / httpProxy for OpenSearch Dashboards.
Documentation for the same.

Describe alternatives you've considered
The current workaround we are using is local proxying with netcat + host aliases. Not a very nice solution, but "works".

Additional context
N/A

@sastorsl sastorsl added the enhancement New feature or request label Feb 26, 2022
@peternied peternied added the help wanted Extra attention is needed, need help from community label Mar 25, 2022
@aoguan1990
Contributor

@sastorsl Please check the following steps to set up a proxy server for OpenSearch Dashboards using the OIDC authentication type.

Environments Used:

  • Proxy Server: Nginx version 1.23.0
  • Identity Provider: Okta
  • OpenSearch: OpenSearch version 2.0

Configuration:

1. Install and Configure Proxy Server (Nginx Proxy):

  /* Install Nginx */
  % brew install nginx
  % sudo nginx          # Start proxy server to validate that it installed properly
  % sudo nginx -s stop  # Stop proxy server

  /* Modify proxy configuration (nginx.conf) */
  % cd /usr/local/etc/nginx
  % sudo nano nginx.conf
  ------------------Nginx Configuration Start------------------------
  http {
      # OpenSearch Dashboards listening on its default port
      upstream opensearch {
        server localhost:5601;
        keepalive 15;
      }
      server {
          listen       8091;
          server_name  localhost;
          location / {
              proxy_pass http://opensearch;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              # Identity headers read by the proxy_auth_domain in config.yml
              proxy_set_header x-proxy-user test;
              proxy_set_header x-proxy-roles test;
              #proxy_set_header x-proxy-ext-namespace my-namespace;
              root   html;
              index  index.html index.htm;
          }
      }
  }
  ------------------Nginx Configuration End--------------------------

  /* Restart Proxy Server */
  % sudo nginx

2. OpenSearch Dashboards Configuration

   /* Modify Configuration Setting for config.yml */
      http:
        anonymous_auth_enabled: false
        xff:
          enabled: true
          internalProxies: 'localhost:8091' # Nginx Proxy Server
          remoteIpHeader:  'x-forwarded-for'
      # authc is a sibling of http under config.dynamic, not a child of it
      authc:
        basic_internal_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 0
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: internal
        proxy_auth_domain:
          description: "Authenticate via proxy"
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: proxy
            challenge: false
            config:
              user_header: "x-proxy-user"
              roles_header: "x-proxy-roles"
          authentication_backend:
            type: noop
        openid_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 2
          http_authenticator:
            type: openid
            challenge: false
            config:
              subject_key: email
              roles_key: email
              openid_connect_url: **************
          authentication_backend:
            type: noop
    /* Modify Configuration Setting for opensearch_dashboards.yml */
       opensearch_security.openid.base_redirect_url: "http://localhost:8091" # Nginx Proxy Server

3. IDP Configuration (IDP: Okta)

    /* Modify ‘Sign-in redirect URIs’ */
    % Sign-in redirect URIs: http://<Proxy Server>/auth/openid/login

@sastorsl
Author

sastorsl commented Nov 3, 2022

Sorry for not responding earlier.

We are doing something like this now, only using a socat proxy.
However, I consider this a workaround, not a good solution, so in my mind this issue should not be closed.

A good solution would be that OpenSearch Dashboards supported proxy directly.
And the underlying software for dashboards does have support for proxies.

@cliu123 cliu123 reopened this Nov 3, 2022
@kogelc
kogelc commented Mar 8, 2023

Hello,

Any news about the support of these settings?
This is a blocking point in the use of OIDC for some environments.

Thanks

@BornTKill

Dear,

I also have an issue when configuring alerts to a Slack channel. OpenSearch Dashboards is ignoring the system proxy.
Pretty annoying.

@BornTKill

If you are behind a proxy you need to add below configs to your “/etc/opensearch/jvm.options” file

-Dhttp.proxyHost=proxy.example.com
-Dhttp.proxyPort=80
-Dhttps.proxyHost=proxy.example.com
-Dhttps.proxyPort=80

Notifications work.

@sastorsl
Author

If you are behind a proxy you need to add below configs to your “/etc/opensearch/jvm.options” file

This will apply to OpenSearch proper, but not to OpenSearch Dashboard which the security-dashboards-plugin / OpenSearch Dashboards Security Plugin

@BlaiseSaunders

I really need this

@cwperks
Member

cwperks commented Dec 13, 2023

@DavidoRotho This PR was merged recently and will be released in 2.12 in January. #1650

Would this PR solve the issue?

@sastorsl
Author

sastorsl commented Jan 2, 2024

https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/openid/routes.ts#L90 - setupRoutes, or better yet, a common place, needs to support setting an https_proxy ++ proxy, such as squid and similar.

Again, this is for when OpenSearch Dashboards is installed with no direct internet access, but has to go through an explicitly defined proxy server.

opensearch-dashboards --> https_proxy --> OIDC-provider

There are quite a few issues regarding this floating around, such as nodejs/node#8381

Different software, browsers, etc., have various options for how you configure this as an environment variable:

http_proxy=<proxy-host>
https_proxy=<proxy-host>
HTTP_PROXY=<proxy-host>
HTTPS_PROXY=<proxy-host>

http.proxyHost=<proxy-host>  # java

@smbambling

@sastorsl we are hitting this issue as well. The above solution that was posted by @aoguan1990 is unclear to me.

What is your current workaround to allow OIDC to reach out to login.microsoftonline.com when an https_proxy like squid is required?

@u72z

u72z commented Apr 9, 2024

+1 we have the same problem here

@sastorsl
Author

sastorsl commented Apr 9, 2024

WORKAROUND:

  1. Set up a socat proxy as a separate pod / container that proxies requests to your OIDC provider's hostname through the company / internal proxy (i.e. squid)
  2. Add an entry to hostAliases to OpenSearch Dashboards, see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/

See i.e. fluxcd/source-controller#131 (comment) for a similar discussion.

@mustafaocak

+1 we have the same problem here

@uladzimir-tryputska

uladzimir-tryputska commented Jun 21, 2024

To have proxy support, this code https://github.com/opensearch-project/security-dashboards-plugin/blob/2.14.0.0/server/auth/types/openid/openid_auth.ts#L179-L190 should use ProxyAgent instead of HTTP.Agent or HTTPs.Agent.
In this case the proxy env variable will take effect.
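
Added example, not code from the plugin or from any participant in this thread: a sketch of the decision a proxy-aware agent has to make for the OIDC requests discussed here, using the environment variable spellings listed in the Jan 2, 2024 comment and the proxy environment variable mentioned just above. The function names (`bypassesProxy`, `proxyForUrl`, `connectRequest`), the `NO_PROXY` handling, and all host names and credentials are assumptions made for illustration.

```javascript
// Added example, not plugin code. IPv6 literals in NO_PROXY are not handled.

// True when hostname:port is excluded from proxying by a NO_PROXY list.
function bypassesProxy(hostname, port, noProxy) {
  const host = hostname.toLowerCase();
  const entries = (noProxy || '').split(',').map((e) => e.trim().toLowerCase());
  return entries.filter(Boolean).some((entry) => {
    if (entry === '*') return true;
    const [name, entryPort] = entry.split(':');
    if (entryPort && entryPort !== String(port)) return false;
    const domain = name.replace(/^\*?\./, '');
    // Match the domain or a subdomain, never a bare string suffix,
    // so "cluster.local" does not exempt "notcluster.local".
    return host === domain || host.endsWith('.' + domain);
  });
}

// Proxy URL for targetUrl, or null for a direct connection.
// Lower-case variables are checked first (a choice made for this example).
function proxyForUrl(targetUrl, env) {
  const target = new URL(targetUrl);
  const scheme = target.protocol.slice(0, -1); // "http" or "https"
  const port = target.port || (scheme === 'https' ? '443' : '80');
  if (bypassesProxy(target.hostname, port, env.no_proxy || env.NO_PROXY)) return null;
  const raw = env[`${scheme}_proxy`] || env[`${scheme.toUpperCase()}_PROXY`];
  if (!raw) return null;
  return new URL(raw.includes('://') ? raw : `http://${raw}`); // allow bare host:port
}

// CONNECT request that opens a tunnel to an HTTPS target. TLS to the OIDC
// provider runs inside the tunnel, so the proxy only learns host:port.
function connectRequest(targetUrl, proxy) {
  const target = new URL(targetUrl);
  const authority = `${target.hostname}:${target.port || 443}`;
  const headers = { Host: authority };
  if (proxy.username) {
    const cred = [proxy.username, proxy.password].map(decodeURIComponent).join(':');
    headers['Proxy-Authorization'] = 'Basic ' + Buffer.from(cred).toString('base64');
  }
  const proxyPort = Number(proxy.port) || (proxy.protocol === 'https:' ? 443 : 80);
  return { host: proxy.hostname, port: proxyPort, method: 'CONNECT', path: authority, headers };
}

// Constructed sample environment; every host name and credential is made up.
const sampleEnv = {
  https_proxy: 'http://svc:s3cr%40t@proxy.corp.example:3128',
  NO_PROXY: 'localhost,.cluster.local,opensearch.internal.example:9200',
};
```

The object returned by `connectRequest` has the shape of Node's `http.request` options, and the `NO_PROXY` list keeps cluster-internal traffic from being sent to the outbound proxy.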

Manuelraa added a commit to Manuelraa/security-dashboards-plugin that referenced this issue Jul 9, 2024
Resolves: opensearch-project#911
Signed-off-by: manuelraa <kontakt@manuel-rapp.de>
Manuelraa added a commit to Manuelraa/security-dashboards-plugin that referenced this issue Jul 9, 2024
Resolves: opensearch-project#911
Signed-off-by: manuelraa <kontakt@manuel-rapp.de>
Manuelraa added a commit to Manuelraa/security-dashboards-plugin that referenced this issue Jul 18, 2024
Resolves: opensearch-project#911
Signed-off-by: manuelraa <kontakt@manuel-rapp.de>
Manuelraa added a commit to Manuelraa/security-dashboards-plugin that referenced this issue Jul 18, 2024
Resolves: opensearch-project#911
Signed-off-by: manuelraa <kontakt@manuel-rapp.de>
opensearch-trigger-bot bot pushed a commit that referenced this issue Jul 18, 2024
* feat: http proxy support for oidc

Resolves: #911
Signed-off-by: manuelraa <kontakt@manuel-rapp.de>

* chore: reduce code duplication for agent configuration

Signed-off-by: Manuelraa <kontakt@manuel-rapp.de>

---------

Signed-off-by: manuelraa <kontakt@manuel-rapp.de>
Signed-off-by: Manuelraa <kontakt@manuel-rapp.de>
(cherry picked from commit fe847af)
derek-ho pushed a commit that referenced this issue Jul 18, 2024
* feat: http proxy support for oidc

Resolves: #911
Signed-off-by: manuelraa <kontakt@manuel-rapp.de>

* chore: reduce code duplication for agent configuration

Signed-off-by: Manuelraa <kontakt@manuel-rapp.de>

---------

Signed-off-by: manuelraa <kontakt@manuel-rapp.de>
Signed-off-by: Manuelraa <kontakt@manuel-rapp.de>
(cherry picked from commit fe847af)

Co-authored-by: Manuelraa <manuel@bloodycrystals.de>