How do I use an NGINX proxy to access OpenSearch Dashboards from outside a VPC that's using Amazon Cognito authentication?

6 minute read
1

My Amazon OpenSearch Service cluster is in a virtual private cloud (VPC). I want to use an NGINX proxy to access OpenSearch Dashboards from outside of the VPC with Amazon Cognito authentication. How can I do this?

Short description

Use NGINX to configure an Amazon Elastic Compute Cloud (Amazon EC2) instance as a proxy server. The proxy server then forwards browser requests to Amazon Cognito and OpenSearch Dashboards.

Note: This solution works for native Amazon Cognito users only.

You can also use an SSH tunnel or Client VPN to access OpenSearch Dashboards from outside a VPC with Amazon Cognito authentication. For more information, see How can I access OpenSearch Dashboards from outside of a VPC using Amazon Cognito authentication?

Resolution

Important: Your OpenSearch Service domain is more secure when you restrict access to users in the VPC. Before you continue, be sure that this procedure doesn't violate your organization's security requirements.

1.    Create an Amazon Cognito user pool.

2.    Configure a hosted user pool domain.

3.    In the Amazon Cognito console navigation pane, choose Users and groups.

4.    Choose Create user and then complete the fields. Be sure to enter an email address, and then select the Mark email as verified check box.

5.    Choose the Groups tab and then choose Create group. For Precedence, enter 0. For more information, see Creating a new group in the AWS Management Console.

6.    Open the Amazon Cognito console again.

7.    Choose Manage Identity Pools, and then choose Create new identity pool.

8.    Enter a name for your identity pool, select the check box to Enable access to unauthenticated identities, and then choose Create Pool.

9.    When you're prompted for access to your AWS resources, choose Allow to create the two default roles associated with your identity pool. Create one default role for unauthenticated users, and then create the other default role for authenticated users.

10.    Configure your OpenSearch Service domain to use Amazon Cognito authentication for OpenSearch Dashboards: For Cognito User Pool, choose the user pool that you created. For Cognito Identity Pool, choose the identity pool that you created. For more information, see Get started with OpenSearch Service: Use Amazon Cognito for OpenSearch Dashboards access control.

11.    Configure your access policy so that it is a resource-based policy like the following:

{
     "Version": "2012-10-17",
     "Statement": [{
          "Effect": "Allow",
          "Principal": {
               "AWS": "arn:aws:iam::account-id:role/Cognito_identity-nameAuth_Role"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:region:aws-account-id:domain/domain-name/*"
     }]
}

You must update these values:
account-id: your AWS account ID
identity-name: the name of your Amazon Cognito identity pool
domain-name: the name of your OpenSearch Service domain
region: the Region where your OpenSearch Service domain resides, such as us-east-1

Note: The settings in this example apply to Amazon Linux 2 AMI. If you're using a different AMI, you might need to adjust your specific settings.

12.    Launch an EC2 instance into a public subnet of the same VPC of your OpenSearch Service domain. Make sure that the instance uses the same security group as your domain.

13.    (Optional) If you're not using a test environment, then allocate an Elastic IP address to associate with the instance that you created. For more information about allocating Elastic IP addresses, see Work with Elastic IP addresses.

14.    (Optional) If you're not using a test environment, then configure your DNS to resolve requests to the Elastic IP address. For more information about how to resolve requests with Amazon Route 53, see Configuring Route 53 to route traffic to an EC2 instance.

15.    Connect to your instance, and then install NGINX.

For instances launched with an Amazon Linux 2 AMI, use the following command:

$ sudo amazon-linux-extras install nginx1

16.    Get an SSL certificate from a certificate authority (CA) to configure SSL for NGINX.

Note: If you're using a test environment, generate a self-signed certificate instead. Note that it's a best practice to use only SSL certificates signed by a third-party certificate authority in your production environment.

17.    (Optional) If you're using a test environment with a self-signed certificate, then use the OpenSSL x509 command to generate a private key:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt

This command syntax generates cert.key, a private key for the self-signed SSL certificate.

18.    Navigate to the /etc/nginx/conf.d directory, and then create a file called default.conf. Modify the file with the following values: /etc/nginx/cert.crt: the path to your SSL certificate /etc/nginx/cert.key: the path to the private key that you generated for the SSL certificate my_domain_host: your OpenSearch Service endpoint my_cognito_host: your Amazon Cognito user pool domain (that you configured in Step 2).

You can use the sed command to assign my_cognito_host and my_domain_host as variables, instead of replacing them directly in the default.conf file. Also, make sure to use HTTPS, or you might encounter an error.

In this example, be aware of the following:

  • If your Amazon OpenSearch Service domain is running OpenSearch Service version 1.0+, then use the _dashboards endpoint.
  • If your Amazon OpenSearch Service domain is running Elasticsearch versions 5.x-7.x, then use the _plugin/kibana endpoint.

Important: The resolver parameter changes according to your VPC settings. The DNS resolver is located at your primary CIDR block's base IP plus two. For example, if you create a VPC with CIDR block 10.0.0.0/24, then your DNS resolver is located at 10.0.0.2.

server {
  listen 443;
  server_name $host;
  rewrite ^/$ https://$host/_dashboards redirect;
  resolver 10.0.0.2 ipv6=off valid=5s;
  set $domain_endpoint my_domain_host;
  set $cognito_host my_cognito_host;

  ssl_certificate           /etc/nginx/cert.crt;
  ssl_certificate_key       /etc/nginx/cert.key;

  ssl on;
  ssl_session_cache  builtin:1000  shared:SSL:10m;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
  ssl_prefer_server_ciphers on;

  location ^~ /_dashboards {

    # Forward requests to Dashboards
    proxy_pass https://$domain_endpoint;

    # Handle redirects to Cognito
    proxy_redirect https://$cognito_host https://$host;

    # Handle redirects to Dashboards
    proxy_redirect https://$domain_endpoint https://$host;

    # Update cookie domain and path
    proxy_cookie_domain $domain_endpoint $host;
    proxy_cookie_path ~*^/$ /_dashboards/;

    # Response buffer settings
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
  } 

  location ~ \/(log|sign|fav|forgot|change|saml|oauth2|confirm) {

    # Forward requests to Cognito
    proxy_pass https://$cognito_host;

    # Handle redirects to Dashboards
    proxy_redirect https://$domain_endpoint https://$host;

    # Handle redirects to Cognito
    proxy_redirect https://$cognito_host https://$host;

    proxy_cookie_domain $cognito_host $host;
  }
}

19.    (Optional) Use the sed command to assign the my_domain_host and my_cognito_host variables:

sudo sed -i 's/my_domain_host/vpc-cognito-private-xxxxxxxxxx.us-east-1.es.amazonaws.com/' /etc/nginx/conf.d/default.conf
sudo sed -i 's/my_cognito_host/dean-kumo-xxxxxxx.auth.us-east-1.amazoncognito.com/' /etc/nginx/conf.d/default.conf

Note: You don't have to replace my_domain_host and my_cognito_host in the /etc/nginx/conf.d/default.conf file.

20.    Use this command to restart NGINX.

$ sudo systemctl restart nginx.service

21.    Use your browser to access the NGINX IP or the DNS name. You're redirected to the Amazon Cognito log-in page.

22.    To log in to Dashboards, enter your user name and temporary password. Then, change your password when prompted, and log in again.


Related information

Using a proxy to access OpenSearch Service from Dashboards

How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?

I get a "User: anonymous is not authorized" error when I try to access my Amazon OpenSearch Service cluster

AWS OFFICIAL
AWS OFFICIALUpdated a year ago
2 Comments

Hi

Is this still working ? I've done all steps but when I sign in It will be redirected to the private domain's endpoint again, this address : vpc-XXXXXX.ap-southeast-2.es.amazonaws.com

is there any I can fix this issue?

Best Regards

replied 9 months ago