Designed to work as a forwardAuth proxy for Traefik (possibly others, like nginx, but not tested) in order to use LDAP/Active Directory for user access in Elasticsearch without paid subscription.
Request goes to Traefik
Traefik proxies it to Authelia in order to verify user
If it receives 200 forwards headers from Authelia to second auth -> kibana-auth-proxy
kibana-proxy-auth:
generates random password for local Kibana user (has nothing to do with LDAP password)
uses information from Authelia headers to create/update local user in Kibana + AD group/kibana roles mappings from config file
generates and passes back to Traefik header:
Authorization: Basic XXXYYYZZZZ
Traefik passes user to Kibana with Authorization header which has password already set by kibana-proxy-pass and logs him/her in :)
Passwords are meant to have short time span of life and are regenerated transparently for user while using Kibana