aws-proxy

Explore the function and security implications of the path white-listing when reverse proxying Kibana from the document root

Open cpliakas opened this issue 9 years ago • 1 comments

If you proxy Kibana from the document root, it still needs to reach back to a limited subset of endpoints in Elasticsearch's root.

See #2, specifically the changes in 074c2fa, for the hackery that allows us to proxy Kibana from the document root without getting nasty errors.

cpliakas avatar Aug 23 '16 20:08 cpliakas

Copying unique requests so far:

GET     /
GET     /?
GET     /bower_components/font-awesome/fonts/fontawesome-webfont.woff?v=4.2.0
GET     /bower_components/requirejs/require.js?_b=6103
GET     /config?_b=6103
GET     /images/initial_load.gif
GET     /images/no_border.png
GET     /index.js?_b=6103
GET     /.kibana-4/_mapping/*/field/_source
GET     /logstash-*/_mapping/field/*
GET     /_nodes
GET     /plugins/settings/sections/about/barcode.svg
GET     /require.config.js?_b=6103
GET     /styles/main.css?_b=6103
HEAD    /.kibana-4
POST    /.kibana-4/index-pattern/logstash-*
POST    /.kibana-4/index-pattern/_search
POST    /.kibana-4/__kibanaQueryValidator/_validate/query
POST    /.kibana-4/_mget
POST    /.kibana-4/search/_search
POST    /.kibana-4/visualization/_search
POST    /logstash-*/_msearch

cpliakas avatar Aug 24 '16 02:08 cpliakas
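
An added example, not code from the aws-proxy repository: a deny-by-default method and path allowlist built from the requests listed above, which rejects any path that is not already canonical so that dot segments cannot be used to reach other Elasticsearch endpoints. The names `allowed`, `exact` and `staticDirs`, and the split into exact entries and static asset directories, are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed from the requests listed in the issue. Elasticsearch endpoints
// are exact method+path pairs; the "*" characters are literal, as observed.
var exact = map[string]bool{
	"GET /": true, "GET /config": true, "GET /index.js": true,
	"GET /require.config.js": true, "GET /_nodes": true,
	"GET /.kibana-4/_mapping/*/field/_source":                true,
	"GET /logstash-*/_mapping/field/*":                       true,
	"HEAD /.kibana-4":                                        true,
	"POST /.kibana-4/index-pattern/logstash-*":               true,
	"POST /.kibana-4/index-pattern/_search":                  true,
	"POST /.kibana-4/__kibanaQueryValidator/_validate/query": true,
	"POST /.kibana-4/_mget": true, "POST /.kibana-4/search/_search": true,
	"POST /.kibana-4/visualization/_search": true, "POST /logstash-*/_msearch": true,
}

// Kibana static assets are GET-only and matched by directory prefix.
var staticDirs = []string{"/bower_components/", "/images/", "/plugins/", "/styles/"}

// allowed reports whether a request may be forwarded upstream. The query
// string is ignored; the percent-decoded path must already be canonical.
func allowed(method, target string) bool {
	u, err := url.ParseRequestURI(target)
	if err != nil || path.Clean(u.Path) != u.Path {
		return false // unparsable, or has "..", "." or "//" (raw or encoded)
	}
	if exact[method+" "+u.Path] {
		return true
	}
	for _, d := range staticDirs {
		if method == "GET" && strings.HasPrefix(u.Path, d) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(allowed("GET", "/index.js?_b=6103"))                // true
	fmt.Println(allowed("GET", "/images/%2e%2e/_cluster/settings")) // false
}
```

Path matching does not constrain request bodies: `_msearch` and `_mget` accept index names in the body unless Elasticsearch's `rest.action.multi.allow_explicit_index` is set to `false`.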