Kibana 4, Logstash dashboard: how do I require Nginx authentication when saving but allow anonymous views? - nginx

I would like to require auth_basic nginx authentication to save all kibana 4 dashboards but allow anyone to view dashboards without authentication.
I recently installed an ELK (Elasticsearch 1.4.5, Logstash 1:1.5.2-1, and Kibana 4.1.1) stack on Ubuntu 14.04 using a DigitalOcean tutorial.
Because Kibana uses browser-based JavaScript to send queries to Elasticsearch, I'm not sure how to figure out what to secure.
DigitalOcean provides an nginx config to fully secure access to kibana 4.
FILE:/etc/nginx/sites-available/default
server {
listen 80;
return 301 https://logstash.nyc.3top.com;
}
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
server_name logstash.example.com;
access_log /var/log/nginx/kibana.access.log;
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/htpasswd.users;
location / {
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Elastic provided an nginx sample config to accomplish this for Kibana 3 but not Kibana 4:
server {
listen *:80 ;
server_name kibana.myhost.org;
access_log /var/log/nginx/kibana.myhost.org.access.log;
location / {
root /usr/share/kibana3;
index index.html index.htm;
}
location ~ ^/_aliases$ {
proxy_pass http://127.0.0.1:9200;
proxy_read_timeout 90;
}
location ~ ^/.*/_aliases$ {
proxy_pass http://127.0.0.1:9200;
proxy_read_timeout 90;
}
location ~ ^/_nodes$ {
proxy_pass http://127.0.0.1:9200;
proxy_read_timeout 90;
}
location ~ ^/.*/_search$ {
proxy_pass http://127.0.0.1:9200;
proxy_read_timeout 90;
}
location ~ ^/.*/_mapping {
proxy_pass http://127.0.0.1:9200;
proxy_read_timeout 90;
}
# Password protected end points
location ~ ^/kibana-int/dashboard/.*$ {
proxy_pass http://127.0.0.1:9200;
proxy_read_timeout 90;
limit_except GET {
proxy_pass http://127.0.0.1:9200;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
}
}
location ~ ^/kibana-int/temp.*$ {
proxy_pass http://127.0.0.1:9200;
proxy_read_timeout 90;
limit_except GET {
proxy_pass http://127.0.0.1:9200;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
}
}
}
Does anyone know how to do this for Kibana 4?
Here are my config files for Elasticsearch and Kibana:
/etc/elasticsearch/elasticsearch.yml
network.host: localhost
/opt/kibana/config/kibana.yml
port: 5601
host: "localhost"
elasticsearch_url: "http://localhost:9200"
elasticsearch_preserve_host: true
kibana_index: ".kibana"
default_app_id: "discover"
request_timeout: 300000
shard_timeout: 0
verify_ssl: true
bundled_plugin_ids:
- plugins/dashboard/index
- plugins/discover/index
- plugins/doc/index
- plugins/kibana/index
- plugins/markdown_vis/index
- plugins/metric_vis/index
- plugins/settings/index
- plugins/table_vis/index
- plugins/vis_types/index
- plugins/visualize/index

You might need to leverage nginx's conditional capabilities to achieve this. This gist might be a good starting point. Let me know if this works for you.

Related

nginx kibana reverse proxy problem with location as /kibana

I am setting up an nginx reverse proxy in front of Kibana and have a problem with the location set to /kibana; if I use location /, it works.
Any suggestions or feedback? Thanks in advance.
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.rsa;
location /kibana/ {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd ;
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
The problem I get when I browse https://<nginx_server>/kibana is below:
{"statusCode":404,"error":"Not Found","message":"Not Found"}
I found the solution: the Kibana config needs to be changed, then it will work:
server.basePath: "/kibana"
server.rewriteBasePath: true

nginx reverse proxy "catch-all" location

EDIT: To be more clear, this is nginx version 1.13.8.
Take the following as an example nginx.conf file:
http {
upstream portal_backend {
server pc-loc43-01:15080;
}
upstream auth_backend {
server pc-loc43-01:16080;
}
server {
listen 9080 default_server;
server_name my-reverse-proxy;
location / {
auth_basic off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_pass http://portal_backend/;
}
location /auth {
auth_basic off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_pass http://auth_backend/auth;
}
}
}
I want to configure nginx to default to location / if it is unable to match the request to any of the locations, but I cannot find how to do this.
I don't see anything wrong with your code.
location / { is already the default location block for "unhandled" locations.
This would match all locations:
location / {
# ...
}
This would match the root only:
location = / {
# ...
}
This will match /auth and sub directories:
location /auth {
# ...
}
It must be related to how nginx does request matching -- somehow auth and authorize are too similar and it causes nginx problems (not a great explanation and maybe someone more experienced with nginx internals can chime in). The "solution" was to duplicate location / into location /authorize, so now the config file looks like:
...
location / {
auth_basic off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_pass http://portal_backend/;
}
location /authorize {
auth_basic off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_pass http://portal_backend/;
}
...
All the other routes work as I would have expected, e.g. /users, /customers, /whatever are all handled by location /

Nginx Reverse proxy with no DNS for multiple websites

I have two websites on a single ubuntu 16 server and I want to make them accessible by network using nginx reverse proxy and gunicorn (Gunicorn internally serves websites on 127.0.0.1:8000 and 127.0.0.1:8001).
Both websites will never have DNS pointing to my server and both must be running under port 80. So the question is: how can I set up a reverse proxy for these sites? I am in a situation where I can't catch the hostname or a different port in order for the user to enter a specific site.
My first_website.conf:
upstream first_website {
server unix:/var/www/first_website/first_website_env/run/gunicorn.sock
fail_timeout=0;
}
server {
listen 80;
# normally I would use different host name
# to check, which site user wants to retrieve.
server_name 123.12.34.789;
client_max_body_size 4G;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8001;
break;
}
}
}
An option would be to place the servers at different URL locations, for example:
upstream first_website {
server unix:/var/www/first_website/first_website_env/run/gunicorn.sock
fail_timeout=0;
}
server {
listen 80;
server_name 123.12.34.789;
client_max_body_size 4G;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /server1/ {
proxy_pass http://127.0.0.1:8000;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8000;
break;
}
}
location /server2/ {
proxy_pass http://127.0.0.1:8001;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8001;
break;
}
}
}
I believe that does the trick for you.

Nginx Error ("http" directive is not allowed here in /etc/nginx/sites-enabled/abc)

I am getting the below error while starting the Nginx service:
"http" directive is not allowed here in /etc/nginx/sites-enabled/abc:1
Here is my abc config
worker_processes 1;
error_log /usr/local/openresty/nginx/logs/lua.log debug;
events {
worker_connections 1024;
}
http {
upstream kibana {
server server1:30001;
server server2:30001;
keepalive 15;
}
server {
listen 8882;
location / {
ssl_certificate /etc/pki/tls/certs/ELK-Stack.crt;
ssl_certificate_key /etc/pki/tls/private/ELK-Stack.key;
ssl_session_cache shared:SSL:10m;
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/htpasswd.users;
proxy_pass http://kibana;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
}
}
}
FYI, I am creating this file in /etc/nginx/sites-available and linking it to /etc/nginx/sites-enabled. I create the link using the following command:
sudo ln -s /etc/nginx/sites-available/abc /etc/nginx/sites-enabled/abc
After the above command I can see a link has been created in the /etc/nginx/sites-enabled directory.
Please suggest what I am doing wrong.
Regards,
The http directive does not belong there.
In nginx.conf you already have the http directive:
http {
# ... log config ...
include /etc/nginx/sites-enabled/*; # <--- this line includes your files
# ... more config ...
server {
# ... default server ...
location / {
# index ...
# root ...
}
}
}
The files in your sites-enabled must only contain servers; the http directive is in the principal configuration.
I would try:
# events { } and worker_processes stay in the main nginx.conf; they are not allowed in an included file
upstream kibana {
server server1:30001;
server server2:30001;
keepalive 15;
}
error_log /usr/local/openresty/nginx/logs/lua.log debug;
server {
listen 8882;
location / {
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/htpasswd.users;
proxy_pass http://kibana;
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
}
ssl_certificate /etc/pki/tls/certs/ELK-Stack.crt;
ssl_certificate_key /etc/pki/tls/private/ELK-Stack.key;
ssl_session_cache shared:SSL:10m;
}
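The context rule behind this error can be checked before a reload. The following is an added example, not code from the thread: a small Python check that walks a file meant for sites-enabled and reports directives at brace depth 0 that nginx accepts only in the main context. The two sample files are shortened from the configs above and the function names are made up for this sketch.

```python
import re

# Directives nginx accepts only in the main context (top level of nginx.conf).
MAIN_ONLY = {"http", "events", "worker_processes", "user", "pid", "daemon",
             "master_process", "worker_rlimit_nofile", "load_module",
             "stream", "mail"}

# Quoted strings, structural characters, or bare words.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def top_level_directives(text):
    """Yield (line_no, name) for every directive at brace depth 0."""
    depth, at_start = 0, True
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]   # drop comments (samples have no quoted '#')
        for tok in TOKEN.findall(line):
            if tok in "{};":
                depth += {"{": 1, "}": -1, ";": 0}[tok]
                at_start = True        # next bare word starts a new directive
            else:
                if at_start and depth == 0:
                    yield line_no, tok
                at_start = False

def misplaced(text):
    """Directives that will fail when the file is included inside http { }."""
    return [(n, d) for n, d in top_level_directives(text) if d in MAIN_ONLY]

# Constructed samples, shortened from the question and the suggested fix.
ABC_FILE = """\
worker_processes 1;
error_log /usr/local/openresty/nginx/logs/lua.log debug;
events {
worker_connections 1024;
}
http {
upstream kibana { server server1:30001; }
server { listen 8882; }
}
"""
FIXED_FILE = """\
upstream kibana { server server1:30001; }
server {
listen 8882;
location / { auth_basic "Restricted Access"; proxy_pass http://kibana; }
}
"""

if __name__ == "__main__":
    for line_no, name in misplaced(ABC_FILE):
        print(f'line {line_no}: "{name}" directive is not allowed here')
```

`nginx -t` remains the authoritative check; the sketch only shows why the included file is rejected.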

Kibana dashboard couldn't connect with Nginx

Hi, I'm trying to use Nginx as a reverse proxy for accessing a Kibana 4 dashboard. The location of the dashboard is not available in the latest Kibana but it can be accessed using a URL.
Kibana and Nginx are both running locally, installed on a Windows machine in C:\
Kibana is running on localhost:5601.
I installed Nginx and configured it to run on port 80. My Nginx config file looks like this:
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
server {
listen 80;
server_name 127.0.0.1:5601;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ {
proxy_pass http://127.0.0.1:5601;
#proxy_redirect https://kibana/;
}
}
But when I enter localhost in my browser I see:
"Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.
Thank you for using nginx."
Kibana is working fine with localhost:5601.
Do I need to make any changes to the Kibana config file as well? I want to access the Kibana dashboard at localhost:80 through Nginx.
Thanks
Change "server_name 127.0.0.1:5601;" to "server_name localhost:80;"
Add this upstream above "server {" :
upstream kibana {
server localhost:5601;
}
and then replace "location ~" with :
location /kibana/ {
proxy_pass http://kibana/;
}
Use http://localhost/kibana to access Kibana
I have configured my nginx to reverse proxy the kibana-4 dashboard. The following nginx config does the job for me:
server {
listen 80;
#You can add your fqdn, say example.com, if you want to in the next parameter
server_name localhost;
auth_basic off;
location / {
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Here is how you can proxy to Kibana through nginx, with Kibana and ES on a remote server, over HTTPS using Let's Encrypt:
server {
listen [some_port] ssl http2;
server_name [server_name];
root /your/root/directory;
location /app {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/yyyyyyyyy.passwd;
proxy_pass http://example.com:5601;
}
location /bundles {
proxy_pass http://example.com:5601/bundles;
}
location /elasticsearch {
proxy_pass [http://elasticsearch_server:9200];
}
location /status {
proxy_pass http://example.com:5601/status;
}
location /api {
proxy_pass http://example.com:5601/api;
}
location /plugins {
proxy_pass http://example.com:5601/plugins;
}
location /ui {
proxy_pass http://example.com:5601/ui;
}
location /es_admin {
proxy_pass http://example.com:5601/es_admin;
}
location /built_assets {
proxy_pass http://example.com:5601/built_assets;
}
location /node_modules {
proxy_pass http://example.com:5601/node_modules;
}
location /translations {
proxy_pass http://example.com:5601/translations;
}
location /internal {
proxy_pass http://example.com:5601/internal;
}
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
access_log /var/log/nginx/xxxx.access.log;
error_log /var/log/nginx/xxxxx.error.log;
passenger_enabled on;
passenger_min_instances 1;
client_max_body_size 10m;
}
