NGINX as a reverse proxy and HTTP server, to keep your infrastructure secured and reachable from the Internet.

Kibana does not come with secure access out of the box (in the free version). We will use NGINX, one of the most popular reverse proxies, to secure it.

First, let’s clean up our Docker containers:

$ docker stop $(docker ps -a -q)

$ docker rm $(docker ps -a -q)

Let’s look at the docker-compose file we’ll run. We first need Kibana and the Elasticsearch node that comes with it:

##############################

esnode1:
  image: elasticsearch:5
  environment:
    - ES_JAVA_OPTS=-Xmx1g -Xms1g
  ports:
    - "9201:9200"
    - "9301:9300"
  container_name: esnode1

##############################

kibana:
  image: kibana:5
  ports:
    - "5601:5601"
  environment:
    - ELASTICSEARCH_URL=http://esnode1:9200
  container_name: kibana
  links:
    - esnode1

We add Cerebro (known as kopf for Elastic before v5), because life without this great management tool is always a bit sadder. Many thanks, lmenezes!

##############################

cerebro:
  image: snuids/cerebro:latest
  container_name: cerebro
  ports:
    - 9000:9000
  links:
    - esnode1

And finally, as you could expect, the NGINX container:

##############################
nginx:
  image: nginx
  container_name: nginx
  ports:
    - 6601:6601
  volumes:
    - /Users/vmercier/Documents/nginxconfigelk5/:/etc/nginx/conf.d/
    - /Users/vmercier/Documents/nginxconfigelk5/:/var/log/nginx
  links:
    - kibana

Have a look at this one in particular. We map port 6601 of our host machine to the NGINX container; this will be our entry port.

The two container folders “/etc/nginx/conf.d/” and “/var/log/nginx” are both mapped to my local folder “/Users/vmercier/Documents/nginxconfigelk5/”.

The container is linked with Kibana, since Kibana is what we want to be reachable through our NGINX.
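An added check, not part of the original post: the compose file above still publishes the Elasticsearch, Kibana and Cerebro ports on the host, so those services remain reachable without passing through NGINX. The script lists such mappings; the function names and the sample compose text are constructed for illustration, and it assumes the layout used here (service names at column 0, IPv4 addresses only).

```shell
# Added example: list compose services, other than the proxy, whose ports are
# published on the host and therefore bypass NGINX.

# Usage: published_backend_ports PROXY_SERVICE < docker-compose.yml
# Prints one "service host_port" line per mapping reachable from other machines.
published_backend_ports() {
    awk -v proxy="$1" -v sq="'" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        /^[A-Za-z0-9_.-]+:[ \t]*$/ {                 # column-0 key starts a service
            svc = $1; sub(/:$/, "", svc); in_ports = 0; next
        }
        /^[ \t]+ports:[ \t]*$/ { in_ports = 1; next }
        in_ports && /^[ \t]*-/ {
            m = $0
            sub(/^[ \t]*-[ \t]*/, "", m)             # drop the list dash
            gsub("[ \t\"" sq "]", "", m)             # drop spaces and quotes
            n = split(m, p, ":")                     # [ip:]host:container or container
            if (svc == proxy) next                   # the proxy is meant to be exposed
            if (n == 3 && p[1] == "127.0.0.1") next  # bound to loopback only
            print svc, (n == 1 ? "ephemeral" : p[n - 1])
            next
        }
        { in_ports = 0 }                             # any other line ends the list
    '
}

# Constructed sample: the services from this page, with Cerebro bound to loopback.
sample_compose() {
    cat <<'EOF'
esnode1:
  ports:
    - "9201:9200"
    - "9301:9300"
kibana:
  ports:
    - "5601:5601"
cerebro:
  ports:
    - 127.0.0.1:9000:9000
nginx:
  ports:
    - 6601:6601
EOF
}

sample_compose | published_backend_ports nginx
```

Each line it prints is a host port that can be dropped from `ports:` or bound to 127.0.0.1 when only the proxy needs to reach the service; NGINX reaches Kibana through the container link, not through the host mapping.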

The configuration isn’t over: our NGINX isn’t configured yet. Move to the folder you chose in your docker-compose file (/Users/vmercier/Documents/nginxconfigelk5 in my case) and create a default.conf file:

server {
    listen 6601 ssl;

    ssl_certificate /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;
    # TLS is enabled by "ssl" on the listen line; the "ssl on;" directive is removed in current nginx
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3; # TLSv1 and TLSv1.1 are deprecated
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-NginX-Proxy true;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        auth_basic "Restricted"; # For Basic Auth
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd; # For Basic Auth
        proxy_pass http://kibana:5601;
        proxy_redirect off;
    }
}

Let’s quickly review this configuration file:

– line 2: we start a server listening on port 6601 (remember the docker-compose file).

– lines 4 and 5: the certificate and its key.

– line 20: the password file (auth_basic_user_file).

– line 21: where a request arriving on port 6601 is forwarded (proxy_pass to Kibana).

As seen above, we have to define a certificate file, a certificate key file and a password file. Let’s do that:

$ cd /Users/vmercier/Documents/nginxconfigelk5

$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
...
$ openssl rsa -passin pass:x -in server.pass.key -out server.key
writing RSA key
$ rm server.pass.key
$ openssl req -new -key server.key -out server.csr
...
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
...
A challenge password []:
...
$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

Then generate the .htpasswd file:

$ htpasswd -c .htpasswd fucker

Let’s run the docker-compose file:

~/Desktop/Docker $ docker-compose up -d

Creating esnode1
Creating kibana
Creating cerebro
Creating nginx

You can now access your Kibana at this URL: https://YOUR_IP:6601. A basic authentication pop-up should appear.

Type your password and you should be redirected to your Kibana instance!