NGINX as reverse proxy and HTTP server to get your infrastructure secured and reachable from the Internet.
Kibana does not come with secure access out of the box (in the free version). We will use NGINX, one of the most popular reverse proxies, to secure it.
First, let’s clean up Docker by stopping and removing every container on the host :
$ docker stop $(docker ps -a -q)
$ docker rm $(docker ps -a -q)
Let’s look at the docker-compose file we’ll run. We first need Kibana and the Elasticsearch node that comes with it :
##############################
esnode1:
  image: elasticsearch:5
  environment:
    - ES_JAVA_OPTS=-Xmx1g -Xms1g
  ports:
    - "9201:9200"
    - "9301:9300"
  container_name: esnode1

##############################
kibana:
  image: kibana:5
  ports:
    - "5601:5601"
  environment:
    - ELASTICSEARCH_URL=http://esnode1:9200
  container_name: kibana
  links:
    - esnode1
We add Cerebro (kopf for Elastic before v5), because life without this great management tool is always a bit sadder. Many thanks lmenezes !
##############################
cerebro:
  image: snuids/cerebro:latest
  container_name: cerebro
  ports:
    - 9000:9000
  links:
    - esnode1

And finally, as you could expect, the NGINX docker :
##############################
nginx:
  image: nginx
  container_name: nginx
  ports:
    - 6601:6601
  volumes:
    - /Users/vmercier/Documents/nginxconfigelk5/:/etc/nginx/conf.d/
    - /Users/vmercier/Documents/nginxconfigelk5/:/var/log/nginx
  links:
    - kibana
Have a look at this one in particular. We map port 6601 of our host machine to the NGINX container; this will be our entry port.
Both container folders, “/etc/nginx/conf.d/” and “/var/log/nginx”, are mapped to my local folder “/Users/vmercier/Documents/nginxconfigelk5/”.
The NGINX container is linked with Kibana, because Kibana is what we want to be reachable through NGINX. NGINX reaches Kibana over this link, not through a published port, so the "5601:5601" mapping on the kibana service is only needed if you also want direct access to Kibana from the host without going through NGINX.
The configuration isn’t over, our NGINX isn’t configured yet. Move to the folder you chose in your docker-compose file (/Users/vmercier/Documents/nginxconfigelk5 in my case), and create a default.conf file :
server {
    listen 6601 ssl;

    ssl_certificate /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;

    # "ssl on;" stood here; it is deprecated since nginx 1.15.0 and rejected since 1.25.1, the "ssl" flag on listen replaces it
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        auth_basic "Restricted"; #For Basic Auth
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd; #For Basic Auth
        proxy_pass http://kibana:5601;
        proxy_redirect off;
    }
}
Let’s get a quick review of this configuration file :
– line 2 (listen), we start a server listening on port 6601 (remember the docker-compose file).
– lines 4 and 5 (ssl_certificate, ssl_certificate_key), the configuration of the certificate and its key.
– line 20 (auth_basic_user_file), the password file.
– line 21 (proxy_pass), where a request on port 6601 is forwarded : the Kibana container.
As seen above, we have to define a certificate file, a certificate key file and a password file. Let’s do that :
$ cd /Users/vmercier/Documents/nginxconfigelk5
$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
...
$ openssl rsa -passin pass:x -in server.pass.key -out server.key
writing RSA key
$ rm server.pass.key
$ openssl req -new -key server.key -out server.csr
...
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
...
A challenge password []:
...
$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
Then generate the .htpasswd file :
$ htpasswd -c .htpasswd fucker
Let’s run the docker-compose file :
~/Desktop/Docker $ docker-compose up -d
Creating esnode1
Creating kibana
Creating cerebro
Creating nginx
You can now access your Kibana with this URL : https://YOUR_IP:6601. A pop-up asking for a user name and password should appear.
Type your password and you should be redirected to your Kibana instance!
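Before port 6601 is opened to the Internet, it is worth checking that NGINX is the only way in. The script below is an added example, not part of the original post: it reports a proxied upstream whose port is also published on the host, a missing auth_basic_user_file, and TLS versions older than 1.2. The sample inputs are constructed from the files above, the function names are this example's own, and it assumes the proxy_pass host name is the compose service name.

```python
import re

# Constructed sample input, modelled on the compose file and default.conf above.
COMPOSE = """\
kibana:
  ports:
    - "5601:5601"
nginx:
  ports:
    - 6601:6601
"""
NGINX_CONF = """\
server {
    listen 6601 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
        proxy_pass http://kibana:5601;
    }
}
"""

def published_ports(compose):
    """Map service -> container ports published on the host (v1 compose subset)."""
    ports, service, key = {}, None, None
    for line in compose.splitlines():
        if re.match(r"^[\w-]+:\s*$", line):          # unindented key: a service name
            service, key = line.strip()[:-1], None
        elif m := re.match(r"^\s+(\w+):", line):     # indented key, e.g. "ports:"
            key = m.group(1)
        elif key == "ports" and line.strip().startswith("-"):
            item = line.strip().lstrip("- ").strip('"')
            ports.setdefault(service, set()).add(item.rsplit(":", 1)[-1])
    return ports

def audit(compose, conf):
    """Return a list of findings for the proxy setup described by the two files."""
    findings, exposed = [], published_ports(compose)
    for host, port in re.findall(r"proxy_pass\s+https?://([\w.-]+):(\d+)", conf):
        if port in exposed.get(host, ()):            # upstream reachable around the proxy
            findings.append(f"bypass: {host}:{port} is published on the host")
    if not re.search(r"^\s*auth_basic_user_file\s+\S+;", conf, re.M):
        findings.append("auth: proxied location has no auth_basic_user_file")
    m = re.search(r"ssl_protocols\s+([^;]+);", conf)
    weak = [p for p in (m.group(1).split() if m else []) if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    if weak:
        findings.append("tls: deprecated protocols enabled: " + " ".join(weak))
    return findings
```

Calling audit(COMPOSE, NGINX_CONF) on the sample returns the bypass and tls findings; removing the kibana ports entry and the two old protocol names makes it return an empty list.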
May 4, 2017 at 9:55 am
This was very helpful. Thank you. Diligent and concise. I am going to keep an eye on this blog.
June 2, 2017 at 1:43 pm
Is it possible the redirection of Kibana via Nginx without a certificate and its key, the password file? Because I have done all ways to access Kibana via Nginx but all I get is 404 page not found. Only I didn’t do is SSL mentioning in nginx.conf file.