After successfully setting up Kibana + ES for fluentd, I needed to secure the whole website, so I decided to use nginx with basic auth. I assume you have a standard configuration, with ES running on localhost:9200.
# htpasswd -c /opt/nginx/conf/.htpasswd some_user
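Note that -c creates the password file and overwrites an existing one, so leave it out when adding further users, and keep the file readable only by root and the nginx worker user. Now modify the nginx config: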
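# nginx front end for Kibana (static files from /opt/kibana) and Elasticsearch
# (proxied under /es to localhost:9200). Both are behind HTTP basic auth backed
# by /opt/nginx/conf/.htpasswd.
#
# The listing was collapsed onto a single line, where each '#' comment would
# swallow the directives after it; it is restored here one directive per line.

#user nobody;
#group nogroup;
worker_processes 5;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # $remote_user records the basic-auth user name, so the access log shows
    # who issued each request.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    keepalive_timeout 65;
    gzip on;

    server {
        # we listen on :8080
        # NOTE(review): this is plain HTTP. Basic-auth credentials are only
        # base64-encoded, not encrypted, so they are readable on the wire.
        # Terminate TLS here ("listen ... ssl" with ssl_certificate and
        # ssl_certificate_key) or expose this port only on a trusted network.
        listen 8080;
        server_name somer.server;
        charset utf-8;

        access_log logs/host.access.log main;

        # Defense in depth: answer 403 for any path segment that starts with a
        # dot (.htpasswd, .git, editor backups). The password file lives in
        # /opt/nginx/conf, outside both roots used below, so this guards
        # against dotfiles that later end up under a served directory.
        # Regex locations take precedence over the prefix locations below, so
        # this also rejects /es/ requests for index names beginning with a dot.
        location ~ /\. {
            deny all;
        }

        # root for Kibana installation
        location / {
            auth_basic "Restricted";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;

            root /opt/kibana;
            index index.html index.htm;
        }

        # and for elasticsearch
        location /es {
            auth_basic "Restricted - ES";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;

            # Path allowlist. Each rewrite strips the /es prefix, and "break"
            # stops further rewrite-module processing, so a matching request
            # skips the "return 403" below and is proxied. Anything that
            # matches none of the patterns is rejected.
            # NOTE(review): the allowlist is by path only. Every HTTP method
            # is forwarded, so an authenticated user can also write to these
            # endpoints (kibana-int needs writes to save dashboards). If the
            # other endpoints should be read-only, restrict methods as well
            # (e.g. with limit_except).
            rewrite ^/es/_aliases$ /_aliases break;
            rewrite ^/es/_nodes$ /_nodes break;
            rewrite ^/es/(.*/_search)$ /$1 break;
            rewrite ^/es/(.*/_mapping)$ /$1 break;
            rewrite ^/es/(.*/_aliases)$ /$1 break;
            rewrite ^/es/(kibana-int/.*)$ /$1 break;
            return 403;

            # set some headers
            proxy_http_version 1.1;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;

            # Elasticsearch must listen on loopback only (or have port 9200
            # firewalled). Otherwise clients can reach it directly and bypass
            # the authentication and the path allowlist above.
            proxy_pass http://localhost:9200;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}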
Hi,
You should restrict access to the .htpasswd file.
Otherwise users can download the file.
# Answer 403 for any request whose path contains a segment starting with a dot
# (.htpasswd, .git, ...). This goes inside the server { } block. As a regex
# location it takes precedence over plain prefix locations such as "/" or "/es".
location ~ /\. { deny all; }