How to Set Up an Nginx Reverse Proxy for Kibana.
In this demonstration we will see how to set up a reverse proxy using the nginx web server in front of a Kibana backend.
We begin by installing the latest version of the nginx server on our CentOS server:
$ sudo yum install nginx -y
The nginx package is provided by the EPEL repository, which you have to enable:
$ sudo yum --enablerepo=epel install nginx -y
Once the nginx package is installed, we need to enable the daemon and start it with the following command:
[vamshi@node01 ~]$ sudo systemctl enable nginx --now
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
We now create the nginx configuration file for the Kibana backend and place it at /etc/nginx/conf.d/kibana.conf as shown below.
For enhanced security we can add the Restricted Access configuration, shown below on the lines with auth_basic and auth_basic_user_file. You may skip the Restricted Access configuration if you believe it is not required.
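[vamshi@node01 nginx]$ sudo cat conf.d/kibana.conf
server {
    listen 80;
    server_name localhost;

    # Restricted Access: prompt for HTTP Basic credentials stored in the htpasswd file
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        # Forward every request to the Kibana backend listening on the loopback interface
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        # Pass the Upgrade/Connection headers so WebSocket upgrades go through the proxy
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}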
With the configuration in place, we now check the nginx config syntax using the -t option as shown below:
[vamshi@node01 nginx]$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
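nginx -t only validates syntax, so it passes whether or not the Restricted Access lines are present. The following is an added example, not part of the original article: a small Python check over the server block shown above that reports when the proxy is left without authentication. The sample configs are constructed from the page's config, and the finding names and the TLS variant are assumptions made for illustration.

```python
import re

# Constructed sample: the article's server block (upgrade headers omitted for brevity).
WITH_AUTH = """
server {
    listen 80;
    server_name localhost;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
        proxy_pass http://localhost:5601;
    }
}
"""
# Same block with the optional Restricted Access lines skipped.
WITHOUT_AUTH = "\n".join(l for l in WITH_AUTH.splitlines() if "auth_basic" not in l)
# Hypothetical TLS variant; the ssl_certificate directives it would need are omitted.
WITH_TLS = WITH_AUTH.replace("listen 80;", "listen 443 ssl;")


def directives(conf):
    """Return (name, args) pairs; block nesting and quoted ';' or '#' are not handled."""
    conf = re.sub(r"#.*", "", conf)  # strip comments
    pairs = []
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split()
        if parts:
            pairs.append((parts[0], parts[1:]))
    return pairs


def audit(conf):
    """List finding names (hypothetical labels) for a single proxying server block."""
    d = directives(conf)
    auth_on = any(n == "auth_basic" and a[:1] != ["off"] for n, a in d)
    findings = []
    if any(n == "proxy_pass" for n, _ in d) and not auth_on:
        findings.append("proxy-without-auth")         # backend reachable without a login
    if auth_on and not any(n == "auth_basic_user_file" for n, _ in d):
        findings.append("auth-without-user-file")     # realm set but no user file named
    if auth_on and any(n == "listen" and "ssl" not in a for n, a in d):
        findings.append("basic-auth-over-cleartext")  # Basic credentials are only base64-encoded
    return findings


if __name__ == "__main__":
    for name, conf in [("with auth", WITH_AUTH), ("auth skipped", WITHOUT_AUTH), ("tls", WITH_TLS)]:
        print(name, audit(conf))
```

Pointing audit() at the contents of /etc/nginx/conf.d/kibana.conf gives the same checks for the deployed file.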
Now restart the nginx server and head over to the browser.
$ sudo systemctl restart nginx
In your browser, enter the server IP or FQDN and you will be automatically redirected to the URL http://your-kibana-server.com/app/kibana#/home
Set up the htpasswd authorization config with user details.
We now install the htpasswd tool from the package httpd-tools as follows:
$ sudo yum install httpd-tools -y
Add the authorization details to our .htpasswd file:
[vamshi@node01 nginx]$ sudo htpasswd -c /etc/nginx/.htpasswd vamshi
New password:
Re-type new password:
Adding password for user vamshi
We have now successfully added the auth configuration.
[vamshi@node01 nginx]$ sudo htpasswd -n /etc/nginx/.htpasswd
New password:
Re-type new password:
/etc/nginx/.htpasswd:$apr1$tlinuxcentMY-htpassEsHEEanL21
The password is stored as a one-way hash, so it cannot be decoded; if it is lost, a new hash has to be generated.
Verify the htpasswd login from the command line with curl:
$ curl http://kibana-url -u<htpasswd-username>
[vamshi@node01 ~]$ curl kibana.linuxcent.com -uvamshi -I
Enter host password for user 'vamshi':
HTTP/1.1 302 Found
Server: nginx/1.16.1
Date: Thu, 07 Apr 2020 17:48:35 GMT
Content-Length: 0
Connection: keep-alive
location: /spaces/enter
kbn-name: kibana
kbn-license-sig: 2778f2f7e07680b7aefa85db2e7ce7bd33da5592b84cefe62efa8
kbn-xpack-sig: ce2a76732a2f58fcf288db70ad3ea
cache-control: no-cache
If you enter invalid credentials, you will get a 401 HTTP error code, which restricts unauthorized access:
HTTP/1.1 401 Unauthorized
Server: nginx/1.16.1
Date: Thu, 07 Apr 2020 17:51:36 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
WWW-Authenticate: Basic realm="Restricted Access"
Now we head over to the browser to check the Basic auth login prompt in action:
http://your-kibana-server.com
Conclusion: With htpasswd in place, nginx provides an extra layer of authorized access to your sensitive URLs. In effect, you now need to enter the htpasswd login to access the same Kibana dashboard.