Securing Elasticsearch / Kibana with nginx

Edit: This post is pretty old and Elasticsearch/Logstash/Kibana have evolved a lot since it was written.

Part 2 of 4
This is a continuation from http://www.ragingcomputer.com/2014/02/logstash-elasticsearch-kibana-for-windows-event-logs

The great folks working on Kibana have been so awesome as to provide an example nginx configuration!
https://github.com/elasticsearch/kibana/blob/master/sample/nginx.conf

Kibana prompting for login to save changes to the dashboard

Before I start, I’ve got a tip of the hat to the resources that helped me figure this out
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04/
http://nginx.org/en/docs/http/configuring_https_servers.html

https://www.digitalocean.com/community/articles/how-to-set-up-http-authentication-with-nginx-on-ubuntu-12-10
http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

http://stackoverflow.com/questions/15503455/elasticsearch-allow-only-local-requests

INSTALL NGINX

Install nginx and create certificates. I’m only bothering with self-signed.

[text]
sudo apt-get install nginx
sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
# 2048-bit RSA key (1024-bit RSA is no longer considered adequate)
sudo openssl genrsa -des3 -out server.key 2048
sudo openssl req -new -key server.key -out server.csr
sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[/text]

Installing apache2-utils because htpasswd is so easy to use. This section creates kibana.htpasswd for access to Kibana / Elasticsearch
[text]
sudo apt-get install apache2-utils
sudo htpasswd -c /etc/nginx/conf.d/kibana.htpasswd raging
sudo htpasswd /etc/nginx/conf.d/kibana.htpasswd user
[/text]

This section creates kibana-write.htpasswd for the ability to save dashboards
[text]
sudo htpasswd -c /etc/nginx/conf.d/kibana-write.htpasswd raging
[/text]

Download Kibana, extract, copy to /var/www and set permissions
[text]
sudo mkdir /var/www
wget https://download.elasticsearch.org/kibana/kibana/kibana-3.0.0milestone4.tar.gz
tar xzvf kibana-3.0.0milestone4.tar.gz
sudo cp -r kibana-3.0.0milestone4/* /var/www/
sudo chown -R www-data:www-data /var/www
[/text]

Next, create the nginx config.
Note: You will need to update the section for redirecting http traffic to https with the IP address or hostname of your Elasticsearch / Kibana / nginx computer.
Note: You will also need to set your server name.
[text]
sudo vi /etc/nginx/sites-available/logcatcher
[/text]

[text]
# Nginx proxy for Elasticsearch + Kibana
#
# In this setup, we are password protecting the saving of dashboards. You may
# wish to extend the password protection to all paths.
#
# Even though these paths are being called as the result of an ajax request, the
# browser will prompt for a username/password on the first request
#
# If you use this, you'll want to point config.js at http://FQDN:80/ instead of
# http://FQDN:9200
#

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    return 301 https://192.168.1.126;
}

server {
    # Enable TLS on this listener
    listen *:443 ssl;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    server_name logcatcher.fqdn.example.com;
    access_log /var/log/nginx/kibana.access.log;

    # Static Kibana files, basic auth required
    location / {
        root /var/www;
        index index.html index.htm;

        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
    }

    # Elasticsearch endpoints Kibana queries, proxied without authentication
    location ~ ^/_aliases$ {
        proxy_pass http://127.0.0.1:9200;
        proxy_read_timeout 90;
    }
    location ~ ^/.*/_aliases$ {
        proxy_pass http://127.0.0.1:9200;
        proxy_read_timeout 90;
    }
    location ~ ^/_nodes$ {
        proxy_pass http://127.0.0.1:9200;
        proxy_read_timeout 90;
    }
    location ~ ^/.*/_search$ {
        proxy_pass http://127.0.0.1:9200;
        proxy_read_timeout 90;
    }
    location ~ ^/.*/_mapping$ {
        proxy_pass http://127.0.0.1:9200;
        proxy_read_timeout 90;
    }

    # Password protected end points
    # GET is open; every other method needs a kibana-write.htpasswd login
    location ~ ^/kibana-int/dashboard/.*$ {
        proxy_pass http://127.0.0.1:9200;
        proxy_read_timeout 90;
        limit_except GET {
            proxy_pass http://127.0.0.1:9200;
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/conf.d/kibana-write.htpasswd;
        }
    }
    location ~ ^/kibana-int/temp.*$ {
        proxy_pass http://127.0.0.1:9200;
        proxy_read_timeout 90;
        limit_except GET {
            proxy_pass http://127.0.0.1:9200;
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/conf.d/kibana-write.htpasswd;
        }
    }
}
[/text]

Disable the default configuration for nginx and enable the logcatcher config
[text]
sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/logcatcher /etc/nginx/sites-enabled/logcatcher
[/text]

Restart nginx to make changes take effect
[text]
sudo service nginx restart
[/text]

BIND REDIS TO LOCALHOST
[text]
sudo vi /etc/redis/6379.conf
[/text]
Change the bind line to
[text]
bind 127.0.0.1
[/text]
Restart the service
[text]
sudo service redis_6379 stop
sudo service redis_6379 start
[/text]

BIND ELASTICSEARCH TO LOCALHOST

[text]
sudo vi /etc/elasticsearch/elasticsearch.yml
[/text]
Uncomment and change the lines to
[text]
network.bind_host: 127.0.0.1
network.publish_host: 127.0.0.1
network.host: 127.0.0.1
[/text]

Restart the service
[text]
sudo service elasticsearch restart
[/text]
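A quick check that the Redis and Elasticsearch bind changes above actually took effect, as an added example that is not part of the original post. It parses `ss -ltn` output and flags any watched port still listening off loopback; the function name and sample listings are constructed, and 9300 (Elasticsearch's default transport port) is added alongside the 9200 and 6379 used in the post.

```shell
#!/bin/sh
# Added example (not from the original post); sample listings are constructed.

# Constructed `ss -ltn` output: Redis and Elasticsearch on every interface.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6379       0.0.0.0:*
LISTEN 0      50     *:9200             *:*
LISTEN 0      50     *:9300             *:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*'

# Constructed output after the bind changes and service restarts.
SAMPLE_HARDENED='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      128    127.0.0.1:6379          0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:9200 [::]:*
LISTEN 0      50     [::ffff:127.0.0.1]:9300 [::]:*
LISTEN 0      128    0.0.0.0:443             0.0.0.0:*
LISTEN 0      128    0.0.0.0:80              0.0.0.0:*'

# Reads `ss -ltn` output on stdin; arguments are the ports to check.
# Prints addr:port for each watched port bound off loopback; returns 1 if any.
non_loopback_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)      # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in watch)) next
            # 127.0.0.0/8, ::1 and IPv4-mapped loopback are local-only
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr ":" port
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# $1 = label, stdin = ss output
report() {
    if non_loopback_listeners 9200 9300 6379; then
        echo "$1: backends are loopback-only"
    else
        echo "$1: the ports listed above are reachable from the network"
    fi
}

printf '%s\n' "$SAMPLE_EXPOSED"  | report exposed
printf '%s\n' "$SAMPLE_HARDENED" | report hardened
# On the live host: ss -ltn | non_loopback_listeners 9200 9300 6379
```

Ports 80 and 443 are deliberately not watched, since nginx is meant to be the only service reachable from the network.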

CONFIGURE KIBANA TO USE NGINX
Edit the kibana config
[text]
sudo vi /var/www/config.js
[/text]
Change the elasticsearch line to
[text]
elasticsearch: "https://"+window.location.hostname+":443",
[/text]
