Protect Kibana 4 with Nginx

Kibana 4 is a great dashboard application, but it comes with zero security. If you want to share a dashboard while preventing other people from modifying your data, you need to filter the traffic directed to it.

This is hard to do, because Kibana uses JavaScript in the browser that sends queries to Elasticsearch (proxied via the /elasticsearch/ endpoint of the Kibana 4 app). Therefore, in order to protect it, we need fine-grained request filters in nginx.

The configuration sample below assumes that kibana4 is running locally on port 8080.

The configuration requires HTTP basic auth for operations such as saving a search or a dashboard, or accessing the settings page.

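server {
	listen 8000;

	proxy_redirect off;
	proxy_set_header Host $http_host;

	# Every location forwards to the local Kibana 4 instance on port 8080.
	# proxy_pass is written without a URI part so nginx forwards the same
	# normalized path the location rules below were matched against. The
	# earlier "http://127.0.0.1:8080/$request_uri" form forwarded the raw URI
	# instead (producing a double leading slash, and letting a differently
	# encoded or un-normalized path reach Kibana than the one the rules saw).
	#
	# Scope of this file: it gates *writes*. Reads are largely open, because
	# Kibana itself has to read through the same endpoints (see "location /").

	# Saved dashboards: listing them is open; anything else addressed at a
	# dashboard id (load, save, delete) needs credentials. $1 is the id.
	location = /elasticsearch/.kibana/dashboard/_search {
		proxy_pass http://127.0.0.1:8080;
	}
	location ~ ^/elasticsearch/\.kibana/dashboard/(.*) {
		auth_basic "Need user password to save dashboard '$1'";
		auth_basic_user_file /etc/nginx/observer_users.htpasswd;
		proxy_pass http://127.0.0.1:8080;
	}

	# Saved searches: same scheme as dashboards.
	location = /elasticsearch/.kibana/search/_search {
		proxy_pass http://127.0.0.1:8080;
	}
	location ~ ^/elasticsearch/\.kibana/search/(.*) {
		auth_basic "Need user password to save search '$1'";
		auth_basic_user_file /etc/nginx/observer_users.htpasswd;
		proxy_pass http://127.0.0.1:8080;
	}

	# NOTE: a rule such as 'location ~ "/#/settings/.*"' cannot protect the
	# settings page: browsers never send the "#..." fragment to the server, so
	# it matches nothing. The settings page is an in-browser route; what it
	# does on the server is write index patterns and config into the .kibana
	# index, which is what the two .kibana locations further down gate.

	# Log data addressed directly by index name needs credentials. This is a
	# partial guard only: Kibana also reads through /elasticsearch/_msearch
	# (index names travel in the request body) and index wildcards such as "*"
	# are accepted by the generic _search rule below, so treat it as a
	# convenience, not as read-access control.
	location ~ ^/elasticsearch/logstash {
		auth_basic "Need user password to access logstash indices";
		auth_basic_user_file /etc/nginx/observer_users.htpasswd;
		proxy_pass http://127.0.0.1:8080;
	}

	# Read-only queries against the .kibana index (listing visualizations,
	# index patterns, config, ...) stay open. _refresh is included because it
	# only forces an index refresh and does not change stored documents.
	location ~ ^/elasticsearch/\.kibana(/[^/]+)?/_(search|mget|msearch|count|refresh)$ {
		if ($request_method !~ "^(GET|POST)$") {
			return 403;
		}
		proxy_pass http://127.0.0.1:8080;
	}

	# Everything else under .kibana: a plain GET is a read and stays open;
	# any other method (PUT/DELETE on visualizations or index patterns,
	# POST to _bulk or to a type without an id, deleting the index, ...) is a
	# write and needs credentials. The previous catch-all proxied every method
	# here unauthenticated, which bypassed the dashboard/search rules above.
	location ~ ^/elasticsearch/\.kibana {
		limit_except GET {
			auth_basic "Need user password to modify Kibana objects";
			auth_basic_user_file /etc/nginx/observer_users.htpasswd;
		}
		proxy_pass http://127.0.0.1:8080;
	}

	# Kibana probes the cluster with GET /_nodes; nothing else is allowed there.
	location = /elasticsearch/_nodes {
		if ($request_method != "GET") {
			return 403;
		}
		proxy_pass http://127.0.0.1:8080;
	}

	# Top-level _ endpoints: only POST _mget / POST _msearch (Kibana's batched
	# document and search requests) pass. Everything else (_bulk, _all/_search,
	# _cluster, _cat, ...) is refused regardless of method, which is why this
	# rule must stay ahead of the generic rules below.
	location ~ ^/elasticsearch/_(.*)$ {
		set $reject 'false';
		set $esmethod $1;
		if ($esmethod !~ "^(mget|msearch)$") {
			set $reject 'true';
		}
		if ($request_method != "POST") {
			set $reject 'true';
		}
		if ($reject = 'true') {
			return 403;
		}
		proxy_pass http://127.0.0.1:8080;
	}

	# Per-index search: POST only (the body carries the query).
	location ~ ^/elasticsearch/(.*)/_search {
		if ($request_method != "POST") {
			return 403;
		}
		proxy_pass http://127.0.0.1:8080;
	}

	# Fallback for the Kibana UI itself: GET only, so no write can slip through
	# an unlisted path. Note that this also proxies any GET under /elasticsearch/
	# that no rule above matched, so single-document reads remain open.
	location / {
		if ($request_method != "GET") {
			return 403;
		}
		proxy_pass http://127.0.0.1:8080;
	}
}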