Differences

en:ressources:astuces:kibana4_nginx [2015/02/27 16:07] (current)
julien created
Line 1: Line 1:
 +====== Protect Kibana 4 with Nginx ======
 +
 +Kibana 4 is a great dashboard application,​ but it comes with zero security. If you want to share a dashboard while preventing other people from modifying your data, you need to filter the traffic directed to it.
 +
 +This is hard to do, because kibana uses javascript in the browser that sends queries to elasticsearch (proxied via the /​elasticsearch/​ endpoint of the kibana4 app). Therefore, in order to protect it, we need fine grained query filters in nginx.
 +
 +The configuration sample below assumes that kibana4 is running locally on port 8080.
 +
 +The conf will require a basic auth for operations like saving a search, a dashboard or accessing the settings page.
 +
 +<​code>​
 +server {
 + listen 8000;
 +
 + proxy_redirect off;
 + proxy_set_header Host $http_host;
 +
 + # viewing dashboards is authorized, but saving them requires auth
 + location = "/​elasticsearch/​.kibana/​dashboard/​_search"​ {
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location ~ /​elasticsearch/​.kibana/​dashboard/​(?<​dashboardname>​.*) {
 + auth_basic "Need user password to save dashboard '​$1'";​
 + auth_basic_user_file /​etc/​nginx/​observer_users.htpasswd;​
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location = "/​elasticsearch/​.kibana/​search/​_search"​ {
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location ~ /​elasticsearch/​.kibana/​search/​(.*) {
 + auth_basic "Need user password to save search '​$1'";​
 + auth_basic_user_file /​etc/​nginx/​observer_users.htpasswd;​
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location ~ "/#/​settings/​.*"​ {
 + auth_basic "Need user password to access settings";​
 + auth_basic_user_file /​etc/​nginx/​observer_users.htpasswd;​
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location ~ "/​elasticsearch/​logstash.*"​ {
 + auth_basic "Need user password to access settings";​
 + auth_basic_user_file /​etc/​nginx/​observer_users.htpasswd;​
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location ~ /​elasticsearch/​.kibana {
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location = "/​elasticsearch/​_nodes"​ {
 + if ($request_method != "​GET"​) {
 + return 403;
 + break;
 + }
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location ~ /​elasticsearch/​_(.*)$ {
 + set $reject '​false';​
 + set $esmethod $1;
 + if ($esmethod !~ "​^(mget|msearch)$"​) {
 + set $reject '​true';​
 + }
 + if ($request_method != "​POST"​) {
 + set $reject '​true';​
 + }
 + if ($reject = '​true'​) {
 + return 403;
 + break;
 + }
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location ~ /​elasticsearch/​(.*)/​_search {
 + if ($request_method != "​POST"​) {
 + return 403;
 + break;
 + }
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 + location / {
 + if ($request_method != "​GET"​) {
 + return 403;
 + break;
 + }
 + proxy_pass http://​127.0.0.1:​8080/​$request_uri;​
 + }
 +}
 +</​code>​
  
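Review bot: the location ~ /elasticsearch/.kibana block proxies every request method with neither auth_basic nor a $request_method check, so anything under .kibana that the dashboard/ and search/ regexes above it do not catch, and the index path itself, can be written without credentials. Give that block the same auth_basic / auth_basic_user_file pair, or reject non-GET methods the way the _nodes block does. The location ~ "/#/settings/.*" block can never match, because the browser does not send the part of the URL after # to the server, so the settings page is not behind auth as the text says; the restriction has to sit on the /elasticsearch/ paths instead. Smaller points: proxy_pass http://127.0.0.1:8080/$request_uri; produces a double slash since $request_uri already starts with /, so drop the slash before the variable; the break; after each return 403; is never reached; the regex locations are unanchored and leave the dot in .kibana unescaped, so start them with ^ and write \.kibana; and the realm text on the logstash block still says "access settings".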
en/ressources/astuces/kibana4_nginx.txt · Last modified: 2015/02/27 16:07 by julien
CC Attribution-Share Alike 4.0 International