【转载】Securing Kibana + Elasticsearch

from: http://tom.meinlschmidt.org/2014/05/19/securing-kibana-elasticsearch/

After some successful setup of Kibana + es for fluentd there’s a need to secure whole website.

So I decided to use nginx and basic auth. I assume you have standard configuration – with es running on localhost:9200.

# htpasswd -c /opt/nginx/conf/.htpasswd some_user

and now modify nginx config:

#user  nobody;
#group nogroup;
worker_processes  5;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile        on;
    keepalive_timeout  65;
    gzip  on;
    server {
        # we listen on :8080
        listen       8080;
        server_name  somer.server;
        charset utf-8;
        access_log  logs/host.access.log  main;
        # root for Kibana installation
        location / {
        auth_basic "Restricted";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;
            root   /opt/kibana;
            index  index.html index.htm;
        }
        # and for elasticsearch
        location /es {
        auth_basic "Restricted - ES";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;
            rewrite ^/es/_aliases$ /_aliases break;
            rewrite ^/es/_nodes$ /_nodes break;
            rewrite ^/es/(.*/_search)$ /$1 break;
            rewrite ^/es/(.*/_mapping)$ /$1 break;
            rewrite ^/es/(.*/_aliases)$ /$1 break;
            rewrite ^/es/(kibana-int/.*)$ /$1 break;
            return 403;
            # set some headers
            proxy_http_version 1.1;
            proxy_set_header  X-Real-IP  $remote_addr;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header  Host $http_host;
            proxy_pass http://localhost:9200;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}