Feb 16 2014
 

Edit: This post is pretty old and Elasticsearch/Logstash/Kibana have evolved a lot since it was written.

Part 2 of 4
This is a continuation from http://www.ragingcomputer.com/2014/02/logstash-elasticsearch-kibana-for-windows-event-logs

The great folks working on Kibana have been so awesome as to provide an example nginx configuration!
https://github.com/elasticsearch/kibana/blob/master/sample/nginx.conf

[Screenshot: Kibana prompting for login to save changes to the dashboard]

Before I start, a tip of the hat to the resources that helped me figure this out:
https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04/
http://nginx.org/en/docs/http/configuring_https_servers.html

https://www.digitalocean.com/community/articles/how-to-set-up-http-authentication-with-nginx-on-ubuntu-12-10
http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

http://stackoverflow.com/questions/15503455/elasticsearch-allow-only-local-requests

INSTALL NGINX

Install nginx and create certificates. I’m only bothering with self-signed.

sudo apt-get install nginx
sudo mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
# 2048-bit key: 1024-bit RSA is too weak for TLS
sudo openssl genrsa -des3 -out server.key 2048
sudo openssl req -new -key server.key -out server.csr
sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Installing apache2-utils because htpasswd is so easy to use. This section creates kibana.htpasswd for access to Kibana / Elasticsearch.

sudo apt-get install apache2-utils
sudo htpasswd -c /etc/nginx/conf.d/kibana.htpasswd raging
sudo htpasswd /etc/nginx/conf.d/kibana.htpasswd user

This section creates kibana-write.htpasswd for the ability to save dashboards.

sudo htpasswd -c /etc/nginx/conf.d/kibana-write.htpasswd raging

Download Kibana, extract, copy to /var/www and set permissions

sudo mkdir /var/www
wget https://download.elasticsearch.org/kibana/kibana/kibana-3.0.0milestone4.tar.gz
tar xzvf kibana-3.0.0milestone4.tar.gz
sudo cp -r kibana-3.0.0milestone4/* /var/www/
sudo chown -R www-data:www-data /var/www

Next, create the nginx config.
Note: You will need to update the section for redirecting http traffic to https with the IP address or hostname of your Elasticsearch / Kibana / nginx computer.
Note: You will also need to set your server name.

sudo vi /etc/nginx/sites-available/logcatcher
# Nginx proxy for Elasticsearch + Kibana
#
# In this setup, we are password protecting the saving of dashboards. You may
# wish to extend the password protection to all paths.
#
# Even though these paths are being called as the result of an ajax request, the
# browser will prompt for a username/password on the first request
#
# If you use this, you'll want to point config.js at https://FQDN:443/ instead of
# http://FQDN:9200
#

server {
    listen      80;
    return 301 https://192.168.1.126;
}

server {
  listen                *:443 ;

  ssl on;
  ssl_certificate /etc/nginx/ssl/server.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

  server_name           logcatcher.fqdn.example.com;
  access_log            /var/log/nginx/kibana.access.log;

  location / {
    root  /var/www;
    index  index.html  index.htm;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;

  }

  location ~ ^/_aliases$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_aliases$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/_nodes$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_search$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_mapping$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }

  # Password protected end points
  location ~ ^/kibana-int/dashboard/.*$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana-write.htpasswd;
    }
  }
  location ~ ^/kibana-int/temp.*$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana-write.htpasswd;
    }
  }
}

Disable the default configuration for nginx and enable the logcatcher config

sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/logcatcher /etc/nginx/sites-enabled/logcatcher

Restart nginx to make changes take effect

sudo service nginx restart
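
nginx applies the directives of the one location that matches a request, so the auth_basic in location / above does not cover the regex locations that proxy to Elasticsearch. The script below is an added example, not part of the original post or the Kibana sample: it lists proxied locations with no auth_basic of their own, run here over a constructed, abbreviated copy of the config above (the function names and the open/partial labels are assumptions of this example).

```shell
# Added example: list proxied nginx locations that have no auth_basic of their own.
# Assumes one directive per line and no braces inside location patterns.
unauth_proxy_locations() {
  awk '
    { line = $0; sub(/#.*/, "", line)                      # drop comments
      opens = gsub(/[{]/, "{", line); closes = gsub(/[}]/, "}", line) }
    depth == 1 && line ~ /^[ \t]*location[ \t]/ {          # location directly under server
      loc = line
      sub(/^[ \t]*location[ \t]+/, "", loc); sub(/[ \t]*[{].*/, "", loc)
      in_loc = 1; proxied = 0; auth = 0; lim_auth = 0
    }
    depth == 1 && line ~ /auth_basic_user_file/ { server_auth = 1 }  # inherited by all locations
    in_loc && depth == 2 && line ~ /proxy_pass/ { proxied = 1 }
    in_loc && depth == 2 && line ~ /auth_basic_user_file/ { auth = 1 }
    in_loc && depth == 3 && line ~ /auth_basic_user_file/ { lim_auth = 1 }  # nested block, e.g. limit_except
    { depth += opens - closes
      if (in_loc && depth == 1) {                          # location block closed
        if (proxied && !auth) found[++n] = (lim_auth ? "partial" : "open") "\t" loc
        in_loc = 0
      }
      if (depth == 0 && closes > 0) {                      # server block closed
        if (!server_auth) for (i = 1; i <= n; i++) print found[i]
        n = 0; server_auth = 0
      }
    }'
}

# Constructed sample: an abbreviated copy of the config on this page.
sample_conf() {
  cat <<'EOF'
server {
  location / {
    root /var/www;
    auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
  }
  location ~ ^/.*/_search$ {
    proxy_pass http://127.0.0.1:9200;
  }
  location ~ ^/kibana-int/dashboard/.*$ {
    proxy_pass http://127.0.0.1:9200;
    limit_except GET {
      auth_basic_user_file /etc/nginx/conf.d/kibana-write.htpasswd;
    }
  }
}
EOF
}

sample_conf | unauth_proxy_locations   # real file: unauth_proxy_locations < /etc/nginx/sites-available/logcatcher
```

"open" means no method requires a login; "partial" means auth_basic is set only inside a nested block such as limit_except, so GET requests pass without one. Setting auth_basic and auth_basic_user_file at the server level applies them to every location.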

BIND REDIS TO LOCALHOST

sudo vi /etc/redis/6379.conf

Change the bind line to

bind 127.0.0.1

Restart the service

sudo service redis_6379 stop
sudo service redis_6379 start

BIND ELASTICSEARCH TO LOCALHOST

sudo vi /etc/elasticsearch/elasticsearch.yml

Uncomment and change the lines to

network.bind_host: 127.0.0.1
network.publish_host: 127.0.0.1
network.host: 127.0.0.1

Restart the service

sudo service elasticsearch restart

CONFIGURE KIBANA TO USE NGINX
Edit the kibana config

sudo vi /var/www/config.js

Change the elasticsearch line to

elasticsearch: "https://"+window.location.hostname+":443",
