Skip to content

Instantly share code, notes, and snippets.

@dmajorel
Created August 7, 2016 22:58
Show Gist options
  • Save dmajorel/7f1eaacfd8c1803be1f1ace842a7d288 to your computer and use it in GitHub Desktop.
Save dmajorel/7f1eaacfd8c1803be1f1ace842a7d288 to your computer and use it in GitHub Desktop.
Nginx configuration for Kibana-ElasticSearch read-only/read-write access
upstream elasticsearch_upstream {
server 127.0.0.1:9200;
keepalive 15;
}
upstream kibana_upstream {
server 127.0.0.1:5601;
}
# Kibana, public access, RO operations
##############################################################################################
server {
listen 443 default_server ssl; # IPv4
server_name _;
ssl_certificate /etc/pki/tls/certs/kibana-unix.crt;
ssl_certificate_key /etc/pki/tls/private/kibana-unix.key;
error_log /var/log/nginx/kibana-errors.log;
access_log /var/log/nginx/kibana.log;
# Read only access to Kibana
# deny other than get/post/options/head
# allow post when used with _search/_msearch/_mget
# allow get/options/head
set $posting 11;
if ( $request_method !~ ^(GET|POST|OPTIONS|HEAD)$ ) { return 405; }
if ( $request_method = POST ) { set $posting 1; }
if ( $request_uri ~ ^/(.+)/(_search|_mget|_msearch|_field_stats)(.*)$ ) { set $posting "${posting}1"; }
if ( $request_method ~ ^(GET|OPTIONS|HEAD)$ ) { set $posting 11; }
if ( $posting != 11 ) { return 403; }
location / {
proxy_pass http://kibana_upstream;
proxy_redirect off;
proxy_http_version 1.1;
add_header Access-Control-Allow-Origin *;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
}
}
# Kibana, admin access R/W
##############################################################################################
server {
listen 8443 ssl; # IPv4
server_name _;
ssl_certificate /etc/pki/tls/certs/kibana-unix..crt;
ssl_certificate_key /etc/pki/tls/private/kibana-unix.key;
error_log /var/log/nginx/kibana-admin-errors.log;
access_log /var/log/nginx/kibana-admin.log;
location / {
auth_basic "Kibana Admins";
auth_basic_user_file htpasswd-admins;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
proxy_pass http://kibana_upstream;
}
}
# Elasticsearch, admin access
##############################################################################################
server {
listen 8000 ssl; # IPv4
server_name _;
ssl_certificate /etc/pki/tls/certs/kibana-unix.crt;
ssl_certificate_key /etc/pki/tls/private/kibana-unix.key;
error_log /var/log/nginx/elasticsearch-admin-errors.log;
access_log /var/log/nginx/elasticsearch-admin.log;
location / {
auth_basic "Elasticsearch Admins";
auth_basic_user_file htpasswd-admins;
proxy_pass http://elasticsearch_upstream;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
}
}
# redirect http to https
server {
listen 80;
server_name _;
rewrite ^.*$ https://$http_host/ permanent;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment