Skip to content

Instantly share code, notes, and snippets.

@barseghyanartur
Forked from r0mdau/Kibana-readonly.md
Created September 8, 2017 13:07
Show Gist options
  • Save barseghyanartur/50e1018404366c0e20283d5487992ad5 to your computer and use it in GitHub Desktop.
Save barseghyanartur/50e1018404366c0e20283d5487992ad5 to your computer and use it in GitHub Desktop.
Kibana readonly over internet

#Kibana Readonly

With this tip, kibana can't be modified. So you can share the uri to anyone on the internet. It's a network method to protect kibana from changes of anonymous.

##Quick start

  1. You need to have a working kibana exposed over http on internet
  2. On the same elasticsearch server, install nginx : apt-get install nginx
  3. In the directory /etc/nginx/sites-available, create a new file and edit it, for example : vi /etc/nginx/sites-available/kibana-readonly
  4. Write the following configuration :
server {
    listen   80;
    server_name _URI_;

    set $posting 11;
    if ( $request_method !~ ^(GET|POST|OPTIONS)$ ) {
        return 405;
    }

    if ( $request_method = POST ) {
        set $posting 1;
    }

    if ( $request_uri ~ ^/(.+)/_search(.*)$ ){
        set $posting "${posting}1";
    }

    if ( $request_method = OPTIONS ) {
        set $posting 11;
    }

    if ( $request_method = GET ) {
        set $posting 11;
    }

    if ( $posting != 11 ){
        return 400;
    }

    location / {
        proxy_pass http://localhost:9200/;
    }
}
  1. You have to replace _URI_ by the public URI of elasticsearch. You can modify the port too (next to listen)
  2. Then add this file to enabled sites ln -s /etc/nginx/sites-available/kibana-readonly /etc/nginx/sites-enabled
  3. Reload Nginx service nginx reload
  4. Go to kibana root directory, in the file config.js, in the elasticsearch attribute, use the good port number to specify in kibana-readonly file. Example : elasticsearch: "http://"+window.location.hostname+":80"
  5. You're done, your kibana view is readonly ;)

##Addons ###Drop or filter access from internet to elasticsearch We use Netfilter with iptables command to restrict access to localhost only.

####Quick method

  1. Execute the following lines with root access :
iptables -A INPUT -p tcp -s localhost --dport 9200 -j ACCEPT
iptables -A INPUT -p tcp -s localhost --dport 9300 -j ACCEPT
iptables -A INPUT -p tcp --dport 9200 -j DROP
iptables -A INPUT -p tcp --dport 9300 -j DROP

####Durable method after reboots

  1. Create a init script : vi /etc/init.d/myIptables and write the following lines into it :
#! /bin/sh
### BEGIN INIT INFO
# Provides:          skeleton
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Example initscript
# Description:       This file should be used to construct scripts to be
#                    placed in /etc/init.d.
### END INIT INFO
iptables -A INPUT -p tcp -s localhost --dport 9200 -j ACCEPT
iptables -A INPUT -p tcp -s localhost --dport 9300 -j ACCEPT
iptables -A INPUT -p tcp --dport 9200 -j DROP
iptables -A INPUT -p tcp --dport 9300 -j DROP
  1. Make it executable, like this for example : chmod 755 /etc/init.d/myIptables
  2. Make it launchable after each reboot : update-rc.d myIptables defaults

####Or drastic method, local elasticsearch

  1. vi /etc/elasticsearch/elasticsearch.yml : uncomment and change the lines to
network.bind_host: 127.0.0.1
network.publish_host: 127.0.0.1
network.host: 127.0.0.1
  1. Restart the service : sudo service elasticsearch restart

Hope there is no security breach, otherwise please send your feedback to kibana-readonly@romaindauby.fr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment