Created
August 7, 2016 22:58
Nginx configuration for Kibana-ElasticSearch read-only/read-write access
# Elasticsearch HTTP API, reached by nginx over loopback only.
# NOTE(review): this assumes Elasticsearch itself is not reachable from the
# network on 9200. If it is, clients can skip nginx and every access rule
# below with it; confirm the network.host setting and the host firewall.
upstream elasticsearch_upstream {
    server 127.0.0.1:9200;

    # Keep up to 15 idle upstream connections open per worker for reuse.
    keepalive 15;
}
# Kibana web application, reached by nginx over loopback only.
# NOTE(review): as with Elasticsearch, the read-only and admin split below
# only holds if 5601 is not directly reachable from the network; confirm.
upstream kibana_upstream {
    server 127.0.0.1:5601;
}
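# Kibana, public access, RO operations
##############################################################################################
# This listener has no auth_basic: anyone who can reach port 443 can read
# whatever Kibana can read. The only control here is the method/endpoint
# filter below, so treat every index visible to Kibana as public to that
# network.
server {
    listen 443 default_server ssl; # IPv4
    server_name _;

    ssl_certificate     /etc/pki/tls/certs/kibana-unix.crt;
    ssl_certificate_key /etc/pki/tls/private/kibana-unix.key;

    error_log  /var/log/nginx/kibana-errors.log;
    access_log /var/log/nginx/kibana.log;

    # Read only access to Kibana
    #   deny other than get/post/options/head
    #   allow post when used with _search/_msearch/_mget/_field_stats
    #   allow get/options/head
    #
    # $posting works as a small state machine: it must end up as "11" for
    # the request to pass. A POST starts at "1" and only gains the second
    # "1" when the URI names one of the read-style endpoints.
    set $posting 11;
    if ( $request_method !~ ^(GET|POST|OPTIONS|HEAD)$ ) { return 405; }
    if ( $request_method = POST ) { set $posting 1; }

    # $request_uri is the raw request line and includes the query string.
    # The pattern therefore requires the endpoint to be the LAST path
    # segment ([^?]+ cannot cross into the query string, and only an
    # optional "?..." may follow). Without that anchoring, text in the
    # query string or a longer segment that merely starts with "_search"
    # would satisfy the allow-list. Sub-resources of these endpoints are
    # no longer matched; add them explicitly here if a client needs them.
    if ( $request_uri ~ "^/[^?]+/(_search|_mget|_msearch|_field_stats)(\?.*)?$" ) { set $posting "${posting}1"; }

    # Safe methods always pass, whatever the URI matched above.
    if ( $request_method ~ ^(GET|OPTIONS|HEAD)$ ) { set $posting 11; }
    if ( $posting != 11 ) { return 403; }

    location / {
        proxy_pass http://kibana_upstream;
        proxy_redirect off;
        proxy_http_version 1.1;

        # NOTE(review): wildcard CORS on an unauthenticated listener lets
        # any web origin read these responses through a visitor's browser.
        # Restrict this to known origins unless the data is meant to be
        # public.
        add_header Access-Control-Allow-Origin *;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
    }
}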
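# Kibana, admin access R/W
##############################################################################################
# Same Kibana upstream as the public listener, but with no method filter:
# HTTP basic auth is the only gate for write access.
server {
    listen 8443 ssl; # IPv4
    server_name _;

    # Certificate path aligned with the 443 and 8000 listeners; the
    # original read "kibana-unix..crt" (doubled dot), which names a
    # different file from the one the other servers load.
    ssl_certificate     /etc/pki/tls/certs/kibana-unix.crt;
    ssl_certificate_key /etc/pki/tls/private/kibana-unix.key;

    error_log  /var/log/nginx/kibana-admin-errors.log;
    access_log /var/log/nginx/kibana-admin.log;

    location / {
        # Credentials only ever travel inside TLS on this listener.
        # The user file path is relative, so nginx resolves it against its
        # configuration prefix; keep the file readable by the nginx user
        # only. The Elasticsearch admin listener uses the same file, so a
        # Kibana admin account is also an Elasticsearch admin account.
        auth_basic "Kibana Admins";
        auth_basic_user_file htpasswd-admins;

        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
        proxy_pass http://kibana_upstream;
    }
}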
# Elasticsearch, admin access
##############################################################################################
# Proxies the whole Elasticsearch REST API with no method or path filter.
# Anyone holding a credential from htpasswd-admins can read, write and
# delete through this port.
server {
    listen 8000 ssl; # IPv4
    server_name _;

    ssl_certificate     /etc/pki/tls/certs/kibana-unix.crt;
    ssl_certificate_key /etc/pki/tls/private/kibana-unix.key;

    access_log /var/log/nginx/elasticsearch-admin.log;
    error_log  /var/log/nginx/elasticsearch-admin-errors.log;

    location / {
        # Basic auth is the only gate; the user file is shared with the
        # Kibana admin listener on 8443.
        auth_basic "Elasticsearch Admins";
        auth_basic_user_file htpasswd-admins;

        # Forward the client's identity and original Host to the upstream.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";

        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_pass http://elasticsearch_upstream;
    }
}
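# redirect http to https
# Every plain-HTTP request is sent to the root of the HTTPS site; the
# original path is not preserved.
server {
    listen 80;
    server_name _;

    # Build the target from $host, not $http_host. $http_host is the raw
    # Host header: it can carry a port (a request for "name:80" would be
    # redirected to https://name:80/) and is echoed back into the Location
    # header unchanged. $host is nginx's parsed host name without the port.
    rewrite ^ https://$host/ permanent;
}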