Elasticsearch + Kibana behind NGINX reverse proxy with TLS

Prerequisites:

  • Have Elasticsearch + Kibana installed
  • Have the server.basePath: "/kibana" option configured in your kibana.yml file

i. Install NGINX: apt install nginx

ii. Modify nginx.conf

In /etc/nginx/nginx.conf you should have a similar setup:

user  www-data;
worker_processes 4;
worker_rlimit_nofile 65535;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
  use epoll;
  worker_connections 16384;
}

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /var/log/nginx/access.log  main;

  sendfile       on;
  tcp_nopush     on;

  keepalive_timeout  65;

  include /etc/nginx/sites-enabled/*.conf;

}

The main logic is in the included .conf files in the sites-enabled folder.

iii. Create the logging.conf logic

First, you define two upstreams for your services, one for accessing Elasticsearch and one for the Kibana interface:

upstream elasticsearch {
    server 172.18.3.14:9200;
    keepalive 15;
}

upstream kibana {
    server 172.18.3.14:5601;
    keepalive 15;
}

After this comes your server block, defining the listening address, server name and setting up SSL:

server {

  # "ssl" on the listen socket replaces the "ssl on;" directive, which was
  # deprecated in nginx 1.15.0 and removed in 1.25.1.
  listen 172.18.3.14:443 ssl;
  server_name logger.yoursetup.com;

  ssl_certificate /path/to/your/certificate.crt;
  ssl_certificate_key /path/to/your/certificate_key.key;

  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_ciphers 'YOUR-CIPHER-SUITE';
  ssl_dhparam /etc/nginx/dhparam.pem;

  auth_basic "Your Company Restricted Area";
  auth_basic_user_file /path/to/your/basicauth.htpasswd;

Define the locations of your services:

  # Elasticsearch
  location / {

    proxy_pass http://elasticsearch;
    proxy_redirect off;
    proxy_buffering off;

    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";

  }

  # Kibana
  location /kibana/ {

    proxy_pass http://kibana;
    proxy_redirect off;
    proxy_buffering off;

    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";

    # Strip the /kibana prefix before the request is passed to Kibana
    rewrite ^/kibana/(.*)$ /$1 break;

  }

}

botanegg commented Jul 4, 2022

You can change your location to /kibana and the rewrite to rewrite /kibana\/?(.*)$ /$1 break; for better handling with/without a trailing slash.
It is also related to elastic/kibana#62144
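
The routing produced by the gist's location /kibana/ block and by the variant suggested in the comment above, modelled as an added example (not code from the gist, the commenter or nginx). It assumes Python's re matches these two simple patterns the way nginx's PCRE does, and it models only prefix-location selection, the trailing-slash 301 for proxied locations, and rewrite ... break.

```python
import re

# Prefix locations -> (upstream, rewrite rule or None), in nginx syntax.
# ORIGINAL mirrors the gist's server block.
ORIGINAL = {
    "/": ("elasticsearch", None),
    "/kibana/": ("kibana", (r"^/kibana/(.*)$", "/$1")),
}
# SUGGESTED mirrors the comment: location /kibana with an optional slash.
SUGGESTED = {
    "/": ("elasticsearch", None),
    "/kibana": ("kibana", (r"/kibana\/?(.*)$", "/$1")),
}
# Constructed sample request paths (not taken from the page).
SAMPLES = ["/kibana", "/kibana/", "/kibana/app/home",
           "/kibanafoo", "/_cluster/health"]


def route(locations, uri):
    """Return (upstream, uri sent upstream) or ("301", redirect path)."""
    # A proxied prefix location ending in "/" makes nginx answer 301 when
    # the request is that prefix without its trailing slash.
    if uri + "/" in locations:
        return ("301", uri + "/")
    # Among prefix locations, the longest matching prefix wins.
    prefix = max((p for p in locations if uri.startswith(p)), key=len)
    upstream, rewrite = locations[prefix]
    if rewrite:
        regex, replacement = rewrite
        match = re.search(regex, uri)  # unanchored unless the regex says so
        if match:
            # "break": keep the rewritten URI and stay in this location.
            uri = match.expand(replacement.replace("$1", r"\g<1>"))
    return (upstream, uri)


def compare(samples=SAMPLES):
    """Map each sample URI to its (original, suggested) routing result."""
    return {u: (route(ORIGINAL, u), route(SUGGESTED, u)) for u in samples}


if __name__ == "__main__":
    for uri, (orig, sugg) in compare().items():
        print(f"{uri:18} original={orig} suggested={sugg}")
```

With the suggested variant, a path that merely starts with /kibana (here /kibanafoo) is routed to Kibana as /foo instead of reaching the Elasticsearch location, because both the prefix and the regex lack a path-segment boundary.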

@boringtechnology1

I had a similar issue but fixed it another way. I have written a whole blog post about it.
