Elasticsearch and Kibana vhost that doesn't let me view logs from a computer without access to the elasticsearch server's port 9200
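# Plain-HTTP virtual host. It serves no content of its own: the rewrite rule
# at the bottom sends every request to the HTTPS virtual host, so the
# Basic-auth credentials required there never travel in clear text.
<VirtualHost *:80>
    ServerAdmin admin@email.tld
    ServerName elasticsearch.domain.tld
    ServerAlias kibana.domain.tld

    DocumentRoot /var/www/log-elasticsearch/docroot
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/log-elasticsearch/docroot>
        Options -Indexes FollowSymLinks -MultiViews
        # NOTE(review): "AllowOverride all" lets any .htaccess file under the
        # docroot change server behaviour. A docroot holding only static
        # Kibana files should not need it; consider "AllowOverride None".
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/elasticsearch.domain.tld.error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/elasticsearch.domain.tld.log combined

    # Redirect all traffic to SSL. R=301 makes the external redirect explicit
    # and L stops further rewrite processing for the request.
    # NOTE(review): the redirect target is built from the client-supplied Host
    # header. If this is the default vhost for *:80, requests carrying an
    # arbitrary Host header are redirected to that host; use a fixed host name
    # in the target if one canonical name is acceptable.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>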
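# HTTPS virtual host. It is only defined when mod_ssl is loaded. It serves the
# Kibana static files from the docroot, reverse-proxies a small set of
# Elasticsearch URLs to the local node, and requires LDAP-backed Basic
# authentication for everything under /.
#
# NOTE(review): the access-control directives used here (Order/Allow,
# Satisfy, AuthzLDAPAuthoritative) are Apache 2.2 syntax; confirm the target
# server version before deploying.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin admin@email.tld
    ServerName elasticsearch.domain.tld
    ServerAlias kibana.domain.tld

    DocumentRoot /var/www/log-elasticsearch/docroot
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/log-elasticsearch/docroot>
        Options -Indexes FollowSymLinks -MultiViews
        # NOTE(review): "AllowOverride All" lets any .htaccess file under the
        # docroot change server behaviour. A docroot holding only static
        # Kibana files should not need it; consider "AllowOverride None".
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    # SSL Info
    # NOTE(review): no SSLProtocol / SSLCipherSuite is set here, so the
    # server-wide values apply. Check that those disable the legacy protocol
    # versions; a setting added in this vhost would override the global one.
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/CERT
    # The private key file should be readable by root only.
    SSLCertificateKeyFile /etc/apache2/ssl/KEY
    SSLCACertificateFile /etc/apache2/ssl/CA
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [7-9]" ssl-unclean-shutdown

    ErrorLog ${APACHE_LOG_DIR}/ssl-elasticsearch.domain.tld.error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl-elasticsearch.domain.tld.log combined

    # Reverse proxy only: ProxyRequests Off keeps this host from acting as an
    # open forward proxy.
    ProxyRequests Off
    # SSLProxyEngine is only needed when a backend is reached over https; the
    # backend configured below is plain http on the loopback interface.
    SSLProxyEngine On

    # Set global proxy timeouts.
    # The <Proxy> URL has to match the backend URL used by the ProxyPassMatch
    # lines below (http://127.0.0.1:9200); otherwise the timeouts are attached
    # to a backend that is never used.
    <Proxy http://127.0.0.1:9200>
    # <Proxy http://elasticsearch.domain.tld:9200>
        ProxySet connectiontimeout=5 timeout=90
    </Proxy>

    # Only the URL patterns listed in the two LocationMatch sections below are
    # forwarded to Elasticsearch. This restriction is only effective if port
    # 9200 cannot be reached directly: bind Elasticsearch to 127.0.0.1 or
    # firewall the port.

    # Proxy for _aliases and .*/_search
    # NOTE(review): ".*/_search" matches every index, so every authenticated
    # user can search all indices on the node.
    <LocationMatch "^(/_aliases|.*/_search)$">
        ProxyPassMatch http://127.0.0.1:9200
        ProxyPassReverse http://127.0.0.1:9200
    </LocationMatch>

    # Proxy for kibana-int/{dashboard,temp} stuff (if you don't want auth on /, then you will want these to be protected)
    # NOTE(review): all HTTP methods are forwarded, so every authenticated
    # user can also overwrite or delete saved dashboards. Restrict the methods
    # (for example with <LimitExcept>) if that is not intended.
    <LocationMatch "^(/kibana-int/dashboard/|/kibana-int/temp).*$">
        ProxyPassMatch http://127.0.0.1:9200
        ProxyPassReverse http://127.0.0.1:9200
    </LocationMatch>

    # Authentication for the whole site, including the proxied URLs above.
    <Location />
        # Enabling the three lines below lets requests from the listed address
        # in WITHOUT authentication ("Satisfy any" accepts either the host
        # rule or a valid login).
        #Allow from 5.6.7.8
        #Deny from all
        #Satisfy any

        # The bind password is stored in clear text in this file: keep the
        # file readable by root only, and use a bind account that has
        # read-only search rights and nothing else.
        AuthLDAPBindDN "BINDUSER"
        AuthLDAPBindPassword "PASSWORD"
        # Use an ldaps:// URL (or add STARTTLS after the URL) so the bind
        # password and the users' passwords are not sent to the directory in
        # clear text.
        AuthLDAPURL LDAPURL
        # Basic auth sends the password with every request; that is acceptable
        # here only because this vhost is HTTPS-only.
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Please authenticate for kibana"
        AuthzLDAPAuthoritative on
        # One line per permitted user. Several user ids may also be listed on
        # a single "Require ldap-user" line, or a directory group can be used
        # with "Require ldap-group".
        Require ldap-user userid
        Require ldap-user userid
        Require ldap-user userid
        Require ldap-user userid
        Require ldap-user userid
        Require ldap-user userid
        Require ldap-user userid
        Require ldap-user userid
        Require ldap-user userid
        Require ldap-user userid
    </Location>
</VirtualHost>
</IfModule>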