@mrichar1
Created September 20, 2013 16:52
Apache configuration to set Encryption and Authorisation for Kibana and Elasticsearch queries, with the option to restrict access to different indices.
#########################################################################################
# This configuration is based on that supplied here:
# https://github.com/elasticsearch/kibana/blob/master/sample/apache_ldap.conf
#
# The aim of this config is to set up encryption and authorisation on Kibana access.
# It also allows different authorisation rules for certain elasticsearch indexes.
#
# This config expects you to unpack kibana at /var/www/kibana/ and edit config.js to use
# https:// instead of http:// and port 443 instead of 9200
#
# Configure elasticsearch.yml to only listen on localhost:
# network.host: "127.0.0.1"
#
# Create a users file (/var/www/kibana.htpasswd) and group file (/var/www/kibana.htgroup)
# See: https://httpd.apache.org/docs/2.2/howto/auth.html for full details
#
# NOTE - When creating LocationMatch rules for specific indices, care must be taken
# to NOT use patterns that correspond to parts of (non-ES) URIs used by kibana!
#
# If in doubt find/grep your way through /var/www/kibana :)
#
#########################################################################################
# authn, authz modules
LoadModule authz_host_module /usr/lib64/httpd/modules/mod_authz_host.so
LoadModule auth_basic_module /usr/lib64/httpd/modules/mod_auth_basic.so
LoadModule auth_digest_module /usr/lib64/httpd/modules/mod_auth_digest.so
LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
LoadModule authn_file_module /usr/lib64/httpd/modules/mod_authn_file.so
LoadModule authz_groupfile_module /usr/lib64/httpd/modules/mod_authz_groupfile.so
# SSL and rewrite modules
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
LoadModule rewrite_module /usr/lib64/httpd/modules/mod_rewrite.so
# Proxying modules
LoadModule proxy_module /usr/lib64/httpd/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib64/httpd/modules/mod_proxy_http.so
LoadModule proxy_connect_module /usr/lib64/httpd/modules/mod_proxy_connect.so
# Redirect plain http to https
<VirtualHost log.host.tld:80>
    ServerName log.host.tld
    Redirect permanent / https://log.host.tld/
</VirtualHost>
<VirtualHost log.host.tld:443>
    ServerName log.host.tld
    DocumentRoot /var/www/kibana
    # General https (SSL) config
    SSLEngine On
    SSLCertificateFile /path/to/certs/log.host.tld.crt
    SSLCertificateKeyFile /path/to/certs/log.host.tld.key
    SSLCertificateChainFile /path/to/certs/log.host.tld.chain
    # Set up general proxying config
    <Proxy http://127.0.0.1:9200>
        ProxySet connectiontimeout=5 timeout=90
    </Proxy>
    # Require membership of group kibana to be able to access kibana (and elasticsearch indexes).
    # To limit access to specific indexes, see the LocationMatch rules below.
    <Location />
        AuthType Basic
        AuthName Kibana
        AuthUserFile /var/www/kibana.htpasswd
        AuthGroupFile /var/www/kibana.htgroup
        require group kibana
    </Location>
    # Set up proxying for elasticsearch requests
    <LocationMatch "^(/kibana-int/dashboard/|/kibana-int/temp).*$">
        ProxyPassMatch http://127.0.0.1:9200
        ProxyPassReverse http://127.0.0.1:9200
    </LocationMatch>
    # More proxying for elasticsearch requests
    <LocationMatch "^(/_aliases|.*/_search|.*/_mapping)$">
        ProxyPassMatch http://127.0.0.1:9200
        ProxyPassReverse http://127.0.0.1:9200
    </LocationMatch>
    # Require membership of group thursday to be able to access records from ES index logstash-2013.09.19
    <LocationMatch "logstash-2013.09.19">
        require group thursday
    </LocationMatch>
    # Require membership of group apache to be able to access records from ES indices prefixed with 'apache-'
    <LocationMatch "apache-">
        require group apache
    </LocationMatch>
</VirtualHost>
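
The NOTE in the header warns that index patterns must not collide with Kibana's own (non-ES) URIs. The script below is an added example, not part of the original gist, that checks this before deployment and also shows that the unescaped dots in logstash-2013.09.19 match any character. It assumes Python's re.search is a close enough stand-in for LocationMatch's unanchored regex matching on these simple patterns; the sample URIs, including /js/apache-panel.js, are constructed.

```python
import os
import re

# Index rules copied from the <LocationMatch> sections above: pattern -> group.
INDEX_RULES = {
    r"logstash-2013.09.19": "thursday",
    r"apache-": "apache",
}

# Constructed sample URIs (hypothetical, not from a real Kibana tree or log).
SAMPLE_STATIC = ["/index.html", "/config.js", "/js/apache-panel.js"]
SAMPLE_ES = [
    "/logstash-2013.09.19/_search",
    "/logstash-2013x09y19/_search",  # unescaped "." matches any character
    "/logstash-2013.09.20/_search",
    "/apache-2013.09.19/_mapping",
]


def groups_for(path, rules=INDEX_RULES):
    """Groups whose pattern matches path anywhere, as LocationMatch does."""
    return sorted({g for pat, g in rules.items() if re.search(pat, path)})


def kibana_uris(docroot):
    """Yield the URL path of every file under the Kibana document root."""
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(base, name), docroot)
            yield "/" + rel.replace(os.sep, "/")


def collisions(uris, rules=INDEX_RULES):
    """Static (non-ES) URIs that an index rule would also restrict."""
    hits = {uri: groups_for(uri, rules) for uri in uris}
    return {uri: groups for uri, groups in hits.items() if groups}


if __name__ == "__main__":
    docroot = "/var/www/kibana"  # path from the config header
    uris = kibana_uris(docroot) if os.path.isdir(docroot) else SAMPLE_STATIC
    for uri, groups in collisions(uris).items():
        print(f"COLLISION {uri}: would require group {groups}")
    for path in SAMPLE_ES:
        print(f"{path}: index rule groups = {groups_for(path)}")
```

Any COLLISION line means a user outside that group would be refused a static Kibana file; escaping the dots (logstash-2013\.09\.19) limits the first rule to the literal index name.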