Apache configuration to set Encryption and Authorisation for Kibana and Elasticsearch queries, with the option to restrict access to different indices.
######################################################################################### | |
# This configuration is based on that supplied here: | |
# https://github.com/elasticsearch/kibana/blob/master/sample/apache_ldap.conf | |
# | |
# The aim of this config is to set up encryption and authorisation on Kibana access. | |
# It also allows different authorisation rules for certain elasticsearch indexes. | |
# | |
# This config expects you to unpack kibana at /var/www/kibana/ and set config.js to be: | |
# https:// instead of http:// and 443 instead of 9200 | |
# | |
# Configure elasticsearch.yml to only listen on localhost: | |
# network.host: "127.0.0.1" | |
# | |
# Create a users file (/var/www/kibana.htpasswd) and group file (/var/www/kibana.htgroup) | |
# See: https://httpd.apache.org/docs/2.2/howto/auth.html for full details | |
# | |
# NOTE - When creating LocationMatch rules for specific indices, take care NOT to use
# patterns that also match parts of the (non-ES) URIs used by kibana itself!
#
# If in doubt, find/grep your way through /var/www/kibana :)
# | |
######################################################################################### | |
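# Modules needed by the virtual hosts below.
# (The trailing "| |" on each line of the listing was page-rendering residue; LoadModule
# takes exactly two arguments, so it has been stripped.)

# authn, authz modules
LoadModule authz_host_module /usr/lib64/httpd/modules/mod_authz_host.so
LoadModule auth_basic_module /usr/lib64/httpd/modules/mod_auth_basic.so
# NOTE(review): nothing in this file uses Digest authentication (AuthType is Basic below);
# this module can probably be dropped unless another config needs it - confirm.
LoadModule auth_digest_module /usr/lib64/httpd/modules/mod_auth_digest.so
LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
LoadModule authn_file_module /usr/lib64/httpd/modules/mod_authn_file.so
LoadModule authz_groupfile_module /usr/lib64/httpd/modules/mod_authz_groupfile.so

# SSL and rewrite modules
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
# NOTE(review): no Rewrite* directive appears in this file - confirm it is needed elsewhere.
LoadModule rewrite_module /usr/lib64/httpd/modules/mod_rewrite.so

# Proxying modules
LoadModule proxy_module /usr/lib64/httpd/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib64/httpd/modules/mod_proxy_http.so
# NOTE(review): mod_proxy_connect only adds CONNECT-method support, which the reverse-proxy
# rules below do not use; loading fewer proxy modules keeps the exposed surface smaller.
LoadModule proxy_connect_module /usr/lib64/httpd/modules/mod_proxy_connect.so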
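# Plain-http listener: serves no content and asks for no credentials. Every request is
# answered with a permanent redirect to the https virtual host, so the Basic-auth prompt
# (and the password it carries) only ever happens over TLS.
<VirtualHost log.host.tld:80>
    ServerName log.host.tld
    Redirect permanent / https://log.host.tld/
</VirtualHost>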
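# HTTPS virtual host: serves the static kibana files from DocumentRoot and reverse-proxies
# the Elasticsearch endpoints kibana needs to the node listening on localhost:9200.
# Everything under / requires an authenticated member of group "kibana"; two LocationMatch
# sections at the end set a different group for requests whose path names specific indices.
<VirtualHost log.host.tld:443>
    ServerName log.host.tld
    DocumentRoot /var/www/kibana

    # General https (SSL) config
    # NOTE(review): no SSLProtocol / SSLCipherSuite is set, so the build's defaults apply;
    # review them and disable legacy protocol versions for your httpd/OpenSSL release.
    SSLEngine On
    SSLCertificateFile /path/to/certs/log.host.tld.crt
    SSLCertificateKeyFile /path/to/certs/log.host.tld.key
    SSLCertificateChainFile /path/to/certs/log.host.tld.chain

    # Reverse proxy only: state explicitly that forward proxying stays off (this is also
    # the default), so the host can never be used as an open proxy.
    ProxyRequests Off

    # Set up general proxying config
    <Proxy http://127.0.0.1:9200>
        ProxySet connectiontimeout=5 timeout=90
    </Proxy>

    # Require membership of group kibana to be able to access kibana (and elasticsearch indexes).
    # To limit access to specific indexes, see the LocationMatch rules below.
    #
    # Basic auth sends the password with every request; it is only acceptable here because
    # this virtual host is TLS-only. Keep the htpasswd/htgroup files outside every
    # DocumentRoot on the server and readable only by the account httpd runs as.
    <Location />
        AuthType Basic
        AuthName Kibana
        # The directive is AuthUserFile (singular); "AuthUsersFile" is not a known
        # directive and makes httpd refuse to start.
        AuthUserFile /var/www/kibana.htpasswd
        AuthGroupFile /var/www/kibana.htgroup
        Require group kibana
    </Location>

    # Set up proxying for elasticsearch requests
    <LocationMatch "^(/kibana-int/dashboard/|/kibana-int/temp).*$">
        ProxyPassMatch http://127.0.0.1:9200
        ProxyPassReverse http://127.0.0.1:9200
    </LocationMatch>

    # More proxying for elasticsearch requests
    # Only these endpoints are forwarded; any other path is served from DocumentRoot.
    # Note that the ".*/" prefix forwards whatever index expression the client puts in
    # front of _search or _mapping - see the caveat on the per-index rules below.
    <LocationMatch "^(/_aliases|.*/_search|.*/_mapping)$">
        ProxyPassMatch http://127.0.0.1:9200
        ProxyPassReverse http://127.0.0.1:9200
    </LocationMatch>

    # ---- Per-index authorisation -------------------------------------------------------
    # CAVEAT: these rules match on the request *path* only. They apply when the index name
    # appears literally in the URL, but Elasticsearch can also resolve an index through
    # wildcards, comma-separated lists, aliases and _all, and the proxy rule above forwards
    # those expressions unchanged. Treat the rules below as a coarse filter, not as an
    # isolation boundary; where indices hold data with different sensitivity, enforce
    # access inside Elasticsearch (or use separate clusters), or replace the ".*/" proxy
    # patterns with an explicit allow-list of index names.
    #
    # These sections must stay after <Location />: sections are merged in file order, and
    # the Require given here takes the place of the inherited "Require group kibana"
    # rather than adding to it (NOTE(review): confirm for your httpd version).
    #
    # The patterns are unanchored regular expressions and "." matches any character, so
    # they match more paths than the literal index name. That errs on the side of
    # restricting, but see the NOTE in the file header about kibana's own URIs.

    # Require membership of group thursday to be able to access records from ES index logstash-2013.09.19
    <LocationMatch "logstash-2013.09.19">
        Require group thursday
    </LocationMatch>

    # Require membership of group apache to be able to access records from ES indices prefixed with 'apache-'
    <LocationMatch "apache-">
        Require group apache
    </LocationMatch>
</VirtualHost>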