@r0mdau
Last active July 29, 2020 06:54
Kibana readonly over internet

Kibana Readonly

With this tip, Kibana can't be modified, so you can share its URI with anyone on the internet. It is a network-level method: an nginx proxy in front of Elasticsearch protects Kibana from changes by anonymous users.

Quick start

  1. You need a working Kibana exposed over HTTP on the internet.
  2. On the same server as Elasticsearch, install nginx: apt-get install nginx
  3. In the directory /etc/nginx/sites-available, create a new file and edit it, for example: vi /etc/nginx/sites-available/kibana-readonly
  4. Write the following configuration:
server {
    listen   80;
    server_name _URI_;

    set $posting 11;
    if ( $request_method !~ ^(GET|POST|OPTIONS)$ ) {
        return 405;
    }

    if ( $request_method = POST ) {
        set $posting 1;
    }

    if ( $request_uri ~ ^/(.+)/_search(.*)$ ){
        set $posting "${posting}1";
    }

    if ( $request_method = OPTIONS ) {
        set $posting 11;
    }

    if ( $request_method = GET ) {
        set $posting 11;
    }

    if ( $posting != 11 ){
        return 400;
    }

    location / {
        proxy_pass http://localhost:9200/;
    }
}
  5. Replace _URI_ with the public URI of Elasticsearch. You can also change the port (the value next to listen).
  6. Then add this file to the enabled sites: ln -s /etc/nginx/sites-available/kibana-readonly /etc/nginx/sites-enabled
  7. Reload nginx: service nginx reload
  8. In the Kibana root directory, edit config.js and set the elasticsearch attribute to use the port number specified in the kibana-readonly file. Example: elasticsearch: "http://"+window.location.hostname+":80"
  9. You're done, your Kibana view is read-only ;)
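
To see which requests the configuration above lets through, here is a small Python model of its $posting logic. It is an added example, not part of the original gist; it assumes nginx runs the server-level if/set/return directives in file order, and the index name and sample requests are constructed.

```python
import re

# Assumption: nginx evaluates these server-level rewrite directives in file
# order; $request_uri is the full original URI, query string included.
ALLOWED = re.compile(r"^(GET|POST|OPTIONS)$")
SEARCH = re.compile(r"^/(.+)/_search(.*)$")


def gate(method, request_uri):
    """Return the status the gate emits, or None when the request is proxied."""
    posting = "11"                      # set $posting 11;
    if not ALLOWED.search(method):      # $request_method !~ ^(GET|POST|OPTIONS)$
        return 405
    if method == "POST":
        posting = "1"                   # a POST must earn its second "1"
    if SEARCH.search(request_uri):
        posting += "1"                  # set $posting "${posting}1";
    if method in ("OPTIONS", "GET"):
        posting = "11"                  # GET and OPTIONS always reset to 11
    if posting != "11":
        return 400
    return None


# Constructed sample requests (the index name is made up for illustration).
SAMPLES = [
    ("GET", "/logstash-2015.12.01/_search"),
    ("GET", "/_nodes"),
    ("OPTIONS", "/logstash-2015.12.01/_search"),
    ("POST", "/logstash-2015.12.01/_search"),
    ("POST", "/logstash-2015.12.01/event"),
    ("POST", "/_search"),
    ("PUT", "/logstash-2015.12.01/event/1"),
    ("DELETE", "/logstash-2015.12.01"),
    ("HEAD", "/"),
]

if __name__ == "__main__":
    for method, uri in SAMPLES:
        verdict = gate(method, uri)
        print(f"{method:7} {uri:32} -> {verdict or 'proxied to :9200'}")
```

The model shows that every GET is proxied whatever its path, so the gate only constrains the other methods. It also shows that HEAD is answered with 405 and that a POST to /_search without an index prefix gets 400, because the pattern requires at least one path segment before /_search.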

Addons

Drop or filter access from internet to elasticsearch

We use Netfilter, through the iptables command, to restrict access to the Elasticsearch ports (9200 and 9300) to localhost only.

Quick method

  1. Execute the following lines with root access:
iptables -A INPUT -p tcp -s localhost --dport 9200 -j ACCEPT
iptables -A INPUT -p tcp -s localhost --dport 9300 -j ACCEPT
iptables -A INPUT -p tcp --dport 9200 -j DROP
iptables -A INPUT -p tcp --dport 9300 -j DROP

Durable method after reboots

  1. Create an init script: vi /etc/init.d/myIptables and write the following lines into it:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          myIptables
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Restrict Elasticsearch ports to localhost
# Description:       Accepts TCP 9200 and 9300 from localhost and drops
#                    the same ports from every other source.
### END INIT INFO
# The ACCEPT rules must come first: iptables stops at the first matching rule.
iptables -A INPUT -p tcp -s localhost --dport 9200 -j ACCEPT
iptables -A INPUT -p tcp -s localhost --dport 9300 -j ACCEPT
# Everything else reaching these ports is dropped.
iptables -A INPUT -p tcp --dport 9200 -j DROP
iptables -A INPUT -p tcp --dport 9300 -j DROP
  2. Make it executable, for example: chmod 755 /etc/init.d/myIptables
  3. Make it run at each boot: update-rc.d myIptables defaults

Or the drastic method: local-only Elasticsearch

  1. Edit the configuration file with vi /etc/elasticsearch/elasticsearch.yml, then uncomment these lines and change them to:
network.bind_host: 127.0.0.1
network.publish_host: 127.0.0.1
network.host: 127.0.0.1
  2. Restart the service: sudo service elasticsearch restart

Hope there is no security breach, otherwise please send your feedback to kibana-readonly@romaindauby.fr

@openhoat

openhoat commented Dec 1, 2015

Nice! It's exactly what I've been looking for.

Some errors appear with this nginx configuration.

With this update, everything's fine:

...
if ( $request_method !~ ^(GET|POST|OPTIONS|HEAD)$ ) {
    return 405;
}
...
if ( $request_uri ~ ^/(.+)/(_search|_mget|_msearch)(.*)$ ){
    set $posting "${posting}1";
}
...
if ( $request_method = HEAD ) {
    set $posting 11;
}
...

@r0mdau
Author

r0mdau commented Jun 17, 2016

Thank you @openhoat for your feedback.

I wrote this for Kibana v3; I don't know if it works well for Kibana v4.

@sscarduzio

This is very hacky. I encourage you to try the Elasticsearch plugin I wrote to address this specific use case in a secure way. https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin
