HugeServer Knowledgebase

How to Secure Kibana using Nginx as a reverse proxy on CentOS 7

Introduction

Kibana is an open-source visualization and analytics platform designed to work with Elasticsearch. Kibana is used to search and view the data that is stored in Elasticsearch indices. You can easily visualize your data and create charts, tables, maps, and pie charts with it. Kibana has a dynamic browser-based interface that makes it easy to understand large volumes of data, and it can display changes in Elasticsearch queries in real time.

For now, Kibana has no security or authentication of its own, so keeping it listening only on localhost may be OK, but what if you want to access it over the internet? In this tutorial, we are going to install and configure Nginx as a reverse proxy for Kibana so that visitors get an authentication prompt using HTTP authentication.

We assume that you have root permission; otherwise, you may start the commands with “sudo”.

Install Nginx

First of all, we have to enable the EPEL repository, which provides the Nginx package:

yum install epel-release

Now you can install Nginx using YUM:

yum install nginx

After the installation is finished, execute the following commands to start your Nginx service and make it run at startup:

systemctl start nginx

systemctl enable nginx

Install and configure “httpd-tools”

To set up HTTP authentication we will need the “.htaccess” and “.htpasswd” files; we can get both of them by installing the “httpd-tools” package:

yum install httpd-tools

After the installation process has finished, we can create a “.htpasswd” file to store our credential data, such as usernames and passwords, in an encrypted format. Using the command below you can create a user with a password (make sure to replace “username” with your preferred value):

htpasswd -c /etc/nginx/.htpasswd username

Executing the above command will prompt you to choose and verify your password.

Your authentication data is stored in the following path; you can open it with the command below:

nano /etc/nginx/.htpasswd

Configuring Nginx

In this section, we are going to configure Nginx to act as a proxy, so that it directs authenticated users to “localhost:5601”.

Open the Nginx configuration file with the command below:

nano /etc/nginx/nginx.conf

Find the “server” directive and change it as shown below:

server {
  listen *:80;
  server_name _;
  location / {
    proxy_pass http://localhost:5601;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
  }
}

Save and exit.

Check that your configuration is valid:

nginx -t

You should get the following output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the Nginx service for the changes to take effect:

systemctl restart nginx

Install Kibana

We are going to install the latest stable version of Kibana, which is 5.5 at the time of writing this article. We will download the “RPM” package and install it.

wget https://artifacts.elastic.co/downloads/kibana/kibana-5.5.0-x86_64.rpm

Run the following command to install the downloaded package:

rpm -ivh kibana-5.5.0-x86_64.rpm

After the installation is finished, execute the following commands to start Kibana and make it run at startup:

systemctl daemon-reload

systemctl start kibana

systemctl enable kibana

For accessing the web interface you should enable the default port in the Kibana configuration. Execute the following command to open “kibana.yml” with the text editor:

nano /etc/kibana/kibana.yml

Find the line that refers to “server.port” and uncomment it, then save and exit.

Now restart the Kibana service for the change to take effect:

systemctl restart kibana

Finally, you can open your browser and visit your domain or your public IP address. You will be prompted for authentication and then directed to the Kibana web panel.
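The script below is an added example, not part of the original tutorial: a static audit of the files this procedure edits, so that a missing password prompt or a directly reachable Kibana is caught before the host faces the internet. The function names are hypothetical, the checks are line-based and assume the single server block shown above, and the loopback check assumes Kibana 5.x falls back to localhost when “server.host” is left commented out.

```shell
#!/usr/bin/env bash
# Added example: static audit of the files edited in this tutorial.
# Function names are hypothetical; checks are line-based and assume the single
# server block shown above.

# Fail when the password file is missing, empty, or readable by every local user.
check_htpasswd() {
  [ -s "$1" ] || { echo "FAIL: $1 is missing or empty"; return 1; }
  if [ -n "$(find "$1" -perm -004)" ]; then
    echo "FAIL: $1 is world-readable (consider chown root:nginx; chmod 640)"
    return 1
  fi
  echo "OK: $1"
}

# Fail when the Kibana proxy lacks auth_basic or a usable auth_basic_user_file.
check_nginx_conf() {
  local conf="$1" userfile
  grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+http://(localhost|127\.0\.0\.1):5601' "$conf" \
    || { echo "FAIL: no proxy_pass to port 5601 in $conf"; return 1; }
  if ! grep -Eq '^[[:space:]]*auth_basic[[:space:]]+[^;]+;' "$conf" ||
     grep -Eq '^[[:space:]]*auth_basic[[:space:]]+"?off"?[[:space:]]*;' "$conf"; then
    echo "FAIL: auth_basic is absent or off in $conf"; return 1
  fi
  userfile=$(sed -n 's/^[[:space:]]*auth_basic_user_file[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" | head -n 1)
  [ -n "$userfile" ] || { echo "FAIL: no auth_basic_user_file in $conf"; return 1; }
  check_htpasswd "$userfile"
}

# Fail when kibana.yml binds Kibana to a non-loopback address: clients could then
# reach port 5601 directly and never see the proxy's password prompt.
check_kibana_yml() {
  local host
  [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
  host=$(sed -n 's/^[[:space:]]*server\.host:[[:space:]]*\([^#]*\).*/\1/p' "$1" | tr -d "\"' \r" | head -n 1)
  case "$host" in
    ""|localhost|127.0.0.1) echo "OK: Kibana bound to ${host:-localhost (default)}" ;;
    *) echo "FAIL: server.host is $host, expected a loopback address"; return 1 ;;
  esac
}

# Run both checks; the default paths are the ones used in this tutorial.
audit_kibana_proxy() {
  local rc=0
  check_nginx_conf "${1:-/etc/nginx/nginx.conf}" || rc=1
  check_kibana_yml "${2:-/etc/kibana/kibana.yml}" || rc=1
  return "$rc"
}
```

Source the file and run audit_kibana_proxy as root after the final restart; each FAIL line names the file that needs attention.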

4 thoughts on “How to Secure Kibana using Nginx as a reverse proxy on CentOS 7”

  1. You can improve security further by binding kibana to 127.0.0.1 instead of 0.0.0.0.
    An adversary would either have to be on the machine to use kibana directly, or tinker with the iptables mangle settings to pass through the loopback interface.

  2. Awesome article. FYI for anyone else
    I had to ‘touch /etc/nginx/.htpasswd’ before I ran ‘htpasswd -c /etc/nginx/ username’.
    Also afterwards if I run ‘htpasswd /etc/nginx/ username’ (without -c) you can add multiple users/credentials
