Clever Geek Handbook

Kibana 4, Logstash dashboard: how do I require Nginx authentication on save, but allow anonymous views?

I would like to require auth_basic nginx authentication to keep all kibana 4 dashboards, but allow anyone to view the dashboards without being authenticated.

I recently installed ELK stacks (Elasticsearch 1.4.5, Logstash 1: 1.5.2-1 and Kibana 4.1.1) on Ubuntu 14.04 using the DigitalOcean tutorial .

Since kibana uses browser based javascript to send requests to elasticsearch, I'm not sure how to determine what to protect.

DigitalOcean provides nginx configuration to fully provide access to kibana 4.

FILE:/etc/nginx/sites-available/default
server {
    listen      80;
    return 301 https://logstash.nyc.3top.com;
}
server {
    listen 443;

    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    server_name logstash.example.com;
    access_log /var/log/nginx/kibana.access.log;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Elastic provided nginx with a sample configuration to accomplish this for Kibana 3 but not Kibana 4:

server {
  listen                *:80 ;

  server_name           kibana.myhost.org;
  access_log            /var/log/nginx/kibana.myhost.org.access.log;

  location / {
    root  /usr/share/kibana3;
    index  index.html  index.htm;
  }

  location ~ ^/_aliases$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_aliases$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/_nodes$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_search$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_mapping {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }

  # Password protected end points
  location ~ ^/kibana-int/dashboard/.*$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
    }
  }
  location ~ ^/kibana-int/temp.*$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
    }
  }
}

Does anyone know how to do this for Kibana 4?

Here are my config files for elasticsearch and kibana:

/etc/elasticsearch/elasticsearch.yml

network.host: localhost

/opt/kibana/config/kibana.yml

port: 5601
host: "localhost"
elasticsearch_url: "http://localhost:9200"
elasticsearch_preserve_host: true
kibana_index: ".kibana"
default_app_id: "discover"
request_timeout: 300000
shard_timeout: 0
verify_ssl: true
bundled_plugin_ids:
 - plugins/dashboard/index
 - plugins/discover/index
 - plugins/doc/index
 - plugins/kibana/index
 - plugins/markdown_vis/index
 - plugins/metric_vis/index
 - plugins/settings/index
 - plugins/table_vis/index
 - plugins/vis_types/index
 - plugins/visualize/index
+3


source to share


1 answer


You may need to use nginx conditional constraint to achieve this goal . This sense can be a good starting point. Let me know if this works for you.



0


source






More articles:


All Articles