This guide assumes that you already have running NGINX and Kibana instances and mainly shows how you can configure a read-only Kibana instance or space by making use of NGINX configuration. In Kibana 6.5.4, spaces were introduced, which enable the admin to create different spaces and dashboards for different teams if required.

NGINX is a web server which can be used as a reverse proxy, load balancer, mail proxy and HTTP cache, while also giving you the ability to put basic authentication in front of your backend services.

More info can be found at NGINX

Kibana is an open source tool that lets you visualize your Elasticsearch data and navigate the Elastic Stack.

More info can be found at Elastic


Pre-requisites

  • This guide will be using the following:
    • NGINX 1.14.2
    • Kibana 6.5.4

NGINX Configuration for Kibana ReadOnly (Default)

  • The NGINX configuration itself is straightforward, but you need to watch the NGINX access log to see all the requests and redirections Kibana makes, so that the unneeded services can be disabled and only what is required is allowed. Any path that none of the specific location blocks matches falls through to the catch-all location / and is proxied unrestricted, so verify the path lists below against the Kibana version you run.
  • SSH to your NGINX instance and create a custom config file.
touch /etc/nginx/conf.d/kibana-readonly.conf
  • Enabling SSL

    • We will start by configuring SSL on the NGINX server block that fronts the Kibana service (the proxied connection to Kibana itself stays plain HTTP on port 5601). Change the server_name and certificate paths to match your environment.
####    Start for kibana-readonly       ####

server {
	listen                  443 ssl;
	listen                  [::]:443 ssl;
	server_name             kibana-readonly.mintopsblog.com;
	if ($host != $server_name) {
		return 404 $scheme://$server_name$request_uri;
	}

	ssl_password_file       "/opt/ssl/certificate/sslpassword";
	ssl_certificate         "/opt/ssl/certificate/mintopsblog.com.crt";
	ssl_certificate_key     "/opt/ssl/certificate/mintopsblog.com.key";
	ssl_session_cache       shared:SSL:1m;
	ssl_session_timeout     10m;
	ssl_ciphers             HIGH:!aNULL:!MD5;
	ssl_prefer_server_ciphers on;
  • Configuring the redirections

    • The below is the minimum needed to make Kibana function properly behind NGINX. It lets the redirections work while also putting basic HTTP authentication in front of Kibana; the browser's Authorization header is cleared before the request is proxied, so the basic-auth credentials are not passed on to Kibana.
    • For NGINX authentication, check the following: Basic HTTP Authorization
    • Change the proxy_pass hostname to match your Kibana instance.
location /
{
	auth_basic              "Authentication Required";
	auth_basic_user_file    /etc/nginx/authentication/.kibana-readonly;
	proxy_set_header        Host $host;
	proxy_set_header        X-Real-IP $remote_addr;
	proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header        X-Forwarded-Proto $scheme;
	proxy_pass              http://kibana.mintopsblog.com:5601;
	# Clear the browser's Basic-Auth credentials so they are not forwarded to Kibana
	proxy_set_header        Authorization "";
	proxy_hide_header       Authorization;
}

# Note: an unanchored "/api" alternative is deliberately NOT part of this regex.
# nginx uses the first matching regex location, so a generic "/api" match here
# would shadow the GET-only and "return 403" API blocks that follow it. Any /api
# request those blocks do not match still reaches Kibana through "location /".
location ~ (/app/kibana|/bundles|/plugins|/ui|/elasticsearch|/socket.io)
{
	auth_basic              "Authentication Required";
	auth_basic_user_file    /etc/nginx/authentication/.kibana-readonly;
	proxy_set_header        Host $host;
	proxy_set_header        X-Real-IP $remote_addr;
	proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header        X-Forwarded-Proto $scheme;
	proxy_pass              http://kibana.mintopsblog.com:5601;
	proxy_set_header        Authorization "";
	proxy_hide_header       Authorization;
}

  • Disable Create/Delete of Visualizations and Dashboards

    • This allows only the GET method on these saved-object endpoints, so the user can fetch saved visualizations and dashboards to view them, while create and delete of these saved objects are denied.
### Allow GET on some API
### (keep this block ahead of any broader regex location matching /api: the first regex match wins)
location ~* ^(/api/saved_objects/visualization|/api/index_patterns|/api/saved_objects/dashboard|/api/saved_objects/index-pattern)
{
	limit_except GET
	{
		deny all;
	}
	# Allowed GETs must still be authenticated and proxied; directives are not inherited from other locations
	auth_basic              "Authentication Required";
	auth_basic_user_file    /etc/nginx/authentication/.kibana-readonly;
	proxy_set_header        Host $host;
	proxy_pass              http://kibana.mintopsblog.com:5601;
	proxy_set_header        Authorization "";
	proxy_hide_header       Authorization;
}
  • Disable all other services which are not needed for the read-only users

    • These locations answer with HTTP 403 (Forbidden), which shows the custom 401/403 error page configured further below.
    • The API locations disable access to the following:
      • Dev Tools (not able to query)
      • Kibana Management (not able to change any settings)
      • Indexes (not able to view indexes)
      • Rollup Jobs (not able to view and create rollup jobs)
    • The APP locations disable access to the following:
      • Canvas
      • APM
      • Monitoring
      • Timelion
      • Infrastructure
      • Machine Learning
### Disable Kibana API
location ~* ^(/api/console/proxy|/api/index_management|/api/console/api_server|/api/index_patterns|/api/kibana/management|/api/license|/api/kibana/settings|/api/rollup)
{
	return 403;
	break;
}

### Disable Kibana APPs
location ~* ^(/app/canvas|/app/apm|/app/monitoring|/app/timelion|/app/infra|/app/ml|/es_admin)
{
	return 403;
	break;
}
  • Custom Error Pages

    • The custom error pages need to be placed inside a directory (e.g. /etc/nginx/html). The page matching the HTTP status code of the response is shown to the user.
#### Error Pages ####
error_page 401 403 /401.html;
location = /401.html {
	root /etc/nginx/html;
	internal;
}

error_page 400 404 /404.html;
location = /404.html {
	root /etc/nginx/html;
	internal;
}

error_page 500 501 502 503 504 /50x.html;
location = /50x.html {
	root /etc/nginx/html;
	internal;
}
}
####    End for kibana-readonly     ####

Combine all the above together (in order) to create the NGINX config file and test it out with your Kibana instance.
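As an added check that is not part of the original guide: a small Python model of nginx's location selection, run over the Default section's location blocks with the generic proxy regex still carrying an unanchored /api alternative, to show why such an alternative shadows the GET-only and "return 403" blocks that come after it, and what changes once the restrictive blocks are placed first. It models only prefix and regex locations (no "=" or "^~" locations, an assumption of the model), and 200 stands for "proxied to Kibana".

```python
import re

# Ordered location table transcribed from the "Default" config in this guide.
# kind is "prefix" or "regex"; nginx's "~*" (case-insensitive) flag becomes (?i).
# Assumption of this model: exact ("=") and "^~" locations are not represented.
DEFAULT_ORDER = [
    ("prefix", "/", "proxy"),
    ("regex", r"(/app/kibana|/bundles|/plugins|/ui|/elasticsearch|/socket.io|/api)", "proxy"),
    ("regex", r"(?i)^(/api/saved_objects/visualization|/api/index_patterns"
              r"|/api/saved_objects/dashboard|/api/saved_objects/index-pattern)", "get-only"),
    ("regex", r"(?i)^(/api/console/proxy|/api/index_management|/api/console/api_server"
              r"|/api/index_patterns|/api/kibana/management|/api/license"
              r"|/api/kibana/settings|/api/rollup)", "deny"),
    ("regex", r"(?i)^(/app/canvas|/app/apm|/app/monitoring|/app/timelion"
              r"|/app/infra|/app/ml|/es_admin)", "deny"),
]

# Same blocks with the restrictive ones placed ahead of the generic proxy regex.
REORDERED = [DEFAULT_ORDER[0]] + DEFAULT_ORDER[2:] + [DEFAULT_ORDER[1]]


def select_location(uri, locations):
    """Mimic nginx: remember the longest matching prefix location, then test the
    regex locations in file order; the first regex match wins, otherwise the
    prefix location is used. Returns (pattern, action)."""
    best = None
    for kind, pattern, action in locations:
        if kind == "prefix" and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, action)
    for kind, pattern, action in locations:
        if kind == "regex" and re.search(pattern, uri):
            return pattern, action
    return best


def expected_status(method, uri, locations):
    """HTTP status the read-only proxy would answer with, given the block nginx
    selects (200 stands for 'request proxied to Kibana')."""
    _, action = select_location(uri, locations)
    if action == "deny":
        return 403
    if action == "get-only" and method != "GET":
        return 403  # limit_except GET { deny all; }
    return 200

if __name__ == "__main__":
    for method, uri in [("GET", "/api/console/proxy"), ("POST", "/api/saved_objects/visualization"),
                        ("GET", "/app/canvas"), ("GET", "/app/kibana")]:
        print(f"{method} {uri}: blocks as listed -> {expected_status(method, uri, DEFAULT_ORDER)}, "
              f"restrictive blocks first -> {expected_status(method, uri, REORDERED)}")
```

Running it shows the Dev Tools proxy and a POST to the saved-objects API being proxied (200) under the shadowed order and denied (403) once the restrictive blocks come first, while /app/canvas is denied and /app/kibana proxied in both orders.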


NGINX Configuration for Kibana ReadOnly (with Spaces)

  • Should you need to create Kibana spaces for different teams in your organization, some extra NGINX configuration is needed to keep the read-only restrictions in place.
  • Most of the config remains the same as above, but each space gets its own URL prefix (e.g. /s/mintopsblog/), which has to be added to the NGINX location patterns.
  • The below completely disables access to the DEFAULT space and enables read-only access to the “mintopsblog” space that was created. Note that, unlike the default configuration, the blocks below carry no auth_basic directives; add them to each proxied location if the read-only instance should still require a login.
#### Start for kibana-readonly ####

server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name kibana-readonly.mintopsblog.com;
	if ($host != $server_name) {
	return 404 $scheme://$server_name$request_uri;
}

	ssl_password_file 	"/opt/ssl/certificate/sslpassword";
	ssl_certificate 	"/opt/ssl/certificate/mintopsblog.com.crt";
	ssl_certificate_key 	"/opt/ssl/certificate/mintopsblog.com.key";
	ssl_session_cache 	shared:SSL:1m;
	ssl_session_timeout 	10m;
	ssl_ciphers 		HIGH:!aNULL:!MD5;
	ssl_prefer_server_ciphers on;

	location /
	{
		proxy_set_header 	Host $host;
		proxy_set_header 	X-Real-IP $remote_addr;
		proxy_set_header 	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header 	X-Forwarded-Proto $scheme;
		proxy_pass 		http://kibana.mintopsblog.com:5601;
	}

	location ~ (/ui|/bundles|/plugins|/s/mintopsblog/app/kibana|/s/mintopsblog/bundles|/s/mintopsblog/plugins|/s/mintopsblog/ui|/s/mintopsblog/socket.io|/api/spaces/v1/space/mintopsblog|/s/mintopsblog/elasticsearch)
	{
		proxy_set_header 	Host $host;
		proxy_set_header 	X-Real-IP $remote_addr;
		proxy_set_header 	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header 	X-Forwarded-Proto $scheme;
		proxy_pass 		http://kibana.mintopsblog.com:5601;
	}

### Allow GET on some API
	location ~* ^(/s/mintopsblog/api/saved_objects/visualization|/s/mintopsblog/api/saved_objects/dashboard|/s/mintopsblog/api/saved_objects/index-pattern|/s/mintopsblog/api/index_patterns)
	{
		limit_except GET
		{
			deny all;
		}
		# Allowed GETs must still be proxied; proxy directives are not inherited from the other locations
		proxy_set_header 	Host $host;
		proxy_set_header 	X-Forwarded-Proto $scheme;
		proxy_pass 		http://kibana.mintopsblog.com:5601;
	}

### Disable Kibana SPACES
	location ~* ^(/api/spaces/v1/space/default)
	{
		return 403;
		break;
	}

### Disable Default API
	location ~* ^(/elasticsearch|/socket.io|/api|/api/console/proxy|/api/index_management|/api/console/api_server|/api/index_patterns|/api/kibana/management|/api/license|/api/kibana/settings|/api/rollup)
	{
		return 403;
		break;
	}

### Disable Default APP
	location ~* ^(/app/kibana|/app/canvas|/app/apm|/app/monitoring|/app/timelion|/app/infra|/app/ml|/es_admin)
	{
		return 403;
		break;
	}

### Disable MintOpsBlog Space API
	location ~* ^(/s/mintopsblog/api/console/proxy|/s/mintopsblog/api/index_management|/s/mintopsblog/api/console/api_server|/s/mintopsblog/api/index_patterns|/s/mintopsblog/api/kibana/management|/s/mintopsblog/api/license|/s/mintopsblog/api/kibana/settings|/s/mintopsblog/api/spaces/space|/s/mintopsblog/api/rollup)
	{
		return 403;
		break;
	}

### Disable MintOpsBlog Space APPs
	location ~* ^(/s/mintopsblog/app/canvas|/s/mintopsblog/app/apm|/s/mintopsblog/app/monitoring|/s/mintopsblog/app/timelion|/s/mintopsblog/app/infra|/s/mintopsblog/app/ml|/s/mintopsblog/es_admin)
	{
		return 403;
		break;
	}

#### Error Pages ####
	error_page 401 403 /401.html;
	location = /401.html {
		root /etc/nginx/html;
		internal;
	}

	error_page 400 404 /404.html;
	location = /404.html {
		root /etc/nginx/html;
		internal;
	}

	error_page 500 501 502 503 504 /50x.html;
	location = /50x.html {
		root /etc/nginx/html;
		internal;
	}
}

#### End for kibana-readonly ####

Hope this guide helps you out; if you have any difficulties, don’t hesitate to post a comment. Also, feel free to point out any improvements needed or mistakes made in the guides.

 
