Securing Kibana with Nginx Basic Auth
If you don't have subscription for elasticsearch there is a better chance your elastic kibana setup for web development is susceptible to attacks with advent of shodan and ransomware it's quite easy these days for some automated attack is gonna affect your development environment.
It's easy to get lazy and dismiss the concern of getting hurt, we have all read stories of some poor company getting attacked or of a security expert blabbering about how easy it is to get access of a targets machine we get amazed by stupidity of victims or cunning whiff of the attacker but whatever the reason for our motivation, It’s easy to dismiss as long as the person or entity is not us.
Bottom line is I cant hold it against any of my readers as dismissing the threat on account of third person suffering is human nature, I can only do my best to inform them to prevent it from happening in the first place so they can make an educated decision.
Now moving on to actual setup I have tend to keep things primitive so they are easy to adapt, we start with normal kibana and elasticsearch setup in docker compose and then we add nginx reverse proxy with basic auth setup for that we use dtans basic-nginx-auth-proxy.
Inside your development folder create docker-compose.yml file .
version: "3" services: nginx: image: quay.io/dtan4/nginx-basic-auth-proxy:latest ports: - 8080:80 - 8090:8090 environment: - BASIC_AUTH_USERNAME - BASIC_AUTH_PASSWORD - PROXY_PASS=http://kibana:5601/ networks: - kibana elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4 hostname: elasticsearch container_name: elasticsearch environment: - discovery.type=single-node expose: - 9200 ulimits: memlock: soft: -1 hard: -1 volumes: - esdata1:/usr/share/elasticsearch/data networks: - kibana restart: always kibana: image: docker.elastic.co/kibana/kibana-oss:6.2.4 container_name: kibana expose: - 5601 depends_on: - elasticsearch networks: - kibana volumes: esdata1: driver: local networks: kibana: ~
Now next steps are to configure user name and pass by creating .env file in same directory with following contents.
All of the services are created inside a custom network called kibana if you plan to add your app please don't forget to add it.
You can use following command to spawn the services
docker-compose up -d
To inspect logs of services you can use
docker-compose logs -f --tail=10
After everything is up and running visit http://localhost:8080 to access kibana .
Moreover we are exposing nginx status on port 8090 which can be seen in browser by opening http://localhost:8090/nginx_status.
This can be used to further configure liveliness checks.
If you faced any difficulties following the tutorial you can refer to code on gitlab
Now your kibana is secure enjoy a good night sleep without worrying about your development infrastructure.