Securing Kibana with Nginx Basic Auth

Introduction


If you don't have subscription for elasticsearch there is a better chance your elastic kibana setup for web development is susceptible to attacks with advent of shodan and ransomware it's quite easy these days for some automated attack is gonna affect your development environment.
It's easy to get lazy and dismiss the concern of getting hurt, we have all read stories of some poor company getting attacked or of a security expert blabbering about how easy it is to get access of a targets machine we get amazed by stupidity of victims or cunning whiff of the attacker but whatever the reason for our motivation, It’s easy to dismiss as long as the person or entity is not us.


Bottom line is I cant hold it against any of my readers, as dismissing the threat on account of third person suffering is human nature, I can only do my best to inform them to prevent it from happening in the first place so they can make an educated decision.


Technicalities


Now moving on to actual setup I have tend to keep things primitive so they are easy to adapt, we start with normal kibana and elasticsearch setup in docker compose and then we add nginx reverse proxy with basic auth setup for that we use dtans basic-nginx-auth-proxy.

Inside your development folder create docker-compose.yml file .

version: "3"
services:

  nginx:
    image: quay.io/dtan4/nginx-basic-auth-proxy:latest
    ports:
      - 8080:80
      - 8090:8090
    environment:
      - BASIC_AUTH_USERNAME
      - BASIC_AUTH_PASSWORD
      - PROXY_PASS=http://kibana:5601/
    networks: 
      - kibana

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4
    hostname: elasticsearch
    container_name: elasticsearch
    environment:
     - discovery.type=single-node
    expose:
     - 9200
    ulimits:
      memlock:
       soft: -1
       hard: -1
    volumes:
     - esdata1:/usr/share/elasticsearch/data
    networks:
     - kibana
    restart: always

  kibana:
    image: docker.elastic.co/kibana/kibana-oss:6.2.4
    container_name: kibana
    expose:
     - 5601
    depends_on:
     - elasticsearch
    networks:
     - kibana

volumes:
  esdata1:
    driver: local

networks:
    kibana: ~

Now next steps are to configure user name and pass by creating .env file in same directory with following contents.

BASIC_AUTH_USERNAME=admin 
BASIC_AUTH_PASSWORD=admin


All of the services are created inside a custom network called kibana if you plan to add your app please don't forget to add it.
You can use following command to spawn the services

docker-compose up -d

To inspect logs of services you can use

docker-compose logs -f --tail=10


After everything is up and running visit http://localhost:8080 to access kibana .

Moreover we are exposing nginx status on port 8090 which can be seen in browser by opening http://localhost:8090/nginx_status.

This can be used to further configure liveliness checks.

If you faced any difficulties following the tutorial you can refer to code on gitlab

kibana-nginx-reverse-proxy

Now your kibana is secure enjoy a good night sleep without worrying about your development infrastructure.