Is it possible to configure Shield with Nginx?

security

(Cameron McAuley) #1

Previously with my ELK stack solution I had Kibana secured using an Nginx reverse proxy, configured with basic htpasswd authentication.

Recently I have been experimenting with the Shield plugin for both Elasticsearch and Kibana - mostly for some of the extra features it provides for Kibana and the authentication it provides for Elasticsearch. I am aware that without a license the functionality is very limited, but I don't think I need this 'extra' functionality anyway.

Is it possible to configure Shield with Nginx? When I try to access Kibana as I did before it will not function correctly, due to the fact that there is now Shield authentication which I presume is blocking it somehow.

Thanks


(Steve Kearns) #2

Hi Cameron,

You do need a license to use Shield - there are no capabilities without a proper license. That said, why do you want/need to use Shield in conjunction with a reverse proxy? What are you trying to accomplish?

Shield provides authentication, role-based access control, encrypted communications, field and document-level security, audit logging, API-based configuration, etc. In most cases, folks using Shield find that they no longer need a reverse proxy, so I'm curious to hear about your use-case.

Thanks,
Steve


(Cameron McAuley) #3

Hi Steve, thanks for replying.

According to the 'Managing Your License' page here, "When your license expires, Shield operates in a degraded mode where access to the Elasticsearch cluster health, cluster stats, and index stats APIs is blocked. Shield keeps on protecting your cluster, but you won’t be able to monitor its operation until you update your license."

Is this not the case that Shield still protects Elasticsearch with a degraded license?

The reason I was experimenting with Shield was due to the Shield UI plugin for Kibana.


(Steve Kearns) #4

Hi Cameron,

Indeed, when the license expires, we do not immediately disable the security capabilities - we didn't want to "fail open," in case your license expires temporarily, for example. When the Shield license expires, we do begin blocking all health and stats APIs, which prevents you from running with unlicensed Shield in production scenarios, in addition to the legal restrictions.

If you need an extended trial license, feel free to reach out to us at info@elastic.co!

Thanks,
Steve


(Cameron McAuley) #5

Ahh ok,

Thanks for clearing that up.

