Kibana 7.9.3 in sublocation in Nginx

For two days I have tried several configurations to run Kibana 7.9.3 (via docker-compose) at a sublocation (for developing on my local machine at https://localhost/analytics/) via Nginx, but it does not work. I hope someone can give me a hint as to what is wrong in my configuration.

Here is my configuration so far:

docker-compose:

elasticsearch:
  build: 
    context: ./ElasticStack/Elasticsearch
  container_name: analytics-elasticsearch
  expose:
    - "9200"

kibana:
  build: 
    context: ./ElasticStack/Kibana
  container_name: analytics-kibana
  expose:
    - "5601"

Dockerfile for Kibana:

FROM docker.elastic.co/kibana/kibana:7.9.3
COPY kibana.yml /usr/share/kibana/config/kibana.yml

kibana.yml:

server.host: kibana
server.basePath: /analytics
server.rewriteBasePath: false
elasticsearch.hosts: ["http://elasticsearch:9200"]

And my nginx.conf:

server {

    listen       80;
    server_name  localhost;

    access_log /var/log/nginx/access.log main_json;

    client_max_body_size 0;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://frontend:80;
        proxy_read_timeout 90;
        proxy_buffering off;
        proxy_request_buffering off;
    }

    location /analytics/ {

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        Connection "Keep-Alive";
        proxy_set_header        Proxy-Connection "Keep-Alive";

        rewrite ^/analytics/(.*)$ /$1 break;
        proxy_pass http://kibana:5601/analytics/;

        proxy_read_timeout      90;
        proxy_buffering         off;

        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    
    }

    ...

    listen 443 ssl;

    ssl_certificate /etc/nginx/xxx.crt;
    ssl_certificate_key /etc/nginx/xxx.key;
    
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

}

But it ends up with an error page of Kibana:

And also shows several errors in the console:

I know that on my development machine I can also run it without basepath and without a sublocation, only via 127.0.0.1:5601 (that works if I delete the config for basepath), but on my production server I want to have Kibana in a sublocation secured by basic auth.

I hope someone can help me with the right configuration :slight_smile:

Could you test nginx without this line? It shouldn't be necessary to strip away the prefix in the proxy, Kibana will handle that.

After some more hours of testing, I realized I had another mistake in my Nginx config (in a part I didn't mention in my previous post).

I had another location part for my own backend server:

location ~ /(auth|api) { ...

And this regex location config also matched for the Kibana api calls and routed them to the wrong location :man_facepalming:

I had to change it to

location ~ ^/(auth|api) { ...

So that the regex for my own API matches only if the location begins with "api", and not also for the Kibana API.

But you are also right, the rewrite part is not necessary and Kibana will handle it right. And I also needed to set rewriteBasePath to true in kibana.yml.

So my correct config is now the following:

kibana.yml

server.host: kibana
server.basePath: /analytics
server.rewriteBasePath: true
elasticsearch.hosts: ["http://elasticsearch:9200"]

nginx.conf

location /analytics/ {

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass  http://kibana:5601;

    proxy_read_timeout 90;
    proxy_buffering off;
    proxy_request_buffering off;

    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;

}

And now it is working :blush:
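The location-selection rule behind the misrouting described above, as an added example (not code from the thread): a small Python model of how nginx picks a location, showing that the unanchored regex wins over the `/analytics/` prefix block, so those requests also never reach that block's `auth_basic`. The backend labels and the sample request paths are constructed for illustration.

```python
import re

# Constructed location tables mirroring the thread: (modifier, pattern, label).
# Modifiers follow nginx syntax: "" prefix, "=" exact, "^~" prefix that
# suppresses regex checks, "~" / "~*" regex (case-sensitive / insensitive).
BEFORE = [
    ("", "/", "frontend"),
    ("", "/analytics/", "kibana (auth_basic)"),
    ("~", "/(auth|api)", "own backend"),
]
# Same table with the regex anchored, as in the corrected config.
AFTER = BEFORE[:2] + [("~", "^/(auth|api)", "own backend")]


def select_location(locations, uri):
    """Return the label of the location nginx would pick for a normalized URI."""
    best = None  # longest matching prefix location seen so far
    for mod, pattern, label in locations:
        if mod == "=" and uri == pattern:
            return label  # an exact match ends the search immediately
        if mod in ("", "^~") and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (mod, pattern, label)
    if best and best[0] == "^~":
        return best[2]  # ^~ on the longest prefix skips the regex phase
    for mod, pattern, label in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pattern, uri, flags):  # unanchored search, first hit wins
                return label
    return best[2] if best else None


def misrouted(locations, uris, expected):
    """List the URIs that do not land in the expected location."""
    return [u for u in uris if select_location(locations, u) != expected]


# Constructed sample request paths (illustrative, not taken from the thread).
SAMPLE_URIS = ["/analytics/app/home", "/analytics/api/status", "/api/users", "/auth/login"]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        for uri in SAMPLE_URIS:
            print(f"{name:6} {uri:24} -> {select_location(table, uri)}")
```

Running `misrouted()` over the paths that must stay behind basic auth gives a quick regression check whenever a regex location is added to the server block.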
