Kibana behind ngix... proxying challenge?

Elastic Stack Kibana
1

Hi forum...

I'm playing around with elk, and once I start having nice dashboards there appears the question of proxy them in a controllable manner to some people.
Most of the doc around treats the nginx/kibana proxy matter as a same-host approach... but I'm truly wondering wether proxying from nginx public web server to an internal kibana stats server would be reachable.

This is something hard... I'm not an expert but when I tried the same thing with munin/rrd graphs it took me a lot of time to figure out the correct setup, as it involved the usage of nginx subs_filter in order to translate relative path replies coming from the server to understandable paths to the proxy/web client... no one at the munin comunity seemed to have done that before... it was hard but it finally worked.

Has anyone ever succeeded in proxying a remote, external, kibana dashboard (ie. a remote ELK stack server), form a front nginx server?

Thank you very much... best regards!

2

I'm getting closer... but still don't work

location /kibana/ {
subs_filter_types text/html text/css text/xml;
subs_filter href=" href="http://publicwebserver.example.com/kibana/;
subs_filter src=" src="http://publicwebserver.example.com/kibana/;

proxy_pass http://elkserver.example.net/;
proxy_read_timeout 90;
}

location /elasticsearch/_aliases$ {
proxy_pass http://elkserver.example.net/elasticsearch/_aliases;
proxy_read_timeout 90;
}

location /elasticsearch/.*/_aliases$ {
proxy_pass http://elkserver.example.net/;
proxy_read_timeout 90;
}

location /elasticsearch/_nodes$ {
proxy_pass http://elkserver.example.net/elasticsearch/_nodes;
proxy_read_timeout 90;
}

location /elasticsearch/.*/_search$ {
proxy_pass http://elkserver.example.net/;
proxy_read_timeout 90;
}

location /elasticsearch/.*/_mapping$ {
proxy_pass http://elkserver.example.net/;
proxy_read_timeout 90;
}

At least I can load js, css and lot of stuff...
now I'm dealing on how to proxy elasticsearch/_ndes _search etc, atc properly to the internal elkserver in order to it perform the actual query to elasticsearch.

Will post if further success, maybe someone is interested

3

What version are you proxying?

4

I'm proxying version 3 of kibana...

My Idea is to setup a small site in front of kibana, in order to control that only a securely loged in user can access exclusively a list of dashboards.

The small site is just a light sqlite driven site, with a login screen folled by a simple selector that will load into a div the proxied location (a remote kibana dashboard).
The idea is that I can control what the final user will see, and ensure i can prevent it to do strange things sucha as delete dashboards or freely navigate other dashboards or query elasticsearch, or at least make it hard to figure out...
This is something I did in the past with munin: by using a proxy, users cannot navigate beyond their graphs proxied site.

Also, I like to keep the actual graphing/statistics server away from users... and let them only acces via a proxy request from a regular web server.
I have seen some kibana - proxy projects in github doing something similar... but they seem to host kibana locally, so direct access to elasticsearch from the hosting server would be required. And I also like to have a small database and a litle php session environment to allow users to sigle sign on upon login and let them navigate their dashboards...

My problem is that since I did it with munin... I would like to have the same with ELK... I will share my success or my shame!!!! :smile:

5

There is an example config we provided for KB3 - https://github.com/elastic/kibana/blob/3.0/sample/nginx.conf - try to see if you can adopt that to your needs.

6

Got a very basic functional setup...

location /kibana/ {
subs_filter_types text/html text/css text/xml;
subs_filter href=" href="http://publicwebserver.example.com/kibana/;
subs_filter src=" src="http://publicwebserver.example.com/kibana/;

proxy_pass http://elkserver.example.net/;
proxy_read_timeout 90;
}

location /elasticsearch/ {
proxy_pass http://elkserver.example.net;
proxy_read_timeout 90;
}

This but behaves transparent... here some kind of control should be implemented in top of it

7

... saaaad but true...

Give up on this: anchor based urls and dynamic way to work makes it (at least at my knoledge level) impossible to proxy in a controllable manner using nginx: proxy all or nothing.

So, at the end, ELK falls short on the 'K'... it turned out to be a great tool for system admins, but once you got your dashboards you cannot share them safely: nothing prevents people from accesing other people data, destroying dashboards, etc...
Dashboards with disabled edit mode or .htaccess restrictions are just workaround, but nothing I would trust on.

I'm getting interested on shield... Also I'm using kibana 3, so maybe kibana 4 helps!

8

You could do a detailed proxy setup with ACLs to solve this.

But Shield is what you really want.

9

Aha... yes ACLs were my approach but I didnt suceed on handling URLs correctly.
Googling around I faced common assertions that nginx proxying process does not handle anchored (#) url parts.
I asked on the nginx forum to no avail... I don't dare to say this is not possible at all, but the matter is either too complex to my limited nginx knowledge level... or maybe even not possible at all.

Anyhow I've been reading about shield and yes! it effectiveley solves the question! ... but just on the backend part.
... without a propper frontend, I will deploy ELK just for internal/private usage... and for just internal/private usage I do not need shield.... overall I have the feeling the stack falls short just before the end line.

Anyhow... for internal usage I have decided to move to ELK all monitoring infraestructure! I'm loving it!!!!

10

Good to hear!