Logging into elk stack brings me to elasticsearch json page

I set up an elk stack, and I initially got to kibana by browsing to my FQDN. Now it takes me to a json block like this:

{
  "name" : "ubuntu-elk",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "UVOrZ8a3T669Ft2_-E7jlw",
  "version" : {
    "number" : "7.17.18",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "8682172c2130b9a411b1bd5ff37c9792367de6b0",
    "build_date" : "2024-02-02T12:04:59.691750271Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

How do I get back to the kibana login?

Here are the only uncommented lines in my kibana.yml:

server.port: 5601
server.host: "ubuntu-elk.<mydomain>.com"
server.publicBaseUrl: "ubuntu-elk.<mydomain>.com"
server.name: "ubuntu-elk.<mydomain>.com"
elasticsearch.hosts: ["http://localhost:9200"]
enterpriseSearch.host: 'http://localhost:3002'

and the uncommented lines of my elasticsearch.yml

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: fasle

Please let me know what else I need to provide.

Vickistan

I added this to both elasticsearch.yml and kibana.yml (replaced the line I show above), so now I get my login prompt again.

xpack.security.enabled: True

I still don't understand what I need to change to get back into kibana. Here is netstat -ntlp which shows that both port 9200 and 9300 are configured for localhost only:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9200          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9300          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9600          0.0.0.0:*               LISTEN      -  

I have the nginx config set up to reverse proxy:

server {
       listen         80;
       server_name    ubuntu-elk.<mydomain> www.ubuntu-elk.<mydomain>;
       return 301 https://ubuntu-elk.<mydomain>;
       auth_basic "Restricted Access";
       auth_basic_user_file /etc/nginx/htpasswd.users;

       location / {
           proxy_pass https://$host$request_uri:5601;
           # proxy_pass http://localhost:5601;
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection 'upgrade';
           proxy_set_header Host $host;
           proxy_cache_bypass $http_upgrade;
       }
}
server {
    listen 443 ssl;
    server_name ubuntu-elk.<mydomain> www.ubuntu-elk.<mydomain>;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate /etc/nginx/ssl/ubuntu-elk.<mydomain>.crt;
    ssl_certificate_key /etc/nginx/ssl/ubuntu-elk.<mydomain>.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    access_log /var/log/nginx/sub.log combined;
    location / {
        proxy_pass http://localhost:9200;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

You need to redirect to the 5601 port and not 9200 I guess. You need to check your nginx settings I think.

@dadoonet Thanks for that. I am closer. I can get to elasticsearch from the command line with this: curl -u elastic http://localhost:9200

I think I was confused on what parts of the stack need to be https and what need to be http. I thought that kibana needed to be https, but since I am fronting it with nginx, it probably doesn't need to be. Can both elasticsearch and kibana use localhost if nginx has a proxy_pass like this:

proxy_pass http://localhost:5601;

**I have that proxy pass in both the port 80 and port 443 sections, btw.

netstat -ntlp shows this:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:9200          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9300          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9600          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.1.1:5601          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      - 

I am seeing a Bad Gateway error when I try to access it from an outside system, and this is showing in the logs:

2024/03/15 20:52:53 [error] 3220#3220: *6 no live upstreams while connecting to upstream, client: 104.15.186.251, server: ubuntu-elk.<mydomain>, request: "GET /favicon.ico HTTP/1.1", upstream: "http://localhost/favicon.ico", host: "ubuntu-elk.<mydomain>", referrer: "https://ubuntu-elk.<mydomain>/"

I suspect I am just missing some obvious little detail.

Thanks in advance,
Vickistan

I had to step away to see that kibana was running on 127.0.1.1 instead of 127.0.0.1. Thanks for the assistance. Closing this issue out now.
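The two faults in this thread (the port-443 block handing the Elasticsearch HTTP API to outside clients, then `proxy_pass` to `localhost:5601` while Kibana listened on 127.0.1.1) can both be caught by comparing nginx upstreams with the listening sockets. The following is an added example, not part of the original posts; the function names, finding labels and sample input are constructed, and it assumes `localhost` resolves to 127.0.0.1.

```python
import re

# Constructed input modelled on the thread's second netstat listing.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp   0 0 127.0.0.1:9200  0.0.0.0:*  LISTEN  -
tcp   0 0 0.0.0.0:443     0.0.0.0:*  LISTEN  -
tcp   0 0 127.0.1.1:5601  0.0.0.0:*  LISTEN  -
"""

def nginx_block(upstream):
    """Constructed port-443 server block with a single proxy_pass target."""
    return ("server {\n  listen 443 ssl;\n  location / {\n"
            f"    proxy_pass {upstream};\n  }}\n}}\n")

def listeners(netstat_text):
    """Return {port: {addresses}} for TCP sockets in LISTEN state."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            found.setdefault(int(port), set()).add(addr)
    return found

def check_proxy_pass(nginx_text, netstat_text, es_port=9200):
    """Flag uncommented proxy_pass targets that expose Elasticsearch or
    point at an address/port pair nothing is listening on."""
    socks = listeners(netstat_text)
    findings = []
    pattern = r"^\s*proxy_pass\s+https?://([^:/;\s]+):(\d+)"
    for host, port in re.findall(pattern, nginx_text, re.M):
        if host.startswith("$"):        # nginx variable, cannot be resolved here
            continue
        port = int(port)
        # Assumption: "localhost" means the IPv4 loopback 127.0.0.1.
        ip = "127.0.0.1" if host == "localhost" else host
        if port == es_port:
            findings.append(("ES_EXPOSED", f"{host}:{port}"))
        if not socks.get(port, set()) & {ip, "0.0.0.0", "::"}:
            findings.append(("NO_LISTENER", f"{host}:{port}"))
    return findings

if __name__ == "__main__":
    for up in ("http://localhost:9200", "http://localhost:5601",
               "http://127.0.1.1:5601"):
        print(up, check_proxy_pass(nginx_block(up), NETSTAT))
```

`ES_EXPOSED` corresponds to the JSON banner in the first post, and `NO_LISTENER` to the Bad Gateway error; pointing the upstream at the address Kibana is actually bound to clears both.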
