Hi, I'm very new to nginx and have a hard time setting up nginx with kibana. I want to set up two groups, "viewer" and "admin". They will be authenticated using Gmail through oauth2_proxy and then access Kibana. I want to redirect the "viewer" group to Kibana home page whenever they access "Management" or "devTools". Does Nginx capture every request to Kibana and can I do the redirect in Nginx?
I can't access kibana server anymore after I set up server.basePath: "/kibana".
This is my nginx config:
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 8080;
        server_name zerus;
        #charset koi8-r;
        #rewrite ^ http://$server_name$request_uri? permanent;
        location ~ /kibana/(?<kibana_uri>.*) {
            # remote server that kibana is running on
            proxy_pass http://zerus:5601/$kibana_uri;
            proxy_set_header Authorization "Basic *****";
            proxy_set_header X-Forwarded-User $http_x_forwarded_for;
            # enable real-time interactions
            proxy_buffering off;
            rewrite /login http://localhost:4180/oauth2/sign_in redirect;
        }
        # Can I do a redirect here?
        # location /kibana/app/kibana#/management {
        #     return 301 http://localhost:5601/;
        # }
    }
    server {
        listen 443;
        server_name ${HOSTNAME};
        location / {
            # oauth2 proxy application listens on port :4180
            proxy_pass http://127.0.0.1:4180;
            # preserve our host and ip from the request in case we want to
            # dispatch the request to a named nginx directive
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 15;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }
}
I'm quite confused here. After I authenticated at http://localhost:4180, I was directed to the Welcome to Nginx page instead of Kibana home. Did I configure it correctly? How should I capture requests to Kibana Management and do a redirect to Kibana Home? Is it achievable through Nginx?
Traffic proxy and reverse-proxy should be possible through nginx. While many of us are familiar with nginx, advice on the best specific configuration for this setup is going to be outside our realm (the Elastic Stack). Your best bet would be to read over the nginx docs or possibly post to a forum specifically supporting nginx.
I can intercept all requests to kibana now but have a hard time finding the correct Kibana Home url to redirect. I tried http://localhost:5601/app/kibana#/home?_g=() but it doesn't work. What is the correct url of Kibana home page? Thanks!
If you want to get to kibana under /kibana you should add to kibana.yml
...
server.basePath: "/kibana"
...
server.basePath: Enables you to specify a path to mount Kibana at if you are running behind a proxy. Use the server.rewriteBasePath setting to tell Kibana if it should remove the basePath from requests it receives, and to prevent a deprecation warning at startup. This setting cannot end in a slash ( / ).
I set the server.basePath: "/kibana" in kibana.yml. But it still doesn't do any redirect.
I updated my Nginx config as below. But Kibana doesn't redirect to home page at all when I clicked on dev tools. Is it because Kibana uses ajax request to refresh the page instead of rendering a page? Is there still a way to configure redirection in Nginx? Thanks! Really appreciate your help!
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 8080;
        server_name ${HOSTNAME};
        location / {
            # kibana server
            proxy_pass http://zerus:5601/;
            proxy_set_header Authorization "Basic **";
            proxy_set_header X-Forwarded-User $http_x_forwarded_user;
            # enable real-time interactions
            proxy_buffering off;
            rewrite /login http://localhost:4180/oauth2/sign_in redirect;
        }
        # if the user is not "admin", then do a redirect when the user tries to access "dev tools"
        if ($http_x_forwarded_user != admin) {
            rewrite ^/api/console.*$ http://zerus:5601/ redirect;
        }
    }
}
Adding server.basePath: "/kibana" to your kibana.yml will make request uris generated by kibana to be prefixed by that base path. That way you can set kibana up in a specific path, such as my.site/kibana
You still need to remove that prefix in nginx when passing the request on to kibana.
Thanks for all of your replies! But some of my questions are still not solved. Assume Kibana server is running on something.com:5601, nginx is listening on something.com:8080 which will proxy the Kibana server.
If I set server.basePath: "/kibana", is there a way that I can directly access kibana server without going through proxy server? I tried to access Kibana server directly using "something.com:/5601/kibana/", but it shows {"statusCode":404,"error":"Not Found","message":"Not Found"}. Does that mean we have to access Kibana server through a proxy once the server.basePath is set? I ask this question because I want to make sure there is no way that users can directly access kibana server except through the proxy server.
Assume a user tries to access Kibana through a proxy server and basePath is set up correctly, how can I redirect users to Kibana home page when users try to access "management" or "devtools"? I tried to intercept HTTP requests to /kibana/app/kibana#/management and /kibana/app/kibana#/dev_tools and return 404 or do a redirect, but Nginx can't capture those paths. The Network tools on Chrome show that two icons are loaded instead of having an HTTP request to "management". Does that mean there is no way to redirect from "management" and "dev_tools" to home page?
Does that mean we have to access Kibana server through a proxy once the server.basePath is set? I ask this question because I want to make sure there is no way that users can directly access kibana server except through the proxy server.
No. Your kibana server is still very much accessible around the proxy. You are just getting a 404 because there is no one in the middle to remove the base path that kibana is adding. If you took a request to a path like, say, kibana/plugins/vega/index.css, you could still access that asset by hitting something.com:5601/plugins/vega/index.css.
Security-wise, if you don't want users to access your kibana server directly, then you should block all traffic to that port (other than that going through the loopback interface) with a firewall.
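The two points made in the replies above (strip the base path in nginx before the request reaches Kibana, and keep users from getting to port 5601 around the proxy), as an added example that is not from any poster in the thread. It assumes nginx, oauth2_proxy and Kibana share one host in the chain shown in the first comment; the loopback addresses, the 403 response and the nested location are illustrative choices, and the firewall rule recommended above is still needed if Kibana listens on a non-loopback address.

```nginx
# Added example (constructed; not a config from the thread).
# Assumed chain: client -> nginx :443 -> oauth2_proxy 127.0.0.1:4180
#                -> nginx 127.0.0.1:8080 -> Kibana 127.0.0.1:5601
# Assumed kibana.yml: server.basePath: "/kibana", server.host: "127.0.0.1",
#                     server.rewriteBasePath: false
events {}

http {
    server {
        # Bind the Kibana-facing listener to loopback so that only the
        # local oauth2_proxy can reach it and supply X-Forwarded-User.
        # A listener reachable by clients would let them send that
        # header themselves.
        listen 127.0.0.1:8080;

        # Kibana generates its links under /kibana/.
        location = /kibana {
            return 302 /kibana/;
        }

        location /kibana/ {
            # Deny the Dev Tools console API to everyone except "admin".
            # Only request paths can be matched here: "#/management" and
            # "#/dev_tools" are URL fragments, which the browser never
            # sends to the server, so no location can match them.
            location /kibana/api/console {
                if ($http_x_forwarded_user != "admin") {
                    return 403;
                }
                # The URI part replaces the matched location prefix.
                proxy_pass http://127.0.0.1:5601/api/console;
            }

            # The trailing "/" on proxy_pass replaces the matched
            # "/kibana/" prefix, so Kibana receives "/app/kibana" etc.
            proxy_pass http://127.0.0.1:5601/;
            proxy_set_header X-Forwarded-User $http_x_forwarded_user;
            # enable real-time interactions
            proxy_buffering off;
        }
    }
}
```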