Nginx reverse proxy setup for Kibana

bbking · February 6, 2019, 4:11pm

Hi, I'm very new to nginx and have a hard time setting up nginx with kibana. I want to setup two groups, "viewer" and "admin". They will be authenticated using Gmail through oauth2_proxy and then access Kibana. I want to redirect the "viewer" group to Kibana home page whenever they access "Management" or "devTools". Does Nginx capture every request to Kibana and can I do the redirect in Nginx?

I can't access kibana server anyone after I setup server.basePath: "/kibana".
This is my nginx config:

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       8080;
        server_name  zerus;

        #charset koi8-r;
        #rewrite ^ http://$server_name$request_uri? permanent;

        location ~ /kibana/(?<kibana_uri>.*) {
            # remote server that kibana is running on
            proxy_pass http://zerus:5601/$kibana_uri;
            proxy_set_header Authorization "Basic *****";
            proxy_set_header X-Forwarded-User $http_x_forwarded_for;
            # enable real-time interactions
            proxy_buffering off;
            rewrite /login http://localhost:4180/oauth2/sign_in redirect;
        }
          # Can I do a redirect here?
#        location /kibana/app/kibana#/management {
#            return 301 http://localhost:5601/;
#        }
      }

       server {
        listen       443;
        server_name  ${HOSTNAME};
        location / {
            # oauth2 proxy application listens on port :4180
            proxy_pass http://127.0.0.1:4180;
            # preserve our host and ip from the request in case we want to
            # dispatch the request to a named nginx directive
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 15;
            proxy_send_timeout 30;
            proxy_read_timeout 30;
        }
    }
   }

I'm quite confused here. After I authenticated http:localhost:4180, I was directed to Welcome to Nginx page instead of Kibana home. Did I configure it correctly? How should I capture request to Kibana Management and do a redirect to Kibana Home? Is it achievable through Nignx?

Thanks a lot!

Aaron_Caldwell · February 6, 2019, 10:20pm

Hello,

Traffic proxy and reverse-proxy should be possible through nginx. While many of us are familiar with nginx, advice on the best specific configuration for this setup is going to be outside our realm (the Elastic Stack). Your best bet would be to read over the nginx docs or possibly post to a forum specifically supporting nginx.

Regards,
Aaron

bbking · February 6, 2019, 11:12pm

I can intercept all requests to kibana now but have a hard time finding the correct Kibana Home url to redirect. I tried http://localhost:5601/app/kibana#/home?_g=() but it doesn't work. What is the correct url of Kibana home page? Thanks!

zaratustra689 · February 7, 2019, 12:10am

Hello!

If you want to get to kibana under /kibana you should add to kibana.yml

...
server.basePath: "/kibana"
...

server.basePath: Enables you to specify a path to mount Kibana at if you are running behind a proxy. Use the server.rewriteBasePath setting to tell Kibana if it should remove the basePath from requests it receives, and to prevent a deprecation warning at startup. This setting cannot end in a slash ( / ).

Source: Configure Kibana | Kibana Guide [8.11] | Elastic

bbking · February 7, 2019, 1:37am

I set the server.basePath: "/kibana" in kibana.yml. But it still doesn't do any redirect.

I updated my Nginx config as below. But Kibana doesn't redirect to home page at all when I clicked on dev tools. Is it because Kibana uses ajax request to refresh the page instead of rendering a page? Is there still a way to configure redirection in Nginx? Thanks! Really appreciate your help!

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       8080;
        server_name  ${HOSTNAME};

        location / {
            # kibana sever
            proxy_pass http://zerus:5601/;
            proxy_set_header Authorization "Basic **";
            proxy_set_header X-Forwarded-User $http_x_forwarded_user;
            # enable real-time interactions
            proxy_buffering off;
            rewrite /login http://localhost:4180/oauth2/sign_in redirect;
        } 
        # if the user is not "admin", then do a redirect when the user tries to access "dev tools"
        if ($http_x_forwarded_user != admin) {
            rewrite ^/api/console.*$ http://zerus:5601/ redirect;
        }
  }
}

Julian_Berbel_Alt · February 7, 2019, 3:24pm

Hi bbking!

Adding server.basePath: "/kibana" to your kibana.yml will make request uris generated by kibana to be prefixed by that base path. That way you can set kibana up in a specific path, such as my.site/kibana

You still need to remove that prefix in nginx when passing the request on to kibana.

I'll leave you a snippet of our nginx.conf:

server {
    listen 443 ssl;
    server_name XXXX.XXXX;
    include includes/ssl-settings.core.conf;

    location /kibana/ {
      proxy_pass http://upstream/;
      proxy_redirect off;
      proxy_buffering off;

      proxy_http_version 1.1;
      proxy_set_header Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";
    }
  }

Also, you may want to set the /login rewrite in a different location, but I'm not that savvy with nginx either tbh.

I hope this helps!

bbking · February 8, 2019, 11:44pm

Thanks for all of your replies! But some of my questions are still not solved. Assume Kibana server is running on something.com:5601, nginx is listening on something.com:8080 which will proxy the Kibana server.

If I set server.basePath: "/kibana", is there a way that I can directly access kibana server without going through proxy server? I tried to access Kibana server directly using "something.com:/5601/kibana/", but it shows {"statusCode":404,"error":"Not Found","message":"Not Found"}. Does that mean we have to access Kibana server through a proxy once the server.basePath is set? I ask this question because I want to make sure there is no way that users can directly access kibana server except through the proxy server.
Assume a user tries to access Kibana though a proxy server and basePath is setup correctly, how can I redirect users to Kibana home page when users try to access "managment" or "devtools"? I tried to intercept HTTP request to /kibana/app/kibana#/management and /kibana/app/kibana#/dev_tools and return 404 or do a redirect, but Nginx can't capture those paths. The Network tools on Chrome shows that two icons are loaded instead of having a HTTP request to "management". Does that mean there is no way to redirect from "managment" and "dev_tools" to home page?

Network panel:

I intercepted call requests to /kibana/api/index_management/indices and return 404. But why does the index_managment page consistenly reload?

I'm quite stuck at redirecting pages and finding the correct reqest to intercept. Any hints will be a great help! Thanks!

Julian_Berbel_Alt · February 9, 2019, 2:21am

Does that mean we have to access Kibana server through a proxy once the server.basePath is set? I ask this question because I want to make sure there is no way that users can directly access kibana server except through the proxy server.

No. Your kibana server is still very much accessible around the proxy. You are just getting a 404 because there is noone in the middle to remove the base path that kibana is adding. If you took a request to a path like, say, kibana/plugins/vega/index.css, you could still access that asset by hitting something.com:5601/plugins/vega/index.css.

Security-wise, if you don't want users to access your kibana server directly, then you should block all traffic to that port (other than that going through the loopback interface) with a firewall.

Just as you stated, at the very least this isn't something you can deal with through nginx since clients don't send the anchor part in the first place (web server - Nginx Redirect Rule with a anchor tag - Server Fault).

system · March 9, 2019, 2:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Marius_Dragomir · January 28, 2020, 3:35pm

Looks like this has fixed it for one of our users: Reverse proxy issue(Using Nginx) with Kibana 7.5