Setting https for Kibana with NGINX and a FQDN

I have a Droplet on Digital Ocean which runs CentOS 7 and I run an ELK stack on it. I've also successfully configured an NGINX web server with a FQDN (got one from namecheap.com) and I also have an SSL certificate managed by Let's Encrypt.

In order to set up my nginx web server and the SSL certificate, I followed this straightforward tutorial from Digital Ocean. I can now basically access my website from any browser. You can see it for yourself here. The connection is https and has a valid certificate.

Now, I want to have my Kibana running on the same FQDN (instead of running it on localhost), with https support (basically under the same SSL configuration as the rest of my website). I tried to start with this tutorial which basically sets up a reverse proxy with nginx for accessing the Kibana dashboard from any machine.
The issue I have is that after I follow the step where I have to modify the config file in etc/nginx/conf.d/basavyr.live.conf, I should be able to access it with: http://basavyr.live/status. However, the browser redirects me to the https version of the page, which returns the 404 error.

    server {
        listen 80;
        server_name basavyr.live www.basavyr.live;

        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/htpasswd.users;

        location / {
            proxy_pass http://localhost:5601;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

According to the tutorial, this is what I have to add in my conf file.

TL;DR
All I want is to be able to connect to Kibana using https by accessing something like https://basavyr.live/kibana (for example) and also make it possible to redirect the http request to a https one (from what I understand though, certbot takes care of this by default?).
I believe I also have to update the Kibana yaml file with these options:

server.ssl.enabled: true
server.ssl.key: /path/to/your/server.key
server.ssl.certificate: /path/to/your/server.crt

however these settings seem to be for setting up SSL on the localhost (?)

How can I successfully set-up my Kibana to run through https and nginx?
Thank you in advance!

Hey @basavyr.

Option 1

If you're using NGINX as a reverse-proxy for all traffic to Kibana, I'd recommend configuring it to do TLS termination before proxying http traffic to Kibana.

To start, you'll want to change the following setting in your etc/nginx/conf.d/basavyr.live.conf

listen 80;

to the following:

listen              443 ssl default_server;
ssl_certificate     /path/to/your/cert.crt;
ssl_certificate_key /path/to/your/cert.key;

You can then remove the following settings from your kibana.yml:

server.ssl.enabled: true
server.ssl.key: /path/to/your/server.key
server.ssl.certificate: /path/to/your/server.crt

Option 2

You can also remove NGINX, and allow end-users to access Kibana directly using HTTPS. In this situation, you'd keep the following settings in your kibana.yml

server.ssl.enabled: true
server.ssl.key: /path/to/your/server.key
server.ssl.certificate: /path/to/your/server.crt

Hey @Brandon_Kobel
Thank you for the reply, and sorry for answering so late.
I've changed my config file to this:

    server {
        server_name  basavyr.live www.basavyr.live;
        #root         /usr/share/nginx/html;
        root         /var/www/basavyr.live/html;
        include /etc/nginx/default.d/*.conf;

        location /kibana {
            proxy_pass http://localhost:5601;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        listen    443 ssl http2;
        listen    [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/basavyr.live/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/basavyr.live/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

The website works fine (I can access my index.html here and it's secure). But when I type the URL: basavyr.live/kibana, I get this webpage result: [image]

I tried in console:
curl -X GET https://basavyr.live/kibana and of course I get the same output. What could be the issue?

Kibana is working (checked status with systemctl)

If you're using location /kibana, you'll need to set server.basePath: /kibana in your kibana.yml


Dear @Brandon_Kobel,
I tried changing the kibana.yml file, but it still didn't work with that initial config file on the nginx reverse proxy.
However, after more research, I've come across this post where the solution is to change the location context for kibana:

    location /kibana {
        rewrite ^/kibana/?(.*)$ /$1 break;
        proxy_set_header Connection "";
        proxy_intercept_errors on;
        proxy_redirect off;
        proxy_pass http://localhost:5601;
        include nginxconfig.io/proxy.conf;  # this was added by me after I saw a config generator for NGINX on the web
    }

After I changed it, it finally worked. Regarding the include file, I found it here:


It is a super useful website which helps you generate config files for your web servers.

I think this whole time, my issue was related to nginx not being able to access kibana files due to non-root access (??)

Fortunately, now I am able to access Kibana with my domain, with full TLS encryption and valid ssl certificate.

Thank you!

PS: I did the same set-up for elasticsearch reverse proxy (with the /elastic location context) and that also works like a charm :)
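
Added example, not written by either participant in the thread: one nginx configuration that combines the pieces discussed above (HTTP-to-HTTPS redirect, TLS termination in nginx, basic auth from the first config, and Kibana under /kibana with the prefix stripped by the rewrite from the last post). It assumes the certbot and htpasswd paths shown in the thread, that Kibana has no authentication of its own, and a kibana.yml with the three settings listed in the leading comment.

```nginx
# Assumed kibana.yml (not taken from the thread except server.basePath):
#   server.host: "localhost"        # keep port 5601 off the public interface,
#                                   # so the auth below cannot be bypassed
#   server.basePath: "/kibana"      # Kibana generates links under /kibana
#   server.rewriteBasePath: false   # nginx strips the prefix, Kibana does not
# No server.ssl.* settings: TLS ends at nginx, the hop to 5601 is loopback only.

# Port 80 only redirects; nothing is proxied over plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name basavyr.live www.basavyr.live;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name basavyr.live www.basavyr.live;

    ssl_certificate     /etc/letsencrypt/live/basavyr.live/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/basavyr.live/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/basavyr.live/html;

    location /kibana {
        # Same gate the tutorial config placed on the whole server block.
        auth_basic           "Restricted Access";
        auth_basic_user_file /etc/nginx/htpasswd.users;

        # /kibana/app/home -> /app/home before the request reaches Kibana.
        # Without this (and with rewriteBasePath false) Kibana sees /kibana/...
        # and answers 404, which is the symptom described in the thread.
        rewrite ^/kibana/?(.*)$ /$1 break;
        proxy_pass http://localhost:5601;

        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
    }
}
```

Check the syntax with `nginx -t` before reloading; a /elastic location set up the same way needs its own auth_basic lines, since nothing is inherited from the /kibana block.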
