  • Proxying Kibana with HAProxy, and proxying Kibana with nginx with login authentication

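      When ELK is used for log analysis, Kibana itself has no authentication, so anyone who knows the URL can open the Kibana console. Because routine querying, adding and deleting of logs all happen in the same web interface, this is a serious security risk: anyone has permission to modify the data. To avoid this, Kibana can be placed behind nginx and protected with nginx's authentication.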

    1. First, proxy Kibana with HAProxy

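    # For installing and configuring HAProxy, see the earlier blog posts
    # Lab environment, IP: 10.0.0.33; Kibana, ES and HAProxy have not been installed on it before; installing Kibana does not require a Java environment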
    yum -y install kibana-5.4.0-x86_64.rpm
    /usr/local/haproxy/sbin/haproxy -v
    HA-Proxy version 1.7.11 2018/04/30
    Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>
    
    grep "^[a-zA-Z]" /etc/kibana/kibana.yml
    server.port: 5601
    server.host: "127.0.0.1"
    elasticsearch.url: "http://10.0.0.22:9200"
    
    systemctl start kibana
    
    cat /etc/haproxy/haproxy.cfg
    global
    maxconn 100000
    chroot /usr/local/haproxy
    uid 1000
    gid 1000
    daemon
    nbproc 1
    pidfile /usr/local/haproxy/run/haproxy.pid
    log 127.0.0.1 local6 info
     
    defaults
    option http-keep-alive
    option  forwardfor
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client  300000ms
    timeout server  300000ms
     
    listen stats
     mode http
     bind 0.0.0.0:9999
     stats enable
     log global
     stats uri     /haproxy-status
     stats auth    haadmin:123456
    #frontend web_port
    frontend web_port
            bind 0.0.0.0:80
            mode http
            option httplog
            log global
            option forwardfor
    #ACL Setting
    acl kibana        hdr_dom(host) -i www.kibanahaproxy.com
    #USE ACL
    use_backend   kibana_host        if kibana
     
    backend kibana_host
            mode    http
            option  httplog
            balance source
            server web1  127.0.0.1:5601 check inter 2000 rise 3 fall 2 weight 1
    
    systemctl start haproxy.service
    

    Add a record to the Windows hosts file, then visit http://www.kibanahaproxy.com

    10.0.0.33 www.kibanahaproxy.com

    2. Stop HAProxy, then proxy Kibana with nginx and add login authentication

    systemctl stop haproxy.service
    # Install nginx with yum
    wget  http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
    rpm -ivh nginx-release-centos-7-0.el7.ngx.noarch.rpm
    yum -y install nginx
    rpm -qa | grep nginx
    nginx-1.14.1-1.el7_4.ngx.x86_64
    # Create the credentials file; httpd-tools must be installed first
    yum -y install httpd-tools
    # The first time a user is created, the -c option is needed (-b takes the password from the command line)
    htpasswd -bc /etc/nginx/htpasswd.users lixiang root123456
    htpasswd -b /etc/nginx/htpasswd.users lisi root123
    cat /etc/nginx/htpasswd.users 
    
    cat kibana.conf
    upstream kibana_server {
            server  127.0.0.1:5601 weight=1 max_fails=3  fail_timeout=60;
    }
    
    server {
            listen 80;
            server_name www.kibananginx.com;
            auth_basic "Restricted Access";
            auth_basic_user_file /etc/nginx/htpasswd.users;
            location / {
                    proxy_pass http://kibana_server;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection 'upgrade';
                    proxy_set_header Host $host;
                    proxy_cache_bypass $http_upgrade;
            }
    }
    
    systemctl start nginx
    

    If nginx was compiled from source, change the owner and group of the configuration file and the credentials file

    chown -R www:www /usr/local/nginx/conf

    nginx now proxies Kibana successfully
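
To confirm that the setup above closes the gap (Kibana reachable only through the authenticating proxy), the following shell functions check the `server.host` binding, the listeners on port 5601 and the proxy's response to an anonymous request. This is an added example, not part of the original post; the function names are hypothetical and it assumes `ss`, `awk`, `sed` and `curl` are available on the proxy host.

```shell
# Added example (not from the original post).

# Read `ss -ltn` output on stdin; print listeners on port $1 not bound to loopback.
exposed_listeners() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # last field after ":" is the port
            if (parts[n] != p) next
            host = substr($4, 1, length($4) - length(p) - 1)
            if (host != "127.0.0.1" && host != "::1" && host != "[::1]") print $4
        }'
}

# Print the effective server.host from a kibana.yml (last uncommented setting wins).
kibana_host() {
    sed -n 's/^server\.host:[[:space:]]*//p' "$1" | tr -d "\"' \t" | tail -n 1
}

# Print the HTTP status for a request without credentials; 401 means auth_basic is enforced.
unauth_status() {   # $1 = proxy address, $2 = Host header (server_name)
    curl -s -o /dev/null -w '%{http_code}' -H "Host: $2" "http://$1/"
}

# Return 0 only if Kibana is loopback-only and the proxy rejects anonymous requests.
audit_kibana() {    # $1 = kibana.yml path, $2 = proxy address, $3 = server_name
    rc=0
    host=$(kibana_host "$1")
    case "$host" in
        ""|127.0.0.1|localhost|::1) ;;   # unset falls back to Kibana's default, localhost
        *) echo "FAIL: server.host is '$host', Kibana can be reached without the proxy"; rc=1 ;;
    esac
    leaks=$(ss -ltn | exposed_listeners 5601)
    [ -z "$leaks" ] || { echo "FAIL: port 5601 is listening on $leaks"; rc=1; }
    code=$(unauth_status "$2" "$3") || code=000
    [ "$code" = "401" ] || { echo "FAIL: anonymous request returned $code, expected 401"; rc=1; }
    return $rc
}
# Usage on the lab host: audit_kibana /etc/kibana/kibana.yml 10.0.0.33 www.kibananginx.com
```

The probe uses plain HTTP because the server block above listens on port 80, where Basic credentials travel only base64-encoded; terminate TLS in nginx before using this outside a lab.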

    Kibana authentication through an nginx proxy: http://blog.51cto.com/tryingstuff/2049877

  • Original article: https://www.cnblogs.com/fawaikuangtu123/p/10360212.html