How to Install and Configure NGINX for Kibana

In one of my prior posts, I discussed the steps necessary to set up a Single-Node ELK Stack. If you followed that guide, Kibana, as it stands, is accessible over port 5601 to anyone on your network who knows its IP address. For myself, I could always socially outcast my roommate if they were to touch my precious Kibana. However, in a more professional environment where bullying is completely unacceptable, this could become a major security issue. Remember, ELK can be used to store logs from endpoints that not everyone can or should have access to; an unprotected Kibana can be a treasure trove of information. To remedy this, we will install NGINX and enable it as a reverse proxy for Kibana.

What you need:

  • A functioning ELK stack (single or multiple node) with Kibana

NOTE: This post is heavily influenced by the work of @Cyb3rWard0g on HELK. Check out his blog for more information.

Install & Configure NGINX

sudo apt-get install nginx

Create a user (kibadmin) to log in to the Kibana web interface

NOTE: Enter superuser (sudo su) for the rest of this guide

echo "kibadmin:`openssl passwd -apr1`" | sudo tee -a /etc/nginx/htpasswd.users

Type a password, then verify again.

Back up the default NGINX configuration file (fires happen)

mv /etc/nginx/sites-available/default /etc/nginx/sites-available/original_backup_default

Create your new NGINX configuration for Kibana

nano /etc/nginx/sites-available/default

Put the following into the new NGINX configuration file you just created, putting Kibana’s IP address in the server_name field:

server {
    listen 80;

    server_name <YourKibanaIP>;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;        
    }
}

Verify that your file matches the configuration above, then save and exit.

Test the NGINX configuration file to ensure there are no syntax errors

nginx -t

Enable NGINX on startup and start the service

systemctl enable nginx
systemctl start nginx

Go to your browser and navigate to your Kibana IP, without appending :5601, to ensure NGINX is working properly. If so, the browser should prompt you for a username and password.

Enter the username (kibadmin) and the password you created earlier. If successful, you should be allowed into Kibana. What you see may differ depending on how Kibana is set up.

Congrats! You have successfully configured NGINX to work with Kibana. Be proud of the extra security step you have just taken.
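
The proxy only protects Kibana if port 5601 itself is not reachable from the network. The script below is an added example, not part of the original post: it flags non-loopback listeners on 5601 in `ss -ltnH` output and interprets the status code of an unauthenticated request to port 80. The sample `ss` lines are constructed, and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: confirm Kibana is only
# reachable through the NGINX proxy configured above.

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:5601 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*'

# exposed_listeners PORT: read `ss -ltnH` lines on stdin and print every
# local address bound to PORT that is not loopback-only.
exposed_listeners() {
    awk -v port="$1" '{
        addr = $4
        n = split(addr, parts, ":")
        if (n < 2 || parts[n] != port) next
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print addr
    }'
}

# proxy_auth_status CODE: interpret the HTTP status returned for a request
# sent to the proxy on port 80 without credentials.
proxy_auth_status() {
    case "$1" in
        401) echo "ok: proxy demands credentials" ;;
        2??|3??) echo "FAIL: proxy answered without demanding credentials" ;;
        000) echo "FAIL: no response from proxy" ;;
        *) echo "check: unexpected status $1" ;;
    esac
}

# audit_host HOST: run both checks live on the Kibana server (hypothetical
# helper; needs ss and curl). Not called automatically.
audit_host() {
    ss -ltnH | exposed_listeners 5601 | sed 's/^/FAIL: Kibana exposed on /'
    proxy_auth_status "$(curl -s -o /dev/null -w '%{http_code}' "http://$1/")"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 5601
proxy_auth_status 401
```

If the listener check prints an address, clients can still bypass NGINX by connecting to port 5601 directly; bind Kibana to loopback (the `server.host` setting in kibana.yml) or firewall that port.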
