nginx as simple reverse proxy for HTTP basic auth

nginx installation

I installed nginx on the same server as the ESK stack. On a Debian based Linux distribution you can just use apt-get install to install nginx:

apt-get update
apt-get install nginx

That's it.

nginx configuration

nginx' configuration files are located in /etc/nginx

In this directory, there are two sub-directories:


Remove the symbolic link for the default vhost configuration:

rm /etc/nginx/sites-enabled/default

Then, create a new vhost configuration file in /etc/nginx/sites-available with this content:

# file /etc/nginx/sites-available/kibana-proxy
server {
  listen 80 default_server;
  # listen 80;
  listen [::]:80 default_server;
  # listen [::]:80;

  root /var/www/empty;

  # Add index.php to the list if you are using PHP
  index index.html index.htm index.nginx-debian.html;


  location / {
    auth_basic "Syslog Server";
    # this is the password file
    auth_basic_user_file /etc/nginx/kibana-auth;
    # this points to the Kibana backend

  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  location ~ /\.ht {
    deny all;

I highlighted the important parts in bold.

Next, create an empty directory as document root, just in case:

mkdir -p /var/www/empty

Finally, create a symbolic link:

cd /etc/nginx/sites-enabled
ln -s ../sites-available/kibana-proxy

Finally, you need to create /etc/nginx/kibana-auth. The general format of the file is


Use openssl passwd to hash your desired password:

echo -n "myuser:" > /etc/nginx/kibana-auth
openssl passwd -apr1 "mypassword" >> /etc/nginx/kibana-auth

Check the file contents, it yould look like this:


Notice the -apr1 option. It tells openssl passwd to use the apache APR1 algorithm. If you don't specify any algorithm, openssl passwd will use the crypt algorithm which is limited to 8 characters.

Now you can restart nginx.

Kibana configuration

Now it's time to change Kibana's configuration, so it is only accessible on

Change the parameter in /etc/kibana/kibana.yml to

Restart kibana and you're done.

Don't forget about the firewall

If you've set up a host firewall (what you really should have done!), don't forget to remove any rules allowing access to TCP port 5601 and allow access to TCP port 80 instead.

Further improvement

Even better would be to use nginx not only as reverse proxy to provide HTTP basic auth but to use it as SSL/TLS proxy aswell. Maybe I'll cover that topic in another post.

If you like to add something, feel free to write to

Go back

My Wishlist

If the information I provided was helpful to you, I would really appreciate if you have a look on my Amazon wishlist.

I'm not begging for anything and I will continue to share my knowledge but of course I would be really happy to see some packages arriving ;-)