nginx as simple reverse proxy for HTTP basic auth

nginx installation

I installed nginx on the same server as the ESK stack. On a Debian-based Linux distribution you can just use apt-get install to install nginx:

apt-get update
apt-get install nginx

That's it.

nginx configuration

nginx's configuration files are located in /etc/nginx.

In this directory, there are two sub-directories:

/etc/nginx/sites-available
/etc/nginx/sites-enabled

Remove the symbolic link for the default vhost configuration:

rm /etc/nginx/sites-enabled/default

Then, create a new vhost configuration file in /etc/nginx/sites-available with this content:

# file /etc/nginx/sites-available/kibana-proxy
server {
  listen 80 default_server;
  # listen 80;
  listen [::]:80 default_server;
  # listen [::]:80;

  root /var/www/empty;

  # Add index.php to the list if you are using PHP
  index index.html index.htm index.nginx-debian.html;

  server_name syslog.example.com;

  location / {
    auth_basic "Syslog Server";
    # this is the password file
    auth_basic_user_file /etc/nginx/kibana-auth;
    # this points to the Kibana backend
    proxy_pass http://127.0.0.1:5601/;
  }

  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  location ~ /\.ht {
    deny all;
  }
}

I highlighted the important parts in bold.

Next, create an empty directory as document root, just in case:

mkdir -p /var/www/empty

Then enable the vhost by creating a symbolic link:

cd /etc/nginx/sites-enabled
ln -s ../sites-available/kibana-proxy

Finally, you need to create /etc/nginx/kibana-auth. The general format of the file is:

username:password

Use openssl passwd to hash your desired password:

echo -n "myuser:" > /etc/nginx/kibana-auth
openssl passwd -apr1 "mypassword" >> /etc/nginx/kibana-auth

Check the file contents; it should look like this:

myuser:$apr1$p7F1ZHxZ$JEw.JJJpbf8OIImvIN60o1

Notice the -apr1 option. It tells openssl passwd to use the Apache APR1 algorithm. If you don't specify any algorithm, openssl passwd will use the crypt algorithm, which is limited to 8 characters.
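The two commands above put the password on the command line and leave the file with default permissions. The following is an added example, not part of the original post: a small helper that reads the password from stdin, adds or replaces one user's entry, and restricts who can read the file. The function names, the HTPASSWD and NGINX_GROUP variables, and the assumption that the nginx workers run in the www-data group (the Debian default) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. The function names and the
# HTPASSWD / NGINX_GROUP variables are assumptions of this sketch.

# set_user USER: read the password from stdin (not argv, so it stays out of
# shell history and the process list), then add or replace USER's entry.
set_user() {
  file=${HTPASSWD:-/etc/nginx/kibana-auth}
  case $1 in ''|*:*) echo "invalid user name" >&2; return 1 ;; esac
  hash=$(openssl passwd -apr1 -stdin) || return 1
  [ -n "$hash" ] || return 1
  tmp=$(mktemp "$file.XXXXXX") || return 1
  {
    # keep all other users; exact match on field 1, not a regex
    if [ -f "$file" ]; then awk -F: -v u="$1" '$1 != u' "$file" > "$tmp"; fi &&
    printf '%s:%s\n' "$1" "$hash" >> "$tmp" &&
    # readable by root and the nginx workers' group, not by every local user
    chgrp "${NGINX_GROUP:-www-data}" "$tmp" &&
    chmod 640 "$tmp" &&
    mv "$tmp" "$file"   # atomic replace: readers never see a half-written file
  } || { rm -f "$tmp"; return 1; }
}

# check_user USER: read a candidate password from stdin and compare it with
# the stored entry by re-hashing with the stored salt. Returns 0 on a match.
check_user() {
  file=${HTPASSWD:-/etc/nginx/kibana-auth}
  stored=$(awk -F: -v u="$1" '$1 == u { print $2 }' "$file")
  # entry layout is $apr1$<salt>$<hash>, so the salt is the third $-field
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ -n "$salt" ] || return 1
  [ "$(openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}

# Usage, as root, after sourcing this file:
#   set_user myuser     (type the password, then press Enter)
#   check_user myuser   (type the password again to confirm the entry)
```
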

Now you can restart nginx.

Kibana configuration

Now it's time to change Kibana's configuration, so it is only accessible on 127.0.0.1.

Change the server.host parameter in /etc/kibana/kibana.yml to 127.0.0.1:

server.host: 127.0.0.1

Restart kibana and you're done.

Don't forget about the firewall

If you've set up a host firewall (which you really should have done!), don't forget to remove any rules allowing access to TCP port 5601 and allow access to TCP port 80 instead.

Further improvement

Even better would be to use nginx not only as a reverse proxy to provide HTTP basic auth but also as an SSL/TLS proxy. Maybe I'll cover that topic in another post.

If you would like to add something, feel free to write to input@jumping-frog.de
