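Configuring an nginx reverse proxy for Kibana and encrypting nginx with a local CA
阿新 • Published: 2020-08-06
Introduction
After the ELK Stack is deployed, Kibana can be reached directly from a browser, but that is not safe for important data. Access can be restricted with password authentication: install Nginx on the server where Kibana runs and use Nginx's proxy directives to implement it.
Deploying nginx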
rpm -ivh nginx-1.16.0-1.el7.ngx.x86_64.rpm
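Generating an account and password with the htpasswd tool
# the target directory must exist before htpasswd -c can create the file
mkdir -p /etc/nginx/ssl
htpasswd -c /etc/nginx/ssl/htpasswd admin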
New password:
Re-type new password:
Adding password for user admin
Configuring nginx
cat /etc/nginx/conf.d/kibana.conf
server {
    listen 80;
    #server_name kibanaes.com;
    server_name paidui-kibana.360sides.net;
    access_log /home/appmanager/data/logs/nginx/kibana_access.log json;
    error_log /home/appmanager/data/logs/nginx/kibana_error.log;
    location / {
        auth_basic "The Kibana Monitor Center";
        auth_basic_user_file /etc/nginx/ssl/htpasswd;
        proxy_pass http://1.1.1.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
Reload nginx for the change to take effect
nginx -s reload
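Verifying access
Generating a certificate with a local CA to encrypt nginx
This is a virtual host that works over the https protocol; building such a site requires the support of the mod_ssl module. Two files must also be provided: a certificate file and a private key file. The certificate file identifies the web server, and the private key file is mainly used to encrypt data on the server side before it is transmitted by the site. In production, a certificate has to be requested from the appropriate authority. In a lab environment one would properly set up a certificate server and have it issue a certificate to the web server to verify its identity, but building a certificate server is very cumbersome
Generating the certificate and key files
# 1. Prepare the directory that holds the certificate and key
# (-p: the directory may already exist from the htpasswd step)
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
# 2. Use openssl to generate an RSA key 1024 bits long; the file name must end in key
# (RSA keys shorter than 2048 bits are no longer considered adequate outside a lab)
[root@IntelID-Squid-N25 ssl]# openssl genrsa 1024 > /etc/nginx/ssl/server.key
Generating RSA private key, 1024 bit long modulus
..............++++++
..........++++++
e is 65537 (0x10001)
# 3. Use the key file to generate a certificate signing request
[root@IntelID-Squid-N25 ~]# openssl req -new -key /etc/nginx/ssl/server.key > /etc/nginx/ssl/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:dx
Organizational Unit Name (eg, section) []:paidui-kibana.360sides.net
Common Name (eg, your name or your server's hostname) []:paidui-kibana.360sides.net
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# 4. Approve the request and generate the certificate
[root@IntelID-Squid-N25 ~]# openssl req -x509 -days 365 -key /etc/nginx/ssl/server.key -in /etc/nginx/ssl/server.csr > /etc/nginx/ssl/server.crt
# -x509: the certificate format, fixed
# days: the certificate's validity period
# key: the key file to use
# in: the certificate signing request file to use
Configuring HTTPS with the private CA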
[root@IntelID-Squid-N25 conf.d]# cat /etc/nginx/conf.d/kibana.conf
server {
    listen 80;
    server_name xxxx.net;
    return 301 https://xxxxxx$request_uri;
}
server {
    # the ssl parameter on listen enables TLS; the separate "ssl on;" directive
    # is deprecated since nginx 1.15.0 and is dropped here
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    access_log /home/appmanager/data/logs/nginx/kibana_access.log json;
    error_log /home/appmanager/data/logs/nginx/kibana_error.log;
    location / {
        auth_basic "The Kibana Monitor Center";
        auth_basic_user_file /etc/nginx/ssl/htpasswd;
        proxy_pass http://1.1.1.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
nginx -s reload
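A check for the difference between the two kibana.conf versions on this page, as an added example that is not part of the original post: with only a plain `listen 80`, the Basic-auth credentials cross the network unencrypted on every request, which is what moving auth_basic behind the TLS listener fixes. The function name `audit_vhost`, the sample configs and the hostname kibana.example are constructed for illustration, and the parser assumes one directive per line.

```shell
# Added example (not from the original post); assumes one directive per line.
# Reads an nginx config on stdin and prints one finding per line.
audit_vhost() {
    awk '
    function report() {
        if (auth && !tls) printf "server %d: auth_basic on cleartext listen %s\n", n, port
        if (sslon) printf "server %d: deprecated \"ssl on;\"\n", n
    }
    { sub(/#.*/, "") }                           # strip comments
    /^[ \t]*server[ \t]*[{]/ && depth == 0 {     # a new server block starts
        n++; auth = tls = sslon = 0; port = "?"; insrv = 1
    }
    insrv && /^[ \t]*listen[ \t]/ {
        port = $2; sub(/;$/, "", port)
        if ($0 ~ /[ \t]ssl[ \t;]/) tls = 1       # listener has the ssl parameter
    }
    insrv && /^[ \t]*auth_basic_user_file[ \t]/ { auth = 1 }
    insrv && /^[ \t]*ssl[ \t]+on[ \t]*;/ { sslon = 1 }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (insrv && depth == 0) { report(); insrv = 0 }   # server block closed
    }'
}

# Constructed sample: Basic auth behind a plain HTTP listener.
sample_http() { cat <<'EOF'
server {
    listen 80;
    location / {
        auth_basic "The Kibana Monitor Center";
        auth_basic_user_file /etc/nginx/ssl/htpasswd;
    }
}
EOF
}
# Constructed sample: redirect to HTTPS, auth only on the TLS listener.
sample_https() { cat <<'EOF'
server {
    listen 80;
    return 301 https://kibana.example$request_uri;
}
server {
    listen 443 ssl;
    ssl on;
    auth_basic_user_file /etc/nginx/ssl/htpasswd;
}
EOF
}
sample_http | audit_vhost; sample_https | audit_vhost
```

To audit a deployed file, feed it on stdin: `audit_vhost < /etc/nginx/conf.d/kibana.conf`.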