Securing Kibana with Nginx

This article describes how to secure Kibana behind Nginx on Debian 10.

Install nginx

apt install nginx-full

Generate and set up a self-signed certificate

First, generate the certificate and the DH parameters:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
openssl dhparam -out /etc/nginx/dhparam.pem 4096 # can take a few minutes

Then, configure an Nginx snippet. Edit /etc/nginx/snippets/self-signed.conf:

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

Configure the SSL parameters. Edit /etc/nginx/snippets/ssl-params.conf:

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# With the self-signed certificate above there is no issuer to query, so
# nginx ignores stapling and logs a warning.
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Virtual server configuration

Create user/password:

echo -n "$USERNAME:" >> /etc/nginx/.htpasswd
openssl passwd -apr1 >> /etc/nginx/.htpasswd

Edit /etc/nginx/sites-available/kibana.conf:

server {
    listen 443 ssl;
    server_name KIBANA_FQDN;

    root html;
    index index.html index.htm;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    location / {
        proxy_pass http://localhost:5601;
        proxy_redirect http://localhost:5601/ $scheme://$host/;
        auth_basic "Kibana auth required";          # For Basic Auth
        auth_basic_user_file /etc/nginx/.htpasswd;  # For Basic Auth
    }
}

Enable this configuration file:

ln -s /etc/nginx/sites-available/kibana.conf /etc/nginx/sites-enabled/

Restart nginx:

systemctl restart nginx

Test it

Open https://KIBANA_FQDN in a browser. You should be prompted for credentials.
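
The same check can be done from the shell. This is an added example, not part of the original article: it assumes Kibana should be reachable only through Nginx, so port 5601 must be bound to loopback, and that a request without credentials gets a 401 with a Basic challenge. The function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are illustrative.

# Reads `ss -ltn` output on stdin. Checks that something listens on 443 and
# that Kibana's port 5601 is bound to loopback only (assumed from the
# article's proxy_pass target), so Nginx cannot be bypassed.
audit_listeners() {
    awk '
    $1 != "LISTEN" { next }            # skips the header line too
    {
        addr = $4                      # "Local Address:Port" column
        n = split(addr, p, ":"); port = p[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port == "443") tls = 1
        if (port == "5601") {
            kib = 1
            if (host != "127.0.0.1" && host != "[::1]") exposed = 1
        }
    }
    END {
        if (!tls)    print "FAIL nothing listening on 443"
        if (!kib)    print "FAIL nothing listening on 5601"
        if (exposed) print "FAIL 5601 bound to a non-loopback address"
        if (tls && kib && !exposed) print "OK"
    }'
}

# Reads `curl -skI https://KIBANA_FQDN/` response headers on stdin. A request
# without credentials must get 401 and a Basic challenge.
audit_auth_headers() {
    awk '
    NR == 1 { code = $2 }
    tolower($0) ~ /^www-authenticate:[ \t]*basic/ { basic = 1 }
    END {
        if (code == "401" && basic) print "OK"
        else print "FAIL expected 401 with Basic challenge, got " code
    }'
}

# Constructed sample input (not captured from a real host): Kibana exposed.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:5601       0.0.0.0:*'
SAMPLE_HEAD='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Kibana auth required"'
printf '%s\n' "$SAMPLE_SS" | audit_listeners       # reports the exposed port
printf '%s\n' "$SAMPLE_HEAD" | audit_auth_headers
```

On the Kibana host, pipe `ss -ltn` into `audit_listeners` and `curl -skI https://KIBANA_FQDN/` into `audit_auth_headers`; the `-k` option is needed because the certificate is self-signed.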