Kibana配置nginx反代並本地ca加密nginx

• 2020 年 8 月 6 日
• 筆記
• ELK Stack, Nginx, 代理, 日誌分析

簡介

我們部署完ELK Stack後,雖然可以直接瀏覽器訪問kibana進行訪問,但這樣對一些重要數據來說是不安全的,可以利用密碼驗證設置許可權訪問,在Kibana所在的伺服器上安裝Nginx服務，利用Nginx的轉髮指令實現

部署nginx

rpm -ivh nginx-1.16.0-1.el7.ngx.x86_64.rpm 

配置加密工具htpasswd生成帳號和密碼

htpasswd -c /etc/nginx/ssl/htpasswd admin
New password: 
Re-type new password: 
Adding password for user admin

配置nginx

cat /etc/nginx/conf.d/kibana.conf 
server {
       listen       80;
       #server_name  kibanaes.com;
       server_name  paidui-kibana.360sides.net;

       access_log  /home/appmanager/data/logs/nginx/kibana_access.log json;
       error_log   /home/appmanager/data/logs/nginx/kibana_error.log;
       location / {
           auth_basic "The Kibana Monitor Center";  
           auth_basic_user_file /etc/nginx/ssl/htpasswd;  
           proxy_pass   //1.1.1.1:5601;
           proxy_http_version 1.1;
           proxy_set_header Host $host;
           proxy_cache_bypass $http_upgrade;
       }
}

重啟nginx生效

nginx -s reload

訪問驗證

配置本地CA生成證書加密nginx

基於https的協議工作的一中虛擬主機，要構建這樣的網站需要mod_ssl模組的支援。且需要提供兩個文件：證書文件和私鑰文件，證書文件是標識這個網站伺服器身份的，私鑰文件主要用來實現在伺服器端對數據進行加密，然後在網站中傳輸的。證書在生產生活中需要到對應的機構去申請，在實驗環境中本應該搭建一台證書伺服器，然後由證書伺服器給web伺服器頒發證書來驗證其的身份，但是證書伺服器構建是非常麻煩的

生成證書及密鑰文件

# 1.準備存放證書和秘鑰的目錄
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
 
# 2.使用openssl生成基於rsa數學演算法長度為1024bit的秘鑰,文件必須以key為結尾
[root@IntelID-Squid-N25 ssl]#  openssl genrsa 1024 > /etc/nginx/ssl/server.key
Generating RSA private key, 1024 bit long modulus
..............++++++
..........++++++
e is 65537 (0x10001)

# 3.使用秘鑰文件生成證書申請
[root@IntelID-Squid-N25 ~]# openssl req -new -key /etc/nginx/ssl/server.key > /etc/nginx/ssl/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:dx
Organizational Unit Name (eg, section) []:paidui-kibana.360sides.net
Common Name (eg, your name or your server's hostname) []:paidui-kibana.360sides.net
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# 4. 同意申請，生成證書
[root@IntelID-Squid-N25 ~]# openssl req -x509 -days 365 -key /etc/nginx/ssl/server.key -in /etc/nginx/ssl/server.csr > /etc/nginx/ssl/server.crt

# -x509：證書的格式，固定的
# days：證書的有效期
# key：指定秘鑰文件
# in：指定證書申請文件

配置私有CA的https

[root@IntelID-Squid-N25 conf.d]# cat /etc/nginx/conf.d/kibana.conf 
server {
       listen       80;
       server_name  xxxx.net;
       return 301 //xxxxxx$request_uri;
}

server {
      listen 443 ssl;
      ssl on;
      ssl_certificate /etc/nginx/ssl/server.crt;
      ssl_certificate_key /etc/nginx/ssl/server.key;
      access_log  /home/appmanager/data/logs/nginx/kibana_access.log json;
      error_log   /home/appmanager/data/logs/nginx/kibana_error.log;
      location / {
          auth_basic "The Kibana Monitor Center";
          auth_basic_user_file /etc/nginx/ssl/htpasswd;
          proxy_pass   //1.1.1.1:5601;
          proxy_http_version 1.1;
          proxy_set_header Host $host;
          proxy_cache_bypass $http_upgrade;
      }
}

nginx -s reload