chelming · August 29, 2015 14:02
diff --git a/nginx.conf b/nginx.conf
 user  nginx;
 worker_processes  10;

 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;


 events {
    worker_connections  1024;
 }


 http {
    auth_ldap_cache_enabled on;
    auth_ldap_cache_expiration_time 10000;
    auth_ldap_cache_size 1000;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;
    gzip_disable "msie6";

    gzip_min_length 1100;
    gzip_vary on;
    gzip_proxied any;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/x-javascript
    text/xml application/xml application/rss+xml text/javascript
    image/svg+xml application/x-font-ttf font/opentype
    application/vnd.ms-fontobject;

    include /etc/nginx/conf.d/*.conf;

    #
 # Nginx proxy for Elasticsearch + Kibana
 #
 # In this setup, we are password protecting the saving of dashboards. You may
 # wish to extend the password protection to all paths.
 #
 # Even though these paths are being called as the result of an ajax request, the
 # browser will prompt for a username/password on the first request
 #
 # If you use this, you'll want to point config.js at http://FQDN:80/ instead of
 # http://FQDN:9200
 #


 ldap_server main {
 url ldaps://ldap.domain.tld/ou=people,dc=domain,dc=tld?uid?sub;
 require valid_user;
 }


 upstream backend {
  server <FQDN>:9200;
 }

 server {
  listen                *:80 ;

  server_name           <FQDN>;
  access_log            /var/log/nginx/kibana.access.log;
  error_log		/var/log/nginx/error.log debug;

  auth_ldap "Forbidden";
  auth_ldap_servers main;

  location / {
    root  /usr/local/kibana-3.1.0;
    index  index.html  index.htm;
  }

  location ^~ /elasticsearch/ {
    proxy_pass http://backend/;
  }  

  location ^~ /plugins/ {
    proxy_pass http://backend/;
    root /usr/share/elasticsearch/plugins/;
  }

 #  location ^~ /elasticsearch/ {
 #    proxy_pass http://127.0.0.1:9200;
 #    proxy_read_timeout 90;
 #  }

 #  location ~ ^/_aliases$ {
 #    proxy_pass http://127.0.0.1:9200;
 #    proxy_read_timeout 90;
 #  }

 #  location ~ ^/.*/_aliases$ {
 #    proxy_pass http://127.0.0.1:9200;
 #    proxy_read_timeout 90;
 #  }
 #  location ~ ^/.*/_nodes$ {
 #    proxy_pass http://127.0.0.1:9200;
 #    proxy_read_timeout 90;
 #  }
 #  location ~ ^/.*/_search$ {
 #    proxy_pass http://127.0.0.1:9200;
 #    proxy_read_timeout 90;
 #  }
 #  location ~ ^/.*/_mapping$ {
 #    proxy_pass http://127.0.0.1:9200;
 #    proxy_read_timeout 90;
 #  }

  # Password protected end points
  location ~ ^/kibana-int/dashboard/.*$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
    }
  }
  location ~ ^/kibana-int/temp.*$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
    }
  }
 }
 }
	user nginx;
	worker_processes 10;

	error_log /var/log/nginx/error.log warn;
	pid /var/run/nginx.pid;


	events {
	worker_connections 1024;
	}


	http {
	auth_ldap_cache_enabled on;
	auth_ldap_cache_expiration_time 10000;
	auth_ldap_cache_size 1000;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;

	sendfile on;
	#tcp_nopush on;

	keepalive_timeout 65;

	gzip on;
	gzip_disable "msie6";

	gzip_min_length 1100;
	gzip_vary on;
	gzip_proxied any;
	gzip_buffers 16 8k;
	gzip_types text/plain text/css application/json application/x-javascript
	text/xml application/xml application/rss+xml text/javascript
	image/svg+xml application/x-font-ttf font/opentype
	application/vnd.ms-fontobject;

	include /etc/nginx/conf.d/*.conf;

	#
	# Nginx proxy for Elasticsearch + Kibana
	#
	# In this setup, we are password protecting the saving of dashboards. You may
	# wish to extend the password protection to all paths.
	#
	# Even though these paths are being called as the result of an ajax request, the
	# browser will prompt for a username/password on the first request
	#
	# If you use this, you'll want to point config.js at http://FQDN:80/ instead of
	# http://FQDN:9200
	#


	ldap_server main {
	url ldaps://ldap.domain.tld/ou=people,dc=domain,dc=tld?uid?sub;
	require valid_user;
	}


	upstream backend {
	server <FQDN>:9200;
	}

	server {
	listen *:80 ;

	server_name <FQDN>;
	access_log /var/log/nginx/kibana.access.log;
	error_log /var/log/nginx/error.log debug;

	auth_ldap "Forbidden";
	auth_ldap_servers main;

	location / {
	root /usr/local/kibana-3.1.0;
	index index.html index.htm;
	}

	location ^~ /elasticsearch/ {
	proxy_pass http://backend/;
	}

	location ^~ /plugins/ {
	proxy_pass http://backend/;
	root /usr/share/elasticsearch/plugins/;
	}

	# location ^~ /elasticsearch/ {
	# proxy_pass http://127.0.0.1:9200;
	# proxy_read_timeout 90;
	# }

	# location ~ ^/_aliases$ {
	# proxy_pass http://127.0.0.1:9200;
	# proxy_read_timeout 90;
	# }

	# location ~ ^/.*/_aliases$ {
	# proxy_pass http://127.0.0.1:9200;
	# proxy_read_timeout 90;
	# }
	# location ~ ^/.*/_nodes$ {
	# proxy_pass http://127.0.0.1:9200;
	# proxy_read_timeout 90;
	# }
	# location ~ ^/.*/_search$ {
	# proxy_pass http://127.0.0.1:9200;
	# proxy_read_timeout 90;
	# }
	# location ~ ^/.*/_mapping$ {
	# proxy_pass http://127.0.0.1:9200;
	# proxy_read_timeout 90;
	# }

	# Password protected end points
	location ~ ^/kibana-int/dashboard/.*$ {
	proxy_pass http://127.0.0.1:9200;
	proxy_read_timeout 90;
	limit_except GET {
	proxy_pass http://127.0.0.1:9200;
	auth_basic "Restricted";
	auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
	}
	}
	location ~ ^/kibana-int/temp.*$ {
	proxy_pass http://127.0.0.1:9200;
	proxy_read_timeout 90;
	limit_except GET {
	proxy_pass http://127.0.0.1:9200;
	auth_basic "Restricted";
	auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
	}
	}
	}
	}