
@doevelopper
Last active September 16, 2020 07:27

vim /etc/nginx/nginx.conf

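# Main nginx configuration (/etc/nginx/nginx.conf). Virtual hosts live in
# /etc/nginx/conf.d/*.conf and are pulled in at the end of the http block.
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
	worker_connections 1024;
	# multi_accept on;
}

http {

	# basic Settings
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# Do not advertise the nginx version in the Server header and error pages.
	server_tokens off;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	# ssl settings
	# TLS 1.0 and 1.1 are deprecated and are no longer offered. TLSv1.3 is only
	# negotiated when nginx is built against an OpenSSL that supports it
	# (1.1.1 or newer); older builds silently fall back to TLSv1.2.
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;

	# logging settings
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	# gzip settings
	# Note: compressing responses that echo secrets (tokens, CSRF values) over
	# TLS is a known compression-oracle risk; keep it off for such endpoints.
	gzip on;
	gzip_disable "msie6";

	# virtual host configs
	include /etc/nginx/conf.d/*.conf;
}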

vim /etc/nginx/conf.d/elk-stack.conf

Now that we have our SSL certificates, we need to update our nginx config to enable SSL, redirect HTTP to HTTPS, and point `ssl_certificate` and `ssl_certificate_key` at the certificate and private key we retrieved from Let's Encrypt.

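# Reverse proxy in front of the Elasticsearch coordinating nodes. nginx is the
# only thing standing between the internet and the ES REST API here, so every
# path except the ACME challenge and the two health endpoints requires
# credentials.
upstream elasticsearch {
    server es-coordinator-1:9200;
    server es-coordinator-2:9200;
    # Pool of idle connections kept open to the upstream (requires HTTP/1.1
    # and a Connection header that does not ask the upstream to close).
    keepalive 15;
}

# Plain-HTTP listener: everything, including ACME challenges, is redirected
# to HTTPS (Let's Encrypt follows the redirect, so the challenge location
# below must exist on the 443 server).
server {
  listen 80;
  server_name elk.proxy.acme.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name elk.proxy.acme.com;

  ssl_certificate /etc/letsencrypt/live/elk.proxy.acme.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/elk.proxy.acme.com/privkey.pem;

  # "ssl on;" is redundant with "listen 443 ssl" and was removed in
  # nginx 1.15.0, so it is no longer set here.
  ssl_session_cache  builtin:1000  shared:SSL:10m;
  # TLS 1.0/1.1 are deprecated; TLSv1.3 is used when the OpenSSL build
  # supports it (1.1.1+) and is otherwise ignored.
  ssl_protocols  TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
  ssl_prefer_server_ciphers on;

  # Tell browsers to keep using HTTPS for this host for one year.
  add_header Strict-Transport-Security "max-age=31536000" always;

  # Let's Encrypt HTTP-01 challenge files, served without credentials.
  # NOTE(review): no "root" is set in this location, so files are looked up
  # under nginx's compiled-in default root; point "root" at the certbot
  # webroot if renewals use the webroot plugin.
  location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
  }

  # The whole Elasticsearch REST API. Without authentication here any client
  # could read, write and delete indices through the proxy.
  location / {
    auth_basic "Elasticsearch";
    # Placeholder path: create the file with htpasswd and keep it readable
    # only by the nginx user.
    auth_basic_user_file /etc/nginx/<path-to-htpasswd>;

    # deny node shutdown api. Match on the normalised request path ($uri)
    # rather than $request_filename, which is root + $uri and therefore
    # depends on whatever "root" is in effect. "return" ends processing, so
    # no "break" is needed after it.
    if ($uri ~ "_shutdown") {
      return 403;
    }

    proxy_pass http://elasticsearch;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }

  # Exact "/" only: the cluster banner, left unauthenticated for probes.
  # Note that the banner discloses the cluster name and ES version.
  location = / {
    proxy_pass http://elasticsearch;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    auth_basic off;
  }

  # Health endpoints, unauthenticated so a load balancer can poll them.
  location ~* ^(/_cluster/health|/_cat/health) {
    proxy_pass http://elasticsearch;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    auth_basic off;
  }
}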
@doevelopper

Miscellaneous snippets from AWS (Kibana behind nginx with Amazon Cognito sign-in).

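# TLS front end for Kibana on an Amazon Elasticsearch Service domain, with
# the sign-in pages proxied to Amazon Cognito and hostnames in redirects,
# cookies and response bodies rewritten to this proxy's own host.
server {
    # "ssl" on the listen directive replaces the removed "ssl on;" directive.
    listen 443 ssl;
    # server_name does not expand variables (only $hostname is special), so the
    # previous "$host" was a literal name. As the only 443 server it was the
    # default anyway; "_" states the catch-all intent explicitly.
    server_name _;
    rewrite ^/$ https://$host/_plugin/kibana redirect;

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLS 1.0/1.1 dropped; TLSv1.3 is negotiated when the OpenSSL build allows.
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # Both upstreams are reached over HTTPS. Send SNI so the AWS endpoints
    # present the right certificate. nginx does NOT verify upstream
    # certificates by default; enable it with a CA bundle for the host OS:
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate <path-to-ca-bundle>;
    proxy_ssl_server_name on;

    # Kibana itself. "^~" is a prefix match that wins over the regex
    # location below, so Kibana paths containing e.g. "log" stay here.
    location ^~ /_plugin/kibana {
        # Forward requests to Kibana
        proxy_pass https://vpc-mykibana-111xxx.us-east1.es.amazonaws.com/_plugin/kibana;

        # Handle redirects to Amazon Cognito
        proxy_redirect https://mydomain.auth.us-east-1.amazoncognito.com https://$host;

        # Update cookie domain and path
        proxy_cookie_domain vpc-mykibana-111xxx.us-east1.es.amazonaws.com $host;

        # Ask for an uncompressed response so sub_filter can rewrite the body.
        proxy_set_header Accept-Encoding "";
        sub_filter_types *;
        sub_filter vpc-mykibana-111xxx.us-east1.es.amazonaws.com $host;
        sub_filter_once off;

        # Response buffer settings
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    # Cognito hosted-UI pages. This is a substring match anywhere in the URI
    # (e.g. "/login", "/signup", "/error"), not an anchored path list.
    location ~ \/(log|sign|error|fav|forgot|change|confirm) {
        # Forward requests to Cognito
        proxy_pass https://mydomain.auth.us-east-1.amazoncognito.com;

        # Handle redirects to Kibana
        proxy_redirect https://vpc-mykibana-111xxx.us-east1.es.amazonaws.com https://$host;

        # Handle redirects to Amazon Cognito
        proxy_redirect https://mydomain.auth.us-east-1.amazoncognito.com https://$host;

        # Update cookie domain
        proxy_cookie_domain mydomain.auth.us-east-1.amazoncognito.com $host;
    }
}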


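# Main nginx configuration for a plain-HTTP Kibana proxy in front of an
# Amazon Elasticsearch Service domain. Note that this server listens on
# port 80 only: nothing here authenticates the client, and the Authorization
# header is cleared before proxying, so access control has to come from the
# ES domain's access policy (presumably restricted to this instance's IP —
# confirm before exposing it).
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    # Hide the nginx version from the Server header and error pages.
    server_tokens       off;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        server_name kibana.mydomain.com;

        # for elb health checks
        location /status {
            root /usr/share/nginx/html/ ;
        }

        # Kibana entry point. Host is pinned to the domain endpoint and
        # X-Real-IP to a fixed placeholder (the instance's public IP) rather
        # than $remote_addr; replace the placeholder before use.
        location / {
            proxy_set_header Host search-aws-es.eu-west-1.es.amazonaws.com;
            proxy_set_header X-Real-IP <public-ip-for-instance>;

            proxy_http_version 1.1;
            proxy_set_header Connection "Keep-Alive";
            proxy_set_header Proxy-Connection "Keep-Alive";
            # Never pass a client-supplied Authorization header to the domain.
            proxy_set_header Authorization "";

            proxy_pass https://search-aws-es.eu-west-1.es.amazonaws.com/_plugin/kibana/;
            proxy_redirect https://search-aws-es.eu-west-1.es.amazonaws.com/_plugin/kibana/ http://<public-ip-for-instance>/kibana/;
        }

        # Kibana asset and API paths, including direct Elasticsearch access
        # via /elasticsearch and /es_admin. The domain is reached over HTTPS
        # here as well, consistent with the "/" location above; the original
        # used plain http for this location only. NOTE(review): Host is set
        # to the client's $host here but to the domain endpoint above —
        # confirm the AWS endpoint accepts the former.
        location ~ (/app/kibana|/app/timelion|/bundles|/es_admin|/plugins|/api|/ui|/elasticsearch) {
            proxy_pass              https://search-aws-es.eu-west-1.es.amazonaws.com;
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            proxy_set_header        X-Forwarded-Host $http_host;
        }
    }
}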
