forked from evolix/ansible-roles
Kibana-proxy-nginx: improve SSL
parent
45a3ad5ef1
commit
27ca3e204a
|
@ -1,6 +1,6 @@
|
||||||
# kibana
|
# kibana
|
||||||
|
|
||||||
Install Kibana.
|
Install kibana proxy configurations (with or without SSL) for Nginx.
|
||||||
|
|
||||||
## Tasks
|
## Tasks
|
||||||
|
|
||||||
|
@ -11,4 +11,5 @@ Everything is in the `tasks/main.yml` file.
|
||||||
The only variables are derived from gathered facts.
|
The only variables are derived from gathered facts.
|
||||||
|
|
||||||
By default, Kibana will bind to localhost:5601.
|
By default, Kibana will bind to localhost:5601.
|
||||||
If Nginx is installed, a typical proxy configuration is copied into `/etc/nginx/sites-available`. It can be tweeked and enabled by hand.
|
|
||||||
|
The configurations are installed but not enabled.
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
kibana_proxy_bind: "{{ ansible_default_ipv4.address }}:80"
|
|
||||||
kibana_proxy_domain: "kibana.{{ ansible_fqdn }}"
|
kibana_proxy_domain: "kibana.{{ ansible_fqdn }}"
|
||||||
|
kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
|
||||||
|
kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key"
|
||||||
|
|
|
@ -1,14 +1,20 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Example proxy for Kibana with Nginx
|
- name: Example proxy for Kibana with Nginx (with SSL)
|
||||||
template:
|
template:
|
||||||
src: nginx_proxy_kibana.j2
|
src: nginx_proxy_kibana_ssl.j2
|
||||||
dest: /etc/nginx/sites-available/kibana.conf
|
dest: /etc/nginx/sites-available/kibana_ssl.conf
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
- name: Kibana host in Nginx is enabled
|
- name: Example proxy for Kibana with Nginx (without SSL)
|
||||||
file:
|
template:
|
||||||
src: /etc/nginx/sites-available/kibana.conf
|
src: nginx_proxy_kibana_nossl.j2
|
||||||
dest: /etc/nginx/sites-enabled/kibana.conf
|
dest: /etc/nginx/sites-available/kibana_nossl.conf
|
||||||
state: link
|
force: no
|
||||||
notify: reload nginx
|
|
||||||
|
# - name: Kibana host in Nginx is enabled
|
||||||
|
# file:
|
||||||
|
# src: /etc/nginx/sites-available/kibana.conf
|
||||||
|
# dest: /etc/nginx/sites-enabled/kibana.conf
|
||||||
|
# state: link
|
||||||
|
# notify: reload nginx
|
||||||
|
|
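Review bot: Both `template` tasks keep `force: no`, so a host that already has `kibana_ssl.conf` or `kibana_nossl.conf` never receives later changes to these templates, including TLS or authentication fixes. If that is deliberate, to preserve hand edits, say so above each task, for example `# force: no - keeps local edits; template updates do not reach existing hosts`. The commented-out "Kibana host in Nginx is enabled" task still points at the old `kibana.conf` name, which this commit no longer installs. It would be cleaner to delete it, or to replace it with a real task guarded by a variable. Hosts provisioned by the previous version presumably keep the old `kibana.conf` and its `sites-enabled` link, since nothing here removes them.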
|
@ -4,11 +4,17 @@ upstream kibana {
|
||||||
server {
|
server {
|
||||||
charset utf-8;
|
charset utf-8;
|
||||||
|
|
||||||
# ajouter les règles d'authentification
|
listen 80;
|
||||||
|
|
||||||
listen {{ kibana_proxy_bind }};
|
|
||||||
server_name {{ kibana_proxy_domain }};
|
server_name {{ kibana_proxy_domain }};
|
||||||
|
|
||||||
|
# Auth.
|
||||||
|
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
||||||
|
deny all;
|
||||||
|
auth_basic "Reserved {{ kibana_proxy_domain }}";
|
||||||
|
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||||
|
satisfy any;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_redirect off;
|
proxy_redirect off;
|
||||||
proxy_pass http://kibana/;
|
proxy_pass http://kibana/;
|
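Review bot: The new `auth_basic` block sits on a vhost that only has `listen 80;`, so any client outside the whitelist sends its htpasswd credentials in cleartext. Replacing `listen {{ kibana_proxy_bind }};` with `listen 80;` also widens the bind from the default IPv4 address to every IPv4 address on the host. I would keep the bind configurable and add a warning at the top of the template, e.g. `# No TLS: basic-auth credentials are sent unencrypted; enable only on a trusted network.` The file also appears to declare `upstream kibana`, as the SSL template does, so enabling both configurations would likely fail with a duplicate upstream; that is worth stating in the README. The `server` block continues past the end of this hunk.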
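--- a/kibana-proxy-nginx/templates/nginx_proxy_kibana_ssl.j2
+++ b/kibana-proxy-nginx/templates/nginx_proxy_kibana_ssl.j2
@@ -0,0 +1,38 @@
+upstream kibana {
+server 127.0.0.1:5601 fail_timeout=0;
+}
+
+server {
+listen [::]:80;
+listen 80;
+server_name {{ kibana_proxy_domain }};
+return 301 https://{{ kibana_proxy_domain }}$request_uri;
+}
+server {
+charset utf-8;
+
+listen 443 ssl spdy;
+
+server_name {{ kibana_proxy_domain }};
+
+ssl_certificate {{ kibana_proxy_ssl_cert }};
+ssl_certificate_key {{ kibana_proxy_ssl_key }};
+
+# Auth.
+include /etc/nginx/snippets/private_ipaddr_whitelist;
+deny all;
+auth_basic "Reserved {{ kibana_proxy_domain }}";
+auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
+satisfy any;
+
+location / {
+proxy_redirect off;
+proxy_pass http://kibana/;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header Host $host;
+}
+}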
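Review bot: The TLS server block sets only `ssl_certificate` and `ssl_certificate_key`, so protocol versions and cipher suites fall back to whatever the installed nginx defaults to. On older packages those defaults can include protocols that should be disabled; pin them with `ssl_protocols TLSv1.2 TLSv1.3;` (adjusted to what the target nginx/OpenSSL supports) or include a shared hardened snippet. `listen 443 ssl spdy;` relies on the `spdy` parameter, which newer nginx releases replaced with `http2`, so the template will fail to load there. The port-80 redirect listens on `[::]:80` but the HTTPS block has no `listen [::]:443 ssl;`, so IPv6 clients are redirected to a port that is not served. Because `satisfy any;` lets whitelisted addresses skip the password, add a comment above the `# Auth.` block saying so.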