forked from evolix/ansible-roles
Kibana-proxy-nginx: improve SSL
parent
45a3ad5ef1
commit
27ca3e204a
|
@ -1,6 +1,6 @@
|
|||
# kibana
|
||||
|
||||
Install Kibana.
|
||||
Install kibana proxy configurations (with or without SSL) for Nginx.
|
||||
|
||||
## Tasks
|
||||
|
||||
|
@ -11,4 +11,5 @@ Everything is in the `tasks/main.yml` file.
|
|||
The only variables are derived from gathered facts.
|
||||
|
||||
By default, Kibana will bind to localhost:5601.
|
||||
If Nginx is installed, a typical proxy configuration is copied into `/etc/nginx/sites-available`. It can be tweeked and enabled by hand.
|
||||
|
||||
The configurations are installed but not enabled.
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
kibana_proxy_bind: "{{ ansible_default_ipv4.address }}:80"
|
||||
kibana_proxy_domain: "kibana.{{ ansible_fqdn }}"
|
||||
kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
|
||||
kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key"
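Review bot: The default `kibana_proxy_ssl_cert` and `kibana_proxy_ssl_key` paths are built from `ansible_fqdn`, while the vhost they serve is `kibana_proxy_domain`, i.e. `kibana.{{ ansible_fqdn }}`. Unless the host certificate also lists that name as a SAN (not visible here), browsers will report a name mismatch and users get used to clicking through a warning before entering the Basic-auth password. Consider deriving the defaults from the served name, e.g. `kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ kibana_proxy_domain }}.crt"` and the matching `.key`, or documenting the SAN requirement in the README. A short comment above each variable saying which template consumes it would also help.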
|
||||
|
|
|
@ -1,14 +1,20 @@
|
|||
---
|
||||
|
||||
- name: Example proxy for Kibana with Nginx
|
||||
- name: Example proxy for Kibana with Nginx (with SSL)
|
||||
template:
|
||||
src: nginx_proxy_kibana.j2
|
||||
dest: /etc/nginx/sites-available/kibana.conf
|
||||
src: nginx_proxy_kibana_ssl.j2
|
||||
dest: /etc/nginx/sites-available/kibana_ssl.conf
|
||||
force: no
|
||||
|
||||
- name: Kibana host in Nginx is enabled
|
||||
file:
|
||||
src: /etc/nginx/sites-available/kibana.conf
|
||||
dest: /etc/nginx/sites-enabled/kibana.conf
|
||||
state: link
|
||||
notify: reload nginx
|
||||
- name: Example proxy for Kibana with Nginx (without SSL)
|
||||
template:
|
||||
src: nginx_proxy_kibana_nossl.j2
|
||||
dest: /etc/nginx/sites-available/kibana_nossl.conf
|
||||
force: no
|
||||
|
||||
# - name: Kibana host in Nginx is enabled
|
||||
# file:
|
||||
# src: /etc/nginx/sites-available/kibana.conf
|
||||
# dest: /etc/nginx/sites-enabled/kibana.conf
|
||||
# state: link
|
||||
# notify: reload nginx
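Review bot: Hosts already provisioned by the previous revision keep `/etc/nginx/sites-available/kibana.conf` and its `sites-enabled` symlink, because the tasks shown here only install `kibana_ssl.conf` and `kibana_nossl.conf` and nothing removes or replaces the old file. If the old template is what the template section of this page suggests (a bare `listen 80;` with only a placeholder comment for authentication), that vhost stays live without the new `# Auth.` rules; consider a `file:` task with `state: absent` for the old link, or say so in the README. The commented-out enable task still points at `kibana.conf`, which no longer matches either new destination. With `force: no`, later fixes to the templates will also not reach hosts where the destination file already exists, which deserves a comment next to the option.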
|
||||
|
|
|
@ -4,11 +4,17 @@ upstream kibana {
|
|||
server {
|
||||
charset utf-8;
|
||||
|
||||
# ajouter les règles d'authentification
|
||||
listen 80;
|
||||
|
||||
listen {{ kibana_proxy_bind }};
|
||||
server_name {{ kibana_proxy_domain }};
|
||||
|
||||
# Auth.
|
||||
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
||||
deny all;
|
||||
auth_basic "Reserved {{ kibana_proxy_domain }}";
|
||||
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||
satisfy any;
|
||||
|
||||
location / {
|
||||
proxy_redirect off;
|
||||
proxy_pass http://kibana/;
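Review bot: The `auth_basic` lines in this server block are served over plain HTTP, since the block listens on `{{ kibana_proxy_bind }}`, which defaults to port 80 of the default IPv4 address. With `satisfy any;`, any client outside `private_ipaddr_whitelist` is prompted for a password that then crosses the network unencrypted on every request. For the non-SSL variant, consider leaving only the `include /etc/nginx/snippets/private_ipaddr_whitelist;` and `deny all;` lines, or binding to a loopback or management address, and keep password access for the SSL template. The file header for this section is missing from the page (it appears to be the template the tasks install as `kibana_nossl.conf`), and the `location /` block continues past the end of the hunk.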
|
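--- /dev/null
+++ b/kibana-proxy-nginx/templates/nginx_proxy_kibana_ssl.j2
@@ -0,0 +1,38 @@
+upstream kibana {
+server 127.0.0.1:5601 fail_timeout=0;
+}
+
+server {
+listen [::]:80;
+listen 80;
+server_name {{ kibana_proxy_domain }};
+return 301 https://{{ kibana_proxy_domain }}$request_uri;
+}
+server {
+charset utf-8;
+
+listen 443 ssl spdy;
+
+server_name {{ kibana_proxy_domain }};
+
+ssl_certificate {{ kibana_proxy_ssl_cert }};
+ssl_certificate_key {{ kibana_proxy_ssl_key }};
+
+# Auth.
+include /etc/nginx/snippets/private_ipaddr_whitelist;
+deny all;
+auth_basic "Reserved {{ kibana_proxy_domain }}";
+auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
+satisfy any;
+
+location / {
+proxy_redirect off;
+proxy_pass http://kibana/;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header Host $host;
+}
+}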
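Review bot: The TLS server in this new template listens with `listen 443 ssl spdy;` only, while the redirect server above it also listens on `[::]:80`, so a client arriving over IPv6 is redirected to a port this vhost does not bind on IPv6. Adding `listen [::]:443 ssl;` next to the IPv4 line would close that gap. The `spdy` parameter was superseded by `http2` in nginx 1.9.5, so on newer packages this file will not pass `nginx -t`; which nginx version the role targets is not visible here. The block sets no `ssl_protocols` or `ssl_ciphers`, so protocol and cipher policy comes entirely from the global nginx configuration, which is worth stating in a comment above `ssl_certificate`. Both templates also declare `upstream kibana`, so enabling the two sites together would fail on a duplicate upstream.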