Kibana-proxy-nginx: improve SSL

kibana-proxy-nginx/README.md

@@ -1,6 +1,6 @@
 # kibana
 
-Install Kibana.
+Install kibana proxy configurations (with or without SSL) for Nginx.
 
 ## Tasks
 
@@ -11,4 +11,5 @@ Everything is in the `tasks/main.yml` file.
 The only variables are derived from gathered facts.
 
 By default, Kibana will bind to localhost:5601.
-If Nginx is installed, a typical proxy configuration is copied into `/etc/nginx/sites-available`. It can be tweeked and enabled by hand.
+
+The configurations are installed but not enabled.

kibana-proxy-nginx/defaults/main.yml

@@ -1,2 +1,3 @@
-kibana_proxy_bind: "{{ ansible_default_ipv4.address }}:80"
 kibana_proxy_domain: "kibana.{{ ansible_fqdn }}"
+kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
+kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key"

kibana-proxy-nginx/tasks/main.yml

@@ -1,14 +1,20 @@
 ---
 
-- name: Example proxy for Kibana with Nginx
+- name: Example proxy for Kibana with Nginx (with SSL)
   template:
-    src: nginx_proxy_kibana.j2
-    dest: /etc/nginx/sites-available/kibana.conf
+    src: nginx_proxy_kibana_ssl.j2
+    dest: /etc/nginx/sites-available/kibana_ssl.conf
     force: no
 
-- name: Kibana host in Nginx is enabled
-  file:
-    src: /etc/nginx/sites-available/kibana.conf
-    dest: /etc/nginx/sites-enabled/kibana.conf
-    state: link
-  notify: reload nginx
+- name: Example proxy for Kibana with Nginx (without SSL)
+  template:
+    src: nginx_proxy_kibana_nossl.j2
+    dest: /etc/nginx/sites-available/kibana_nossl.conf
+    force: no
+
+# - name: Kibana host in Nginx is enabled
+#   file:
+#     src: /etc/nginx/sites-available/kibana.conf
+#     dest: /etc/nginx/sites-enabled/kibana.conf
+#     state: link
+#   notify: reload nginx

kibana-proxy-nginx/templates/nginx_proxy_kibana_nossl.j2

@@ -4,11 +4,17 @@ upstream kibana {
 server {
   charset utf-8;
 
-  # ajouter les règles d'authentification
+  listen 80;
 
-  listen      {{ kibana_proxy_bind }};
   server_name {{ kibana_proxy_domain }};
 
+  # Auth.
+  include /etc/nginx/snippets/private_ipaddr_whitelist;
+  deny all;
+  auth_basic "Reserved {{ kibana_proxy_domain }}";
+  auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
+  satisfy any;
+
   location / {
     proxy_redirect off;
     proxy_pass http://kibana/;

kibana-proxy-nginx/templates/nginx_proxy_kibana_ssl.j2

@@ -0,0 +1,38 @@
+upstream kibana {
+  server 127.0.0.1:5601 fail_timeout=0;
+}
+
+server {
+    listen [::]:80;
+    listen 80;
+    server_name {{ kibana_proxy_domain }};
+    return 301 https://{{ kibana_proxy_domain }}$request_uri;
+}
+server {
+  charset utf-8;
+
+  listen 443 ssl spdy;
+
+  server_name {{ kibana_proxy_domain }};
+
+  ssl_certificate {{ kibana_proxy_ssl_cert }};
+  ssl_certificate_key {{ kibana_proxy_ssl_key }};
+
+  # Auth.
+  include /etc/nginx/snippets/private_ipaddr_whitelist;
+  deny all;
+  auth_basic "Reserved {{ kibana_proxy_domain }}";
+  auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
+  satisfy any;
+
+  location / {
+    proxy_redirect off;
+    proxy_pass http://kibana/;
+    proxy_set_header    X-Real-IP   $remote_addr;
+    proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto  $scheme;
+    proxy_set_header    X-Forwarded-Server  $host;
+    proxy_set_header    X-Forwarded-Host  $host;
+    proxy_set_header    Host  $host;
+  }
+}