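ELK Basics, Part 2: Restricting Kibana Access with nginx
阿新 • Published: 2018-12-28
This post explains how to use nginx to restrict access to Kibana. The previous post covered installing Kibana.
1. Installing nginx
【Extract the archive】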
[[email protected]_woyun soft]# tar -zxvf nginx-1.14.2.tar.gz -C /usr/local/
[[email protected]_woyun soft]# cd /usr/local/nginx-1.14.2/
【Build dependencies for nginx】
[[email protected]_woyun nginx-1.14.2]# yum install pcre openssl openssl-devel zlib zlib-devel pcre-devel
[[email protected]_woyun nginx-1.14.2]# ./configure --help |grep sub
--with-http_sub_module enable ngx_http_sub_module
[[email protected]_woyun nginx-1.14.2]# ./configure --help |grep ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
【Compile and install】
[[email protected]_woyun nginx-1.14.2]# ./configure --prefix=/usr/local/nginx --with-http_sub_module --with-http_ssl_module
[[email protected]_woyun nginx-1.14.2]# make && make install
【Create the configuration files】
# Create a conf.d directory to hold our own configuration files
[[email protected]_woyun conf]# mkdir /usr/local/nginx/conf.d
# Edit the main configuration file /usr/local/nginx/conf/nginx.conf
[[email protected]_woyun conf]# vim /usr/local/nginx/conf/nginx.conf
user nginx;
worker_processes auto;
pid /usr/local/nginx/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 80;
        server_name localhost;
        #access_log logs/host.access.log main;
        location / {
            root html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    include /usr/local/nginx/conf.d/*.conf;
}
# Contents of the custom configuration file kibana.conf
[[email protected]_woyun local]# cat /usr/local/nginx/conf.d/kibana.conf
upstream kibana_server {
    server 127.0.0.1:5601 weight=1 max_fails=3 fail_timeout=60;
}
server {
    listen 80;
    server_name 10.9.7.1;
    location / {
        proxy_pass http://kibana_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
【Start nginx】
# Change permissions
[[email protected]_woyun conf]# useradd nginx
[[email protected]_woyun conf]# usermod -s /sbin/nologin nginx
[[email protected]_woyun conf]# chown nginx:nginx /usr/local/nginx
# Check that the configuration file is valid
[[email protected]_woyun ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# The first start needs the -c option to specify the configuration file
[[email protected]_woyun ~]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# Reload
[[email protected]_woyun ~]# /usr/local/nginx/sbin/nginx -s reload
2. Restricting access by IP address
Put the following configuration in our custom kibana.conf:
# kibana.conf configuration file
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
server {
    listen 5609;
    access_log /usr/local/nginx/logs/kibana_access.log main;
    error_log /usr/local/nginx/logs/kibana_error.log error;
    location / {
        allow 127.0.0.1;
        allow 192.168.4.0/24;
        deny all;
        proxy_pass http://127.0.0.1:5601;
    }
}
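Here allow 192.168.4.0/24; names the network segment that is permitted to connect, and deny all; blocks access from every other network. nginx checks these rules in order and stops at the first match, so the allow lines must come before deny all.
3. Restricting access with httpd-tools
【Install httpd-tools】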
[[email protected]_woyun conf]# htpasswd --help
Usage:
htpasswd [-cimBdpsDv] [-C cost] passwordfile username
htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
htpasswd -n[imBdps] [-C cost] username
htpasswd -nb[mBdps] [-C cost] username password
-c Create a new file.
-n Don't update file; display results on stdout.
-b Use the password from the command line rather than prompting for it.
-i Read password from stdin without verification (for script usage).
-m Force MD5 encryption of the password (default).
-B Force bcrypt encryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 31).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA encryption of the password (insecure).
-p Do not encrypt the password (plaintext, insecure).
-D Delete the specified user.
-v Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
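htpasswd options
(1) -c Create passwdfile. If passwdfile already exists, it is rewritten and its previous contents are deleted.
(2) -n Do not update passwordfile; print the result directly
(3) -m Use MD5 encryption (default)
(4) -d Use CRYPT encryption (default)
(5) -p Use a plain-text password
(6) -s Use SHA encryption
(7) -b Pass the user name and password together on the command line instead of being prompted for the password; the password is visible in clear text and no interaction is needed
(8) -D Delete the specified user
【Create the user】
# kibana.users is the name of the generated file, kibana is the user name, and 123456 is the password.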
[[email protected]_woyun conf]# htpasswd -bc /usr/local/nginx/conf/kibana.users kibana 123456
Adding password for user kibana
# View the file
[[email protected]_woyun conf]# cat /usr/local/nginx/conf/kibana.users
kibana:$apr1$gUFig84A$I2SSf6.DBmtVvn/LVZkeS0
【Point nginx's kibana.conf at the htpasswd file】
Add the following to kibana.conf:
auth_basic "Restricted Access";
auth_basic_user_file /usr/local/nginx/conf/kibana.users;
【Reload the nginx service】
[[email protected]_woyun ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected]_woyun ~]# /usr/local/nginx/sbin/nginx -s reload
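Added example, not part of the original post: a Python triage of kibana_access.log that serves both section 2 and section 3. It counts 403 responses (a deny rule matched) and 401 responses (basic auth challenged or failed) per client, and lists requests that were served to addresses outside the allow list, which would mean the restriction is not in effect. The names triage, is_allowed and sample_line and all sample lines are assumptions constructed for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Allowlist copied from the allow directives in section 2's kibana.conf.
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.4.0/24")]

# Matches one line written with the "main" log_format from section 2.
MAIN = re.compile(r'(?P<addr>\S+) - (?P<user>\S+) \[[^\]]+\] "[^"]*" '
                  r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" "[^"]*"')

def sample_line(addr, user, status, xff="-"):
    """Build a constructed log line in the "main" format (not real traffic)."""
    return (f'{addr} - {user} [28/Dec/2018:10:00:00 +0800] "GET / HTTP/1.1" '
            f'{status} 169 "-" "curl/7.29.0" "{xff}"')

SAMPLE = [
    sample_line("192.168.4.25", "kibana", 200),   # allowed and authenticated
    sample_line("203.0.113.7", "-", 403),         # outside the allowlist
    sample_line("203.0.113.7", "-", 403, "192.168.4.9"),  # X-Forwarded-For is only logged
    sample_line("192.168.4.30", "-", 401),        # first challenge, no credentials
    sample_line("192.168.4.30", "kibana", 401),   # wrong password
    sample_line("198.51.100.20", "-", 200),       # served from outside the allowlist
]

def is_allowed(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED)

def triage(lines):
    """Return (denied, auth_failed, leaks) for lines in the "main" format."""
    denied, auth_failed, leaks = Counter(), Counter(), []
    for line in lines:
        m = MAIN.match(line)
        if m is None:
            continue  # not in the expected format
        addr, user, status = m["addr"], m["user"], int(m["status"])
        if status == 403:    # what nginx answers when a deny rule matches
            denied[addr] += 1
        elif status == 401:  # basic auth challenge or wrong credentials
            auth_failed[(addr, user)] += 1
        elif status < 400 and not is_allowed(addr):
            leaks.append(line)  # allow/deny was not applied to this request
    return denied, auth_failed, leaks

print(triage(SAMPLE))
```

To run it on real data, pass the open log file instead of SAMPLE, for example triage(open("/usr/local/nginx/logs/kibana_access.log")).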