ELK基础篇2:nginx限制kibana访问

这里主要说明我们如何使用nginx限制kibana访问,上一篇的内容中我们已经讲述了kibana的安装知识。

1、nginx安装

【解压缩】


# Before unpacking, check the tarball against the PGP signature (.asc) that nginx.org publishes next to each release; it is about to be built and installed as root.
[root@wzy_woyun soft]# tar -zxvf nginx-1.14.2.tar.gz  -C /usr/local/
# The sources unpack to /usr/local/nginx-1.14.2; the build below is run from that directory.
[root@wzy_woyun soft]# cd /usr/local/nginx-1.14.2/

【nginx编译时的环境】

[root@wzy_woyun nginx-1.14.2]# yum install pcre openssl openssl-devel zlib zlib-devel pcre-devel
[root@wzy_woyun nginx-1.14.2]# ./configure --help |grep sub
  --with-http_sub_module             enable ngx_http_sub_module
[root@wzy_woyun nginx-1.14.2]# ./configure --help |grep ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL

【编译安装】

[root@wzy_woyun nginx-1.14.2]# ./configure --prefix=/usr/local/nginx --with-http_sub_module --with-http_ssl_module
[root@wzy_woyun nginx-1.14.2]# make && make install

【创建配置文件】

#创建conf.d目录用来存放我们自己的各种配置
[root@wzy_woyun conf]# mkdir  /usr/local/nginx/conf.d

#修改主配置文件/usr/local/nginx/conf/nginx.conf 
[root@wzy_woyun conf]#vim /usr/local/nginx/conf/nginx.conf 
# Worker processes run as the unprivileged "nginx" account; "auto" sizes the
# worker count to the number of CPU cores.
user              nginx;
worker_processes  auto;
pid               /usr/local/nginx/nginx.pid;

events {
    # Upper bound on simultaneous connections per worker.
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile           on;
    #tcp_nopush        on;

    #keepalive_timeout 0;
    keepalive_timeout  65;

    #gzip  on;

    # Stock default site on port 80, serving static files from html/.
    server {
        listen       80;
        server_name  localhost;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # Server-side errors are answered with the static 50x page.
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # Per-site files (kibana.conf in this article) are loaded from conf.d/.
    include /usr/local/nginx/conf.d/*.conf;
}
#自定义配置文件kibana.conf内容
[root@wzy_woyun local]# cat /usr/local/nginx/conf.d/kibana.conf 
# Single Kibana backend on the loopback interface. After 3 failed attempts
# within 60 seconds the peer is treated as unavailable for 60 seconds.
upstream kibana_server {
    server 127.0.0.1:5601 weight=1 max_fails=3 fail_timeout=60;
}

# Plain reverse proxy to Kibana. This block carries no allow/deny or
# auth_basic directives, so on its own it does not restrict who can connect.
server {
    listen      80;
    server_name 10.9.7.1;

    location / {
        proxy_pass         http://kibana_server;
        # HTTP/1.1 plus the Upgrade/Connection headers let upgraded
        # (WebSocket-style) connections pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
        # Pass the requested host name on to Kibana.
        proxy_set_header   Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

【启动nginx】

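# Create the unprivileged account named by "user nginx;" and deny it a login shell.
[root@wzy_woyun conf]# useradd nginx
[root@wzy_woyun conf]# usermod -s /sbin/nologin nginx
# user:group is the documented chown separator; the dot form is a legacy spelling.
[root@wzy_woyun conf]# chown nginx:nginx /usr/local/nginx
# Check the configuration for syntax errors before starting.
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# First start: -c takes the path of the configuration file, not of the nginx binary.
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# Reload the configuration of the running instance.
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -s reload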

2、根据ip地址来限制访问

在我们自定义配置文件kibana.conf配置信息如下:

#kibana.conf配置文件
# Access-log line layout used by the Kibana proxy below.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

# NOTE(review): the address rules below guard port 5609 only. They restrict
# Kibana only if 5601 cannot be reached directly — presumably Kibana listens on
# 127.0.0.1 (server.host in kibana.yml) or the port is firewalled; confirm.
server {
    listen     5609;
    access_log /usr/local/nginx/logs/kibana_access.log main;
    error_log  /usr/local/nginx/logs/kibana_error.log error;

    location / {
        # Rules are evaluated top to bottom and the first match decides,
        # so "deny all" has to stay last.
        allow 127.0.0.1;
        allow 192.168.4.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:5601;
    }
}

其中 allow 192.168.4.0/24; 表示允许访问的网段;deny all; 表示禁止其他所有地址访问。nginx按书写顺序依次匹配这些规则,命中第一条即停止,所以 deny all 必须放在最后。

3、使用httpd-tools工具来限制访问

【安装httpd-tools工具】

[root@wzy_woyun conf]# htpasswd --help
Usage:
        htpasswd [-cimBdpsDv] [-C cost] passwordfile username
        htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password

        htpasswd -n[imBdps] [-C cost] username
        htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.

htpasswd参数
(1)-c 创建passwdfile.如果passwdfile 已经存在,那么它会重新写入并删去原有内容.
(2)-n 不更新passwordfile,直接显示密码
(3)-m 使用MD5加密(默认)
(4)-d 使用CRYPT加密(密码最多8个字符,不安全;默认算法是MD5,不是CRYPT)
(5)-p 使用普通文本格式的密码(明文存储,不安全)
(6)-s 使用SHA加密(不加盐,不安全)
(7)-b 命令行中一并输入用户名和密码而不是根据提示输入密码,可以看见明文,不需要交互
(8)-D 删除指定的用户

【配置用户信息】

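# kibana.users is the password file to create (-c) and kibana is the user name.
# Without -b, htpasswd prompts for the password, which keeps it out of the
# shell history and the process list; choose a strong one, not a sample value.
[root@wzy_woyun conf]# htpasswd -c /usr/local/nginx/conf/kibana.users kibana
New password:
Re-type new password:
Adding password for user kibana
# The nginx workers must be able to read the file; nobody else needs to.
[root@wzy_woyun conf]# chown root:nginx /usr/local/nginx/conf/kibana.users
[root@wzy_woyun conf]# chmod 640 /usr/local/nginx/conf/kibana.users
# Inspect the result: one "user:hash" line per account (the hash differs on every run).
[root@wzy_woyun conf]# cat /usr/local/nginx/conf/kibana.users 
kibana:$apr1$gUFig84A$I2SSf6.DBmtVvn/LVZkeS0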

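【修改nginx的kibana.conf配置文件,指定htpasswd生成的密码文件】

在kibana.conf的server块(或location / 块)中添加如下内容。注意Basic认证的用户名和密码只经过Base64编码,在HTTP下相当于明文传输,建议同时启用HTTPS(前面编译时已加入--with-http_ssl_module)。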

 # Realm text shown in the browser's login prompt.
 auth_basic "Restricted Access";
 # File written by htpasswd. If allow/deny rules apply to the same location, nginx's default "satisfy all" requires both a permitted address and valid credentials.
 auth_basic_user_file /usr/local/nginx/conf/kibana.users;

【重启nginx服务】

[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -t          
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -s reload


转载自blog.csdn.net/u013089490/article/details/85318301