Kibana 自身的认证依赖 Elasticsearch 的安全功能（X-Pack）；未启用时 Kibana 没有任何认证。通过 Nginx 反向代理可以在 Kibana 前面增加一层更灵活的认证。注意：无论采用哪种方案，Kibana 都必须只监听本机（kibana.yml 中 server.host: "localhost"，与下文 proxy_pass http://localhost:5601 对应）或用防火墙封锁 5601 端口，否则直接访问 5601 就能绕过 Nginx 的认证；同时所有方案都应配合下文的 HTTPS 使用。以下是几种实现方案：
安装htpasswd工具(如果尚未安装):
# Provides the htpasswd tool used below to create the Basic-auth password file.
sudo apt-get install apache2-utils # Ubuntu/Debian
sudo yum install httpd-tools # CentOS/RHEL
创建密码文件:
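# -B stores bcrypt hashes instead of htpasswd's weak default (MD5-based apr1).
# -c creates the file and OVERWRITES it if it already exists; omit -c when
# adding further users to an existing file.
sudo htpasswd -B -c /etc/nginx/.htpasswd username
# The file holds password hashes: keep it readable by root and nginx's worker
# user only. The group name is distro-specific (www-data on Debian/Ubuntu,
# nginx on CentOS/RHEL).
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd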
系统会提示输入并确认密码
配置Nginx:
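# Plain-HTTP listener: redirect only. HTTP Basic auth sends the password
# base64-encoded (not encrypted) on every request, so the auth_basic block
# below must only be reachable over TLS.
server {
    listen 80;
    server_name kibana.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name kibana.yourdomain.com;
    # Same certificate paths as in the HTTPS section below.
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # NOTE(review): if Kibana itself has security enabled it will also
        # receive the proxy's Basic credentials in the Authorization header
        # and may try to use them against Elasticsearch; in that case strip
        # them here:
        #   proxy_set_header Authorization "";

        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # Let Kibana log the real client address and scheme.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}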
如果 Elasticsearch 已启用 X-Pack 安全功能（此时 Kibana 自带登录页并自行完成认证，Nginx 只做透明转发；不要在这种模式下再叠加 auth_basic，否则 Kibana 会把 Nginx 的 Basic 凭据当成自己的 Authorization 头处理）:
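server {
    listen 443 ssl;
    server_name kibana.yourdomain.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # With Kibana/Elasticsearch security enabled, Kibana performs the login
    # itself (session cookie, or Basic auth for API clients) and nginx is a
    # transparent pass-through. Do NOT add auth_basic here: Kibana would
    # receive the proxy credentials as its own Authorization header.
    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        # nginx forwards client request headers (Cookie, Authorization) to
        # the upstream by default; this line only guards against another
        # proxy_set_header elsewhere clearing it.
        # (The former `proxy_pass_header Authorization;` was dropped: that
        # directive concerns hidden upstream *response* headers such as
        # Date/Server/X-Accel-*, so it had no effect here.)
        proxy_set_header Authorization $http_authorization;
    }
}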
启用 auth_request 模块（Nginx 没有内置的 LDAP 模块；下面的方案用 ngx_http_auth_request_module 把每个请求转交给一个外部认证服务，例如 nginx-ldap-auth 守护进程，由它去查询 LDAP）:
# 大多数发行版的 Nginx 包已经编译了该模块，可用 nginx -V 2>&1 | grep -o with-http_auth_request_module 确认；只有自行编译时才需要加上 --with-http_auth_request_module
配置Nginx:
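server {
    listen 443 ssl;
    server_name kibana.yourdomain.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        # Every request is first sent as a body-less subrequest to /auth; the
        # proxied request only proceeds if the auth backend answers 2xx.
        # A 401 from the backend goes to @error401; 403 is returned as-is.
        auth_request /auth;
        error_page 401 = @error401;

        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }

    # Authentication subrequest. `internal` stops clients from calling it
    # directly. The client's request headers (Cookie, Authorization) are
    # forwarded by default; that is what the LDAP auth service verifies.
    location = /auth {
        internal;
        proxy_pass http://ldap-auth-server;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # The login endpoint must itself be exempt from auth_request, otherwise
    # the redirect below loops: / -> 401 -> 302 /login -> location / -> 401 ...
    # Point proxy_pass at whatever serves your login form; the upstream name
    # here is a placeholder.
    location = /login {
        auth_request off;
        proxy_pass http://ldap-auth-server;
        proxy_set_header Host $host;
        proxy_set_header X-Original-URI $request_uri;
    }

    location @error401 {
        # The originally requested URL is not carried along; add a query
        # parameter here if your login handler supports a return target.
        return 302 /login;
    }
}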
使用 Nginx 的 auth_request 模块配合 oauth2-proxy 与 OAuth2/OIDC 身份提供者集成（下面的 oauth2-proxy upstream、/oauth2/auth、/oauth2/sign_in 路径和 X-Auth-Request-User 响应头都是 oauth2-proxy 的约定）:
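server {
    listen 443 ssl;
    server_name kibana.yourdomain.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        auth_request /oauth2/auth;
        # Unauthenticated -> oauth2-proxy's sign-in page (internal redirect,
        # so the original $request_uri is still available to that location).
        error_page 401 = /oauth2/sign_in;

        # Identity as asserted by oauth2-proxy. Kibana may only trust X-User
        # if port 5601 is reachable solely through this proxy: a client that
        # can reach Kibana directly can set X-User itself.
        auth_request_set $user $upstream_http_x_auth_request_user;
        proxy_set_header X-User $user;

        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }

    # auth_request subrequest: must not carry a request body and must not be
    # callable by clients. The exact match takes precedence over the /oauth2/
    # prefix location below.
    location = /oauth2/auth {
        internal;
        proxy_pass http://oauth2-proxy;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    # Sign-in, callback and sign-out endpoints served by oauth2-proxy.
    location /oauth2/ {
        proxy_pass http://oauth2-proxy;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # Where to send the user back after login: the URI of the request
        # that triggered the 401.
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }
}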
启用HTTPS:
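# Redirect plain HTTP to HTTPS so credentials and session cookies never
# travel in cleartext.
server {
    listen 80;
    server_name kibana.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name kibana.yourdomain.com;
    ssl_certificate /path/to/cert.pem;
    # Private key: owned by root, mode 0600; nginx reads it as root at startup.
    ssl_certificate_key /path/to/key.pem;
    # Legacy protocol versions off; TLS 1.2/1.3 cover browsers and curl.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Tell browsers to use HTTPS for this host from now on. Start with a short
    # max-age until the redirect is confirmed to work everywhere.
    add_header Strict-Transport-Security "max-age=31536000" always;
    # other configuration: the location blocks of one of the schemes above ...
}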
限制IP访问:
# IP allow-list, evaluated before the request is proxied and in addition to
# any auth_* directive in the same location (`satisfy all` is the default).
# allow/deny match $remote_addr, i.e. the TCP peer: when nginx sits behind a
# load balancer or CDN that is the LB's address, not the user's, and the
# list degrades to all-allow or all-deny. In that case configure the real_ip
# module (set_real_ip_from / real_ip_header) for the trusted LB first.
location / {
allow 192.168.1.0/24;
# NOTE(review): 10.0.0.0/8 is an entire private range; narrow it to the
# actual admin subnets if possible.
allow 10.0.0.0/8;
deny all;
# other configuration (auth_*, proxy_pass ...) ...
}
Kibana 服务器配置: 在 kibana.yml 中让 Kibana 只监听本机（否则上面所有的 Nginx 认证都可以通过直接访问 5601 端口绕过），并且仅当通过子路径代理（Nginx 使用 location /kibana/）时才设置 basePath；上面的示例都使用 location /，此时不要设置 basePath：
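# kibana.yml
# Bind Kibana to loopback only: every scheme above authenticates at nginx,
# so Kibana itself must not be reachable from the network on port 5601 or
# the proxy (and its auth) can be bypassed. Matches the
# proxy_pass http://localhost:5601 used in the nginx configs.
server.host: "localhost"
# Only when Kibana is served under a sub-path (nginx `location /kibana/`);
# with `location /` leave basePath unset.
server.basePath: "/kibana"
server.rewriteBasePath: true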
重启Nginx使配置生效:
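# Validate the configuration first and only apply it if the test passes
# (a bad config would otherwise leave nginx down after the restart).
# `reload` is a graceful re-read: new workers start, old ones finish their
# in-flight requests; `restart` drops existing connections and is only
# needed for binary upgrades.
sudo nginx -t && sudo systemctl reload nginx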
选择哪种方案取决于您的安全需求和现有基础设施。对于生产环境，建议使用基于 auth_request 的 LDAP 方案或 OAuth2/OIDC 方案（账号集中管理，可由身份提供者提供 MFA 和统一注销）；Basic 认证只适合小规模或临时场景。无论哪种方案，都必须同时满足：启用 HTTPS、按需限制来源 IP、以及 Kibana 仅监听本机（否则可直接访问 5601 端口绕过 Nginx 的认证）。