Nginx

If you’ve been following Elasticsearch-related news over the past few months, you’ve most likely heard about a series of cases in which sensitive data stored in Elasticsearch clusters was exposed. Here’s a recap just in case — Equifax, CITI, AIESEC to name just a few.

Elasticsearch features are available via an extensive REST API over HTTP, which makes it easy to fit it into modern architectures. It’s super easy to create a new index, search across multiple indices and perform other management actions. Since Elasticsearch and Kibana don’t ship with built-in authentication, this also means that data can be easily exposed to malicious activity if simple yet necessary steps are not taken to secure it.

In this article, I’d like to explain how to implement one of the more common and simple methods of securing the ELK Stack — deploying nginx in front of Elasticsearch and Kibana to act as a reverse proxy.

Setting up ELK

I’m not going to provide all the instructions for installing Kibana and Elasticsearch. If you need help with this, check out our ELK guide. However, to make sure the steps for securing these two components work correctly, we do need to verify we have some settings configured correctly — changing the default ports and binding to localhost. 

Configuring Kibana

Open the Kibana configuration file, change the default port, and make sure Kibana is bound to localhost.

Save the file and restart Kibana:

Configuring Elasticsearch

Repeat the same process with Elasticsearch.

Open the Elasticsearch configuration file, change the default port, and in the Network section, make sure Elasticsearch is bound to localhost:

Save the file and restart Elasticsearch:

You’ll see that Kibana can still be easily accessed by simply opening your browser at:


Our next step will make sure this can no longer happen.

Installing and configuring Nginx

To start the process of adding authentication, we’ll install nginx:

We’re also going to install apache2-utils to help us create the accounts used with basic authentication:

Next, we’ll create a user account for the basic authentication (I chose kibanauser, but you can of course replace this with any user account you’d like):

After hitting enter, we’ll be prompted to enter and verify a password for the user.

Next, we’re going to create an nginx configuration file:

Enter the following configuration:

We are asking nginx to listen on port 8881 for connections to Elasticsearch and port 8882 for connections to Kibana, using basic authentication with the account we created with htpasswd.
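As an added example (not the article's own configuration file), here is an nginx configuration that implements what the paragraph describes: two server blocks, both protected by basic authentication, proxying to the locally bound Elasticsearch and Kibana. The upstream ports 9200 and 5601 and the password file path /etc/nginx/htpasswd.users are assumptions; substitute the ports and path you actually configured.

```nginx
# Added example, not the article's own file. Assumes Elasticsearch is bound to
# 127.0.0.1:9200 and Kibana to 127.0.0.1:5601 (replace with the ports you chose),
# and that htpasswd wrote the kibanauser account to /etc/nginx/htpasswd.users.

# Elasticsearch: the only externally reachable path to it is this port,
# and every request must carry valid basic-auth credentials.
server {
    listen 8881;
    server_name _;

    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass         http://127.0.0.1:9200;
        proxy_http_version 1.1;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        # Do not pass the browser's credentials on to Elasticsearch itself.
        proxy_set_header   Authorization    "";
    }
}

# Kibana: same pattern on a separate port, reusing the same account file.
server {
    listen 8882;
    server_name _;

    auth_basic           "Kibana";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass         http://127.0.0.1:5601;
        proxy_http_version 1.1;
        # Kibana keeps a long-lived connection open; these headers support it.
        proxy_set_header   Upgrade          $http_upgrade;
        proxy_set_header   Connection       "upgrade";
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   Authorization    "";
    }
}
```

Because Elasticsearch and Kibana are bound to localhost, a request that bypasses nginx (for example directly to port 9200 from another host) is refused at the network level, so the password check in nginx is the only way in. Run `nginx -t` to validate the file before restarting.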

That’s all there is to it.

Restart nginx and restart Kibana:

Verifying authentication

Both Elasticsearch and Kibana are now gated with basic authentication. We can verify this using some cURL commands.

For Elasticsearch, use:

You should see the following output:

For Kibana:

And the output:

Opening up our browser at http://localhost:8882 displays an authentication dialog (since I’m using an EC2 instance, the URL specifies the public IP):


Enter the user and password you configured, and Kibana is displayed.


Endnotes

Like many open source projects, the ELK Stack lacks some key ingredients to make it production-ready. Security is one of them. While using nginx as a reverse proxy helps us close some of the security gaps, it will not help us protect our stack from specific attack vectors and Elasticsearch-specific vulnerabilities.

That’s where using a completely managed service like Logz.io can help, providing users with a bullet-proof platform that includes role-based access, user control, SSO and is fully compliant with the strictest regulatory requirements.

Of course, the nginx configuration described here was just a simple example. More advanced configurations will allow you to encrypt traffic with SSL and we will explore adding SSL into the mix in a future article.

Logz.io offers a secure and compliant ELK solution. Easily monitor, troubleshoot, and secure your environment with one unified platform.