这里主要说明我们如何使用nginx限制kibana访问,上一篇的内容中我们已经讲述了kibana的安装知识。
1、nginx安装
【解压缩】
[root@wzy_woyun soft]# tar -zxvf nginx-1.14.2.tar.gz -C /usr/local/
[root@wzy_woyun soft]# cd /usr/local/nginx-1.14.2/
【nginx编译时的环境】
[root@wzy_woyun nginx-1.14.2]# yum install pcre openssl openssl-devel zlib zlib-devel pcre-devel
[root@wzy_woyun nginx-1.14.2]# ./configure --help |grep sub
--with-http_sub_module enable ngx_http_sub_module
[root@wzy_woyun nginx-1.14.2]# ./configure --help |grep ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
【编译安装】
[root@wzy_woyun nginx-1.14.2]# ./configure --prefix=/usr/local/nginx --with-http_sub_module --with-http_ssl_module
[root@wzy_woyun nginx-1.14.2]# make && make install
【创建配置文件】
#创建conf.d目录用来存放我们自己的各种配置
[root@wzy_woyun conf]# mkdir /usr/local/nginx/conf.d
#修改主配置文件/usr/local/nginx/conf/nginx.conf
[root@wzy_woyun conf]#vim /usr/local/nginx/conf/nginx.conf
# Main nginx configuration (/usr/local/nginx/conf/nginx.conf).
# Defines the stock default site on port 80 and loads every *.conf file
# from /usr/local/nginx/conf.d/ into the http context.

# Worker processes run as the unprivileged "nginx" account; that account
# must exist before nginx is started.
user nginx;
worker_processes auto;
pid /usr/local/nginx/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# Default site: serves static files from the html directory.
server {
listen 80;
server_name localhost;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
# Per-site files (such as conf.d/kibana.conf) are included inside http {},
# so they may contain upstream, log_format and server blocks.
# NOTE(review): every *.conf file in that directory is loaded, so the
# directory should be writable by root only.
include /usr/local/nginx/conf.d/*.conf;
}
#自定义配置文件kibana.conf内容
[root@wzy_woyun local]# cat /usr/local/nginx/conf.d/kibana.conf
# conf.d/kibana.conf: reverse proxy in front of a Kibana instance that
# listens on the loopback address, port 5601.
upstream kibana_server {
# Single backend; weight/max_fails/fail_timeout have little effect until
# more servers are added to this group.
server 127.0.0.1:5601 weight=1 max_fails=3 fail_timeout=60;
}
# NOTE(review): this server block has no allow/deny rules and no
# auth_basic, and it listens on plain HTTP. Anyone who can reach port 80
# on this host can get the Kibana UI; restrict it before exposing it
# beyond a trusted network.
server {
listen 80;
server_name 10.9.7.1;
location / {
proxy_pass http://kibana_server;
# HTTP/1.1 plus the Upgrade/Connection headers let upgraded
# (WebSocket-style) connections pass through the proxy.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
# Pass the requested host name through to Kibana.
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
【启动nginx】
#修改权限
[root@wzy_woyun conf]# useradd nginx
[root@wzy_woyun conf]# usermod -s /sbin/nologin nginx
[root@wzy_woyun conf]# chown nginx.nginx /usr/local/nginx
#检查配置文件是否正常
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
#首次启动需要-c参数指定配置文件
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
#重启
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -s reload
2、根据ip地址来限制访问
在我们自定义配置文件kibana.conf配置信息如下:
# kibana.conf
# Access-log line format named "main": client address, user, time, request
# line, status, bytes sent, referer, user agent and X-Forwarded-For.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server {
listen 5609;
access_log /usr/local/nginx/logs/kibana_access.log main;
error_log /usr/local/nginx/logs/kibana_error.log error;
location / {
# Rules are checked in order and the first match decides: loopback and
# 192.168.4.0/24 are allowed, every other client address is rejected.
# As configured here the check uses the address of the connecting peer;
# the X-Forwarded-For value is only written to the log.
allow 127.0.0.1;
allow 192.168.4.0/24;
deny all;
# NOTE(review): the filter protects this listener only. Kibana on port
# 5601 should itself be bound to 127.0.0.1, otherwise clients can skip
# nginx and connect to it directly -- confirm.
proxy_pass http://127.0.0.1:5601;
}
}
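其中allow 192.168.4.0/24;表示允许访问的网段,deny all;表示禁止其他所有地址访问。规则按书写顺序匹配,第一条匹配的规则生效,所以deny all;必须写在allow之后。另外,这些规则只保护nginx的5609端口:需要确认Kibana本身只监听127.0.0.1(kibana.yml中的server.host),否则客户端可以绕过nginx直接访问5601端口。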
3、使用httpd-tools工具来限制访问
【安装httpd-tools工具】(htpasswd命令由httpd-tools软件包提供,可用 yum install httpd-tools 安装)
[root@wzy_woyun conf]# htpasswd --help
Usage:
htpasswd [-cimBdpsDv] [-C cost] passwordfile username
htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
htpasswd -n[imBdps] [-C cost] username
htpasswd -nb[mBdps] [-C cost] username password
-c Create a new file.
-n Don't update file; display results on stdout.
-b Use the password from the command line rather than prompting for it.
-i Read password from stdin without verification (for script usage).
-m Force MD5 encryption of the password (default).
-B Force bcrypt encryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 31).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA encryption of the password (insecure).
-p Do not encrypt the password (plaintext, insecure).
-D Delete the specified user.
-v Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
htpasswd参数
(1)-c 创建passwdfile.如果passwdfile 已经存在,那么它会重新写入并删去原有内容.
(2)-n 不更新passwordfile,直接显示密码
(3)-m 使用MD5加密(默认)
(4)-d 使用CRYPT加密(密码最多8个字符,不安全;默认算法是-m的MD5)
(5)-p 使用普通文本格式的密码(明文存储,不安全)
(6)-s 使用SHA加密(不加盐,不安全)
(7)-b 命令行中一并输入用户名和密码而不是根据提示输入密码,可以看见明文,不需要交互
(8)-D 删除指定的用户
【配置用户信息】
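#kibana.users是生成的文件名称,kibana是用户名,123456是密码(仅作演示,实际部署请使用强密码)。注意:-b会把明文密码写在命令行上,密码会留在shell历史记录中,也可能被同机其他用户通过进程列表看到;实际操作时建议去掉-b,让htpasswd交互式提示输入密码。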
[root@wzy_woyun conf]# htpasswd -bc /usr/local/nginx/conf/kibana.users kibana 123456
Adding password for user kibana
#查看
[root@wzy_woyun conf]# cat /usr/local/nginx/conf/kibana.users
kibana:$apr1$gUFig84A$I2SSf6.DBmtVvn/LVZkeS0
【修改nginx的kibana.conf配置文件指出htpasswd】
在kibana.conf添加如下内容
# HTTP Basic authentication for the Kibana proxy. Place these directives in
# the server or location block of kibana.conf.
# NOTE(review): Basic credentials are only base64-encoded, and the listeners
# on this page are plain HTTP, so the password crosses the network in the
# clear; serve this site over TLS (the build enables http_ssl_module).
# NOTE(review): if allow/deny rules are present in the same block, nginx
# requires both the address check and the login by default.
auth_basic "Restricted Access";
# Password file created with htpasswd; it must be readable by the nginx
# worker user and should not be readable by other accounts.
auth_basic_user_file /usr/local/nginx/conf/kibana.users;
【重启nginx服务】
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@wzy_woyun ~]# /usr/local/nginx/sbin/nginx -s reload