Using a Proxy Server for Your Kibana Dashboard with HAProxy

This guide will work anywhere, but was originally written as part 4 of a series of guides on setting up an Elasticstack.

  1. Building Your Environment in AWS
  2. Setting up and Installing Elasticsearch
  3. Setting up Kibana
  4. Using a Proxy for Kibana with HAProxy
  5. Enabling Security and Using Password Authentication
  6. Making Kibana Internet Accessible with Cloudfront
  7. Securing Cloudfront with Security Groups
  8. Inserting Data into Elasticsearch with Logstash

This guide will show you how to setup a proxy for a kibana dashboard. It can also double as basic load balancing if required.

Step 1: Setup Instance and OS

I am going to be using a t3a.nano with Centos 7 to make it as cheap as possible. It has the default 8GB. This server will be running a firewall and HAProxy. In my case it is for personal use, so I don’t need much memory or CPU. If you are running it with a more users, you may need to get a bigger server.

Start by ensuring your server is up to date.

sudo yum update

Now we need to install a few things first. (I am going to be using vim throughout this guide, so install that if you fancy)

sudo yum install vim firewalld haproxy

Now that everything is installed, lets set it all up.

Step 2: Configure Firewall.d

First we need to start Firewall.d.

sudo systemctl start firewalld

Next we have to allow http into the server. Firewall.d will by default block everything except SSH. (Or else you wouldn’t be able to remote into it).

sudo firewall-cmd --add-service http --permanent

Now reload the config with:

sudo firewall-cmd --reload

You can confirm it has worked by running:

sudo firewall-cmd --list-all

You should see a services line that looks something like this:

> services: dhcpv6-client http ssh

Now its time to setup the proxy.

Step 3: Configure HAProxy

Start by opening up the default config file.

sudo vim /etc/haproxy/haproxy.cfg

The default config will have a large number of defaults that are fine to leave as is. Go past the global and defaults section (you can edit these if you like) and go to the frontend and backend section.

Remove all frontends and backends from the config (or coment them out) and add the below in instead:

frontend web
  bind *:80
  default_backend kibana

backend kibana
  mode http
  server kibana1 172.31.70.80:5601 check
  server kibana2 172.31.70.81:5601 check

Be sure to set the IP to your Kibana instance. Add or remove more backends for each Kibana you have.

Step 4: Start HAProxy

If you would like HAProxy to start on startup:

sudo systemctl enable haproxy

Before you start HAProxy, if you are running on a Centos/RHEL family that has SELinux enabled, you are going to have to allow HAProxy to use port 80.

You can run the below command to allow HAProxy on restricted ports:

sudo setsebool -P haproxy_connect_any=1

With that done, you can finally start HAProxy.

sudo systemctl start haproxy

If everything has gone as planned, you should now to able to navigate to your Kibana dashboard via the proxy server on port 80. (You may need to temporarily add port 80 and your IP address to a Security Group in order to access it.)

OPTIONAL: You can connect an Elastic IP to your proxy so that its IP address never changes. I would suggest you do so as it makes it much easier later on, and it is free so long as the instance is running.

With that done, we can now move onto adding a password requirement and security to our cluster. You can checkout Part 5: Enabling Security and Using Password Authentication to continue.


Any thoughts, concerns, mistakes? Let me know in the comments or via the Contact page.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s