This guide will work anywhere, but was originally written as part 4 of a series of guides on setting up an Elasticstack.
- Building Your Environment in AWS
- Setting up and Installing Elasticsearch
- Setting up Kibana
- Using a Proxy for Kibana with HAProxy
- Enabling Security and Using Password Authentication
- Making Kibana Internet Accessible with Cloudfront
- Securing Cloudfront with Security Groups
- Inserting Data into Elasticsearch with Logstash
This guide will show you how to setup a proxy for a kibana dashboard. It can also double as basic load balancing if required.
Step 1: Setup Instance and OS
I am going to be using a t3a.nano with Centos 7 to make it as cheap as possible. It has the default 8GB. This server will be running a firewall and HAProxy. In my case it is for personal use, so I don’t need much memory or CPU. If you are running it with a more users, you may need to get a bigger server.
Start by ensuring your server is up to date.
sudo yum updateNow we need to install a few things first. (I am going to be using vim throughout this guide, so install that if you fancy)
sudo yum install vim firewalld haproxyNow that everything is installed, lets set it all up.
Step 2: Configure Firewall.d
First we need to start Firewall.d.
sudo systemctl start firewalldNext we have to allow http into the server. Firewall.d will by default block everything except SSH. (Or else you wouldn’t be able to remote into it).
sudo firewall-cmd --add-service http --permanentNow reload the config with:
sudo firewall-cmd --reloadYou can confirm it has worked by running:
sudo firewall-cmd --list-allYou should see a services line that looks something like this:
> services: dhcpv6-client http sshNow its time to setup the proxy.
Step 3: Configure HAProxy
Start by opening up the default config file.
sudo vim /etc/haproxy/haproxy.cfgThe default config will have a large number of defaults that are fine to leave as is. Go past the global and defaults section (you can edit these if you like) and go to the frontend and backend section.
Remove all frontends and backends from the config (or coment them out) and add the below in instead:
frontend web
bind *:80
default_backend kibana
backend kibana
mode http
server kibana1 172.31.70.80:5601 check
server kibana2 172.31.70.81:5601 checkBe sure to set the IP to your Kibana instance. Add or remove more backends for each Kibana you have.
Step 4: Start HAProxy
If you would like HAProxy to start on startup:
sudo systemctl enable haproxyBefore you start HAProxy, if you are running on a Centos/RHEL family that has SELinux enabled, you are going to have to allow HAProxy to use port 80.
You can run the below command to allow HAProxy on restricted ports:
sudo setsebool -P haproxy_connect_any=1With that done, you can finally start HAProxy.
sudo systemctl start haproxyIf everything has gone as planned, you should now to able to navigate to your Kibana dashboard via the proxy server on port 80. (You may need to temporarily add port 80 and your IP address to a Security Group in order to access it.)
OPTIONAL: You can connect an Elastic IP to your proxy so that its IP address never changes. I would suggest you do so as it makes it much easier later on, and it is free so long as the instance is running.
With that done, we can now move onto adding a password requirement and security to our cluster. You can checkout Part 5: Enabling Security and Using Password Authentication to continue.
Any thoughts, concerns, mistakes? Let me know in the comments or via the Contact page.
BlueScionic 