Installing Kibana + NGINX Reverse Proxy on CentOS 8

Kibana is a service for visualizing Elasticsearch data and navigating the Elastic Stack. It helps you create dashboards, customize visualizations, generate interactive graphs, present geodata, analyze relationships, and explore anomalies with machine learning.

Installing Kibana from the repository

Import the PGP key that is used to verify packages from the Elasticsearch repository

$ sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Add the repository

$ sudo nano /etc/yum.repos.d/kibana.repo
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install Kibana

$ sudo dnf -y install kibana

Add the Kibana service to startup and start it

$ sudo systemctl enable --now kibana

Checking if the service has started

$ systemctl status kibana

Installing Kibana from an RPM package

Download the Kibana package and install it

$ wget https://artifacts.elastic.co/downloads/kibana/kibana-7.9.3-x86_64.rpm -P /tmp
$ cd /tmp
$ sudo dnf -y localinstall kibana-7.9.3-x86_64.rpm

Add the Kibana service to startup and start it

$ sudo systemctl enable --now kibana

Checking if the service has started

$ sudo systemctl status kibana

Checking the port

$ netstat -tulnp | grep 5601

Setting up Kibana

Editing the Kibana config file

$ sudo nano /etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "192.168.1.10"
[…]

# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["http://localhost:9200"]

Restarting Kibana

$ sudo systemctl restart kibana

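If we use NGINX as a reverse proxy, Kibana should listen only on localhost so that it is reachable only through the proxy

[…]
server.host: "localhost"
[…]

In the earlier example (server.host: "192.168.1.10"), the server listens on the 192.168.1.10 interface.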

Firewall configuration (if we do not use nginx as reverse proxy)

Opening port 5601

$ sudo firewall-cmd --add-port=5601/tcp --permanent
$ sudo firewall-cmd --reload

Installing NGINX

Add NGINX repository

$ sudo nano /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

The stable version is used by default. If you need the mainline version, enable its repository

$ sudo dnf config-manager --set-enabled nginx-mainline

Install NGINX and httpd-tools

$ sudo dnf -y install nginx httpd-tools

Add the NGINX service to startup and start it

$ sudo systemctl enable --now nginx

Checking if the service has started

$ systemctl status nginx

Configuring NGINX

Disable the default config

$ cd /etc/nginx/conf.d/
$ sudo mv default.conf default.conf.disable

Create config for Kibana

$ sudo nano kibana.conf
server {
  listen      80;
  #listen      [::]:80 ipv6only=on;
  server_name _;

  auth_basic "Restricted Access";
  auth_basic_user_file /etc/nginx/.kibana-user;

  location / {
    proxy_pass http://localhost:5601/;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}

Generating a password for authorization

$ sudo htpasswd -c /etc/nginx/.kibana-user mykibana
New password: password
Re-type new password: password
Adding password for user mykibana

Reload NGINX and check the status

$ sudo systemctl reload nginx
$ systemctl status nginx

Firewall configuration

Opening port 80

$ sudo firewall-cmd --permanent --zone=public --add-service=http
$ sudo firewall-cmd --reload

See the list of rules

$ sudo firewall-cmd --list-all

Close port 5601 if it was previously opened

$ sudo firewall-cmd --permanent --zone=public --remove-port=5601/tcp
$ sudo firewall-cmd --reload

SELinux configuration

Allow NGINX (which runs in the httpd_t SELinux domain) to open network connections to the Kibana backend

$ sudo setsebool -P httpd_can_network_connect=1
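
A way to check the end state this guide aims for (Kibana bound to loopback, port 5601 closed in firewalld), as an added example that is not part of the original tutorial. The function names and the sample kibana.yml, ss and firewall-cmd text are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the "Kibana only via NGINX" layout.
# All function names and sample data below are constructed, not from the tutorial.

# Effective server.host from kibana.yml text on stdin ("localhost" if unset,
# which is the default stated in the kibana.yml comments).
kibana_bind_host() {
  sed -n 's/^server\.host:[[:space:]]*//p' | tr -d "\"' " | tail -n 1 |
    awk '{ h = $0 } END { print (h == "" ? "localhost" : h) }'
}

# Print non-loopback listeners on port $1 from `ss -tlnH` output on stdin.
# Returns 1 if any were found.
exposed_listeners() {
  awk -v port="$1" '
    { addr = $4; p = addr; sub(/.*:/, "", p)        # p = text after last ":"
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (p == port && host !~ /^127\./ && host != "[::1]") { print addr; bad = 1 } }
    END { exit bad + 0 }'
}

# Succeeds if $1/tcp appears in `firewall-cmd --list-ports` output on stdin.
firewalld_port_open() {
  tr -s ' ' '\n' | grep -qx "$1/tcp"
}

# Args: kibana.yml text, ss output, firewalld port list.
# Prints one finding per line; exit status 0 means no findings.
audit_kibana() (
  rc=0
  host=$(printf '%s\n' "$1" | kibana_bind_host)
  case "$host" in localhost|127.*|::1) ;; *) echo "bind:$host"; rc=1 ;; esac
  if ! printf '%s\n' "$2" | exposed_listeners 5601 >/dev/null; then
    echo "listener:5601"; rc=1
  fi
  if printf '%s\n' "$3" | firewalld_port_open 5601; then
    echo "firewall:5601/tcp"; rc=1
  fi
  exit "$rc"
)

# Constructed samples: direct-exposure settings vs. reverse-proxy settings.
DIRECT_YML='server.port: 5601
server.host: "192.168.1.10"'
DIRECT_SS='LISTEN 0 128 192.168.1.10:5601 0.0.0.0:*'
PROXY_YML='server.port: 5601
server.host: "localhost"'
PROXY_SS='LISTEN 0 128 127.0.0.1:5601 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

audit_kibana "$DIRECT_YML" "$DIRECT_SS" "5601/tcp" || true
audit_kibana "$PROXY_YML" "$PROXY_SS" "" && echo "OK: Kibana reachable only through NGINX"
```

On a live host, run as root and pass the real data: audit_kibana "$(cat /etc/kibana/kibana.yml)" "$(ss -tlnH)" "$(firewall-cmd --list-ports)".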