We have a Kibana web interface behind NGINX, set up as described in the article CentOS: installing Elasticsearch + Logstash + Kibana (ELK).
The task is to allow access to it over HTTPS only.
First, create the server's private key. Note that the directory is /etc/pki/tls (the standard CentOS location, and the one referenced by the NGINX configuration below); the original article mistakenly used /var/pki/tls here:

```
# cd /etc/pki/tls
# openssl genrsa -out private/logger.domain.com.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................+++
...................+++
e is 65537 (0x10001)
```
From that key, create the certificate. With `-x509`, `openssl req` skips the certificate signing request and produces a self-signed certificate directly (it contains the public half of the key and is signed by the same key), valid here for 1095 days:

```
# openssl req -new -x509 -key private/logger.domain.com.key -out certs/logger.domain.com.crt -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:UA
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:logger.domain.com
Email Address []:[email protected]
```
Pay attention to this line:

```
Common Name (eg, your name or your server's hostname) []:logger.domain.com
```

The name entered here must match the server's FQDN, i.e. the hostname clients will use in the URL. Keep in mind that current browsers and most TLS libraries ignore the Common Name and match the hostname against the subjectAltName extension only; with OpenSSL 1.1.1 or newer that extension can be added to the same command with `-addext "subjectAltName=DNS:logger.domain.com"`. Being self-signed, the certificate will also produce a warning in browsers until it is explicitly trusted.
Check the result:

```
# ls -l certs/ | grep logger
-rw-r--r-- 1 root root 1131 Sep 9 13:34 logger.domain.com.crt
# ls -l private/ | grep logger
-rw-r--r-- 1 root root 1704 Sep 9 13:34 logger.domain.com.key
```

Note the permissions on the private key: as created above it is world-readable (0644). The certificate may be public, but the key should be readable by root only (mode 0600), since anyone who can read it can impersonate the server or decrypt captured non-PFS sessions.
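The whole key-and-certificate step above, as an added example script that is not part of the original article: it generates the key with the private file readable only by its owner, issues the self-signed certificate with the FQDN in subjectAltName (not just in CN), and then checks that the SAN is present, that the key actually matches the certificate, and that the key permissions are 0600. The function names, the `/C=UA` subject, and the default path `/etc/pki/tls` are this example's own choices; it assumes OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Generates a server key plus self-signed certificate for an NGINX vhost
# and verifies the result. Assumes OpenSSL >= 1.1.1 (for -addext).
set -eu

# make_selfsigned_cert FQDN DIR [DAYS]
# Writes DIR/private/FQDN.key (mode 0600) and DIR/certs/FQDN.crt.
make_selfsigned_cert() {
    fqdn=$1; dir=$2; days=${3:-1095}
    mkdir -p "$dir/private" "$dir/certs"
    # umask 077 in a subshell: the key file is never world-readable,
    # not even for the instant between creation and a later chmod.
    (umask 077 && openssl genrsa -out "$dir/private/$fqdn.key" 2048 2>/dev/null)
    # -x509 produces a self-signed certificate directly (no CSR step).
    # CN is kept for old clients; modern clients match on subjectAltName.
    openssl req -new -x509 -key "$dir/private/$fqdn.key" \
        -out "$dir/certs/$fqdn.crt" -days "$days" \
        -subj "/C=UA/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}

# check_cert FQDN DIR
# Returns 0 only if the certificate names FQDN in subjectAltName, the key
# matches the certificate, and the key is not group/world-readable.
check_cert() {
    fqdn=$1; dir=$2
    crt="$dir/certs/$fqdn.crt"; key="$dir/private/$fqdn.key"

    # 1. SAN must carry the hostname clients will type into the URL.
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q "DNS:$fqdn" \
        || { echo "check_cert: subjectAltName does not contain $fqdn" >&2; return 1; }

    # 2. The public key inside the cert must equal the one derived from the
    #    private key (catches a cert/key mix-up before NGINX refuses to start).
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "check_cert: private key does not match certificate" >&2; return 1; }

    # 3. Private key must be owner-only (GNU stat first, BSD stat as fallback).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ] \
        || { echo "check_cert: key mode is $mode, want 600" >&2; return 1; }
}

# Usage: sh mkcert.sh logger.domain.com [/etc/pki/tls]
if [ -n "${1:-}" ]; then
    make_selfsigned_cert "$1" "${2:-/etc/pki/tls}"
    check_cert "$1" "${2:-/etc/pki/tls}" && echo "ok: $1"
fi
```

The three checks are deliberately the ones that bite in practice: a certificate without a SAN is rejected by browsers even when the CN is right, a cert/key mismatch only shows up as an NGINX start-up error, and a 0644 key silently undermines everything else on the page.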
Next, edit the virtual host configuration file. The first server block only redirects plain HTTP to HTTPS; the second terminates TLS and proxies to Kibana on localhost:5601 behind HTTP basic authentication. Two things in the original article's version are worth correcting: `ssl on;` has been deprecated since NGINX 1.15.0 (and removed in 1.25.1) in favour of `listen 443 ssl;`, and its cipher list `AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5` together with `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` enables RC4, 3DES, MD5 and TLS 1.0/1.1, all of which are broken or deprecated; the block below uses only forward-secret AEAD suites on TLS 1.2 and 1.3 instead:

```
server {
    listen 80;
    server_name logger.domain.com;
    # redirect every plain-HTTP request to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name logger.domain.com;

    ssl_certificate     /etc/pki/tls/certs/logger.domain.com.crt;
    ssl_certificate_key /etc/pki/tls/private/logger.domain.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    access_log /var/log/nginx/logger.domain.com_access.log;
    error_log  /var/log/nginx/logger.domain.com_error.log notice;

    # basic auth in front of Kibana; credentials travel only inside TLS
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Kibana itself stays bound to localhost, so the only way in is through this NGINX vhost.
Test it:

```
# curl -k -u user:password https://logger.domain.com
<!DOCTYPE html>
<!--[if IE 8]>
<html class="no-js lt-ie9" lang="en">
<![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js" lang="en">
<!--<![endif]-->
...
```

Here `-u user:password` supplies the basic-auth credentials from htpasswd.users, and `-k` tells curl not to verify the server certificate, which is needed only because it is self-signed. To verify the chain properly instead of disabling the check, pass the certificate itself as the trust anchor with `--cacert /etc/pki/tls/certs/logger.domain.com.crt`; a plain `http://` request should now return a 301 to the HTTPS URL.
A brief description of the SSL parameters used above:

ssl_certificate – the certificate (the public part);
ssl_certificate_key – the private key;
ssl_ciphers – the cipher suites the server will negotiate;
ssl_protocols – the TLS protocol versions the server will accept.