Motivation
An Amazon OpenSearch Service cluster can run inside a virtual private cloud (VPC). If you want to reach the Kibana (OpenSearch Dashboards) instance dedicated to such a cluster, you have two options. One is tunneling through an EC2 bastion host, which is relatively straightforward; a disadvantage of this approach is that you need to share your bastion host keys with clients. The other is a reverse proxy on the bastion host that forwards to the private OpenSearch Kibana. In this example we show how to set up access to Kibana using an Nginx reverse proxy and provision it with Ansible.
This example is a basic setup that can serve as a basis for future improvements. It does not include secure access configuration (certificates, authentication). It uses plain HTTP between the client and the proxy server; for a production environment, HTTPS is recommended here. That makes it the easier setup, but also the less secure one.
Example
Inventory
First you need an inventory with one variable per host (open_search_endpoint) that points to the Kibana instance. Give it the domain endpoint host name without a scheme, because the playbook prefixes it with https:// itself. Notice that we have two EC2 instances in our inventory; one can serve the production environment and the second staging, for example.
[ec2s]
{host1} open_search_endpoint={open_search_endpoint1}
{host2} open_search_endpoint={open_search_endpoint2}
Main playbook
Next we define the main Ansible playbook, which is pretty straightforward. For it to work, the configuration files (default.conf and nginx.conf) must be where the copy tasks expect them, one directory above the playbook (../default.conf and ../nginx.conf).
# Can be run multiple times (idempotent), main playbook
---
- hosts: ec2s
  # Package installation, writing under /etc/nginx and controlling the
  # service all need root, so escalate for the whole play.
  become: yes
  tasks:
    - name: Update all packages
      yum:
        name: "*"
        state: latest
        update_only: yes
    - name: Enable nginx for amazon linux 2
      shell: "amazon-linux-extras enable nginx1.12"
    - name: Install nginx
      yum:
        name: nginx
        state: latest
    - name: Delete the packaged default site config (replaced below)
      file:
        path: "/etc/nginx/conf.d/default.conf"
        state: absent
    - name: Start nginx
      service:
        name: nginx
        state: started
        enabled: yes
    - name: Copy website default config
      copy:
        src: ../default.conf
        dest: /etc/nginx/conf.d/default.conf
        owner: root
        group: root
        mode: 0644
    - name: Copy nginx default config
      copy:
        src: ../nginx.conf
        dest: /etc/nginx/nginx.conf
        owner: root
        group: root
        mode: 0644
    - name: Set correct open search endpoint
      # Match the proxy_pass line itself (default.conf carries the placeholder
      # "proxy_pass open_search_uri;"). A regexp that matches nothing would make
      # lineinfile append the directive at end of file, outside the server
      # block, and nginx would reject the config on restart.
      lineinfile:
        dest: /etc/nginx/conf.d/default.conf
        regexp: '^\s*proxy_pass\s'
        line: "        proxy_pass https://{{ open_search_endpoint }};"
    - name: Restart nginx
      service:
        name: nginx
        state: restarted
Default configuration
For default.conf we use a simple proxy_pass. If you want a more secure connection, this is where you would configure HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name localhost;

    # Send a bare "/" to the OpenSearch Dashboards path on the domain endpoint.
    location = / {
        rewrite ^ /_dashboards/ redirect;
    }

    location / {
        # Placeholder: the playbook's lineinfile task rewrites this line to
        # "proxy_pass https://<open_search_endpoint>;" before nginx is restarted.
        proxy_pass open_search_uri;
        # Do not forward client-supplied credentials to the domain, and do not
        # pass an upstream Authorization header back to the client.
        proxy_set_header Authorization "";
        proxy_hide_header Authorization;
    }
}
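A hardened variant of default.conf, added here as an example and not part of the original setup: it terminates TLS on the proxy, redirects plain HTTP to HTTPS and keeps the same placeholder line for the lineinfile task. The certificate paths, server name and allowed client range are assumptions to replace with your own.

```nginx
# Added example: HTTPS version of default.conf (not from the original post).
# Assumed: a certificate and key are already placed on the bastion host at the
# paths below (provisioned by you, e.g. with an extra copy task).

# Port 80 only redirects; nothing is proxied over plain HTTP any more.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name kibana-proxy.example.internal;   # assumed DNS name of the proxy

    ssl_certificate     /etc/nginx/ssl/proxy.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/proxy.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Optional client allow-list (assumed office/VPN range); remove these two
    # lines to accept any client the security group already lets through.
    allow 10.0.0.0/8;
    deny  all;

    location = / {
        rewrite ^ /_dashboards/ redirect;
    }

    location / {
        # Same placeholder as the HTTP version; the playbook's lineinfile task
        # turns it into "proxy_pass https://<open_search_endpoint>;".
        proxy_pass open_search_uri;
        proxy_set_header Authorization "";
        proxy_hide_header Authorization;
        # Tell the upstream who the real client is and that it arrived over TLS.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The playbook's lineinfile regexp still matches the single proxy_pass line, so no change to the playbook is needed beyond copying the certificate files.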
Nginx configuration
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}