通过nginx实现aliyun elasticsearch v3公网kibana内网转发访问

env

  • aliyun es kibana 公网访问及IP加白
  • nginx ssl

1.aliyun elasticsearch kibana开启公网访问

白名单机制

48df19dc94772a142395e37be0da7be4.png

2.内网nginx必须ssl协议转发

80是被禁止,80打开提示:kibana nginx代理登录提示: 登录需要安全连接,请联系您的系统管理员。

2.1配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
server {
listen 443 ssl http2;
server_name xxx.internal;

ssl_certificate /etc/nginx/conf.d.ssl/keys/wildcard.xxx.crt;
ssl_certificate_key /etc/nginx/conf.d.ssl/keys/wildcard.xxx.internal.key;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# HSTS 可选:内部环境建议谨慎开启
# add_header Strict-Transport-Security "max-age=63072000" always;

# 安全设置
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff;

location / {
# 将请求代理到后端Kibana服务
proxy_pass https://zzzx.elasticsearch.aliyuncs.com;
# 头部设置
proxy_set_header Host xxxx.elasticsearch.aliyuncs.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme;
# 关闭证书校验
proxy_ssl_verify off; proxy_ssl_server_name on;
# WebSocket支持
proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_cache_bypass $http_upgrade;
# 超时设置
proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s;
}
}

2.2重载nginx进程

nginx -t && nginx -s reload

2.3验证
https://xxxx.xxxx.internal

41127a84f3777b1499a10196b7e3cc44.png

Reference