Building a Kibana Docker Image with Basic Auth via an Nginx Reverse Proxy
The official Kibana image has no authentication at all by default; exposed to the internet it is easily found and abused, so an Nginx reverse proxy is placed in front of it to enforce Basic Auth. Note that the official 5.x images and the 6.x/7.x images differ considerably in both base Linux distribution and start-up script, so the build steps below are split accordingly.
1. Kibana 5.x: the official image is based on Debian and the start-up script lives in the / directory
Dockerfile
FROM kibana:5.3

# Bind Kibana to loopback so it is only reachable through the proxy, even if someone maps port 5601 by mistake
RUN sed -i "s/server.host: '0.0.0.0'/server.host: '127.0.0.1'/g" /etc/kibana/kibana.yml

# Install Nginx
RUN apt-get update && apt-get install --no-install-recommends --no-install-suggests -y nginx

EXPOSE 80

# Environment variable holding the htpasswd file contents (each "$" must be escaped in a Dockerfile)
ENV AUTH_HTPASSWD admin:\$apr1\$iyh1Sj5.\$kVFjc2Nw9xrbz5rVdzPEC.

# Nginx configuration; drop Debian's default site so kibana.conf is the only server block on port 80
COPY kibana.conf /etc/nginx/conf.d/
RUN rm -f /etc/nginx/sites-enabled/default

# Start-up script: writes the auth environment variable to a file, then starts Nginx and Kibana
COPY entrypoint.sh /
RUN chmod +x /entrypoint.sh

# Clean up the apt cache
RUN rm -rf /var/lib/apt/lists/*

ENTRYPOINT ["/entrypoint.sh"]
The start-up script and the Nginx proxy configuration needed for the build:
entrypoint.sh

#!/bin/sh
# Write the htpasswd file from the environment variable
echo "$AUTH_HTPASSWD" > /etc/nginx/conf.d/htpasswd
# Start Nginx, then hand the process over to Kibana's own entrypoint
# (exec so that container signals reach Kibana directly)
service nginx start && exec /docker-entrypoint.sh kibana
kibana.conf

upstream kibana_server {
    server 127.0.0.1:5601 weight=1 max_fails=3 fail_timeout=60;
}

server {
    listen 80;
    listen [::]:80;
    server_name www.kibana.com;

    # basic auth
    auth_basic "Basic Auth";
    auth_basic_user_file /etc/nginx/conf.d/htpasswd;

    location / {
        proxy_pass http://kibana_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
2. Kibana 6.x and later: the official image is based on CentOS and the start-up script is /usr/local/bin/kibana-docker
Dockerfile
FROM kibana:7.9.3

# Switch to root (the official image runs as the kibana user by default)
USER root

# Bind Kibana to loopback so it is only reachable through the proxy, even if someone maps port 5601 by mistake
RUN sed -i 's/server.host: "0"/server.host: "127.0.0.1"/g' /usr/share/kibana/config/kibana.yml

# Install Nginx from EPEL
RUN yum install -y epel-release && yum install -y nginx \
    && yum clean all && rm -rf /var/cache/yum/*

EXPOSE 80

# Environment variable holding the htpasswd file contents (each "$" must be escaped in a Dockerfile)
ENV AUTH_HTPASSWD admin:\$apr1\$iyh1Sj5.\$kVFjc2Nw9xrbz5rVdzPEC.

# Nginx configuration. CentOS has no sites-enabled directory, so the rm below is a no-op there;
# if requests end up on the Nginx welcome page instead of Kibana, check /etc/nginx/nginx.conf
# for a default server block on port 80 that catches Host names other than server_name
COPY kibana.conf /etc/nginx/conf.d/
RUN rm -f /etc/nginx/sites-enabled/default

# Start-up script: writes the auth environment variable to a file, then starts Nginx and Kibana
COPY entrypoint.sh /
RUN chmod +x /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
The start-up script and the Nginx proxy configuration needed for the build:
entrypoint.sh

#!/bin/sh
# Write the htpasswd file from the environment variable
echo "$AUTH_HTPASSWD" > /etc/nginx/conf.d/htpasswd
# Start Nginx, then Kibana.
# The official image runs Kibana as the "kibana" user, so the Kibana process is started as that user.
# "runuser -l" would start a login shell and clear the container's environment (ELASTICSEARCH_HOSTS
# and the other variables kibana-docker reads), so the command is run directly with -u instead.
/usr/sbin/nginx && exec runuser -u kibana -- /usr/local/bin/kibana-docker
kibana.conf

upstream kibana_server {
    server 127.0.0.1:5601 weight=1 max_fails=3 fail_timeout=60;
}

server {
    listen 80;
    listen [::]:80;
    server_name www.kibana.com;

    # basic auth
    auth_basic "Basic Auth";
    auth_basic_user_file /etc/nginx/conf.d/htpasswd;

    location / {
        proxy_pass http://kibana_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
3. Usage
Generate an htpasswd file, copy its contents into the container's AUTH_HTPASSWD environment variable, and start the container with port 80 mapped. A reference docker-compose.yml follows; note that every $ in the htpasswd line must be escaped as $$ in the compose file:
docker-compose.yml

version: '3.5'
services:
  kibana:
    image: itfsw/kibana:7.9.3
    container_name: kibana
    ports:
      - 1000:80
    environment:
      AUTH_HTPASSWD: 'admin:$$apr1$$VRGn3W3e$$y31sVsSdv1HWbsUhkl5EH1'
      ELASTICSEARCH_HOSTS: 'http://elasticsearch:9200'
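As an added example (not part of the original post or the itfsw/kibana image), a small POSIX shell helper for the usage step: it generates an htpasswd entry with openssl, escapes it for docker-compose, checks the entry is really an apr1 hash rather than a plaintext password, and smoke-tests a running container to confirm the proxy rejects unauthenticated requests. It assumes openssl and curl are installed, the 1000:80 port mapping from the compose file above, and constructed sample credentials.

```shell
#!/bin/sh
# Added helper, not part of the original post: prepare AUTH_HTPASSWD for
# docker-compose and verify that the proxy really enforces Basic Auth.
# Assumes openssl and curl are installed; credentials below are constructed samples.

# docker-compose interpolates "$name", so every "$" in the apr1 hash must
# become "$$" (the form shown in the compose file above).
compose_escape() {
    printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# True if the line is "user:$apr1$<8-char salt>$<22-char hash>", the Apache
# MD5 format nginx's auth_basic_user_file accepts (never a plaintext password).
is_apr1_entry() {
    printf '%s\n' "$1" | grep -Eq '^[^:]+:\$apr1\$[./0-9A-Za-z]{8}\$[./0-9A-Za-z]{22}$'
}

# Generate an entry without the apache tools: "openssl passwd -apr1" yields
# the same format as "htpasswd -m".
make_htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Smoke test against the running container: the proxy must answer 401 without
# credentials and something other than 401 with them. Returns 0 on success.
check_proxy_auth() {
    url="$1"; user="$2"; password="$3"
    anon="$(curl -s -o /dev/null -w '%{http_code}' "$url")"
    auth="$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$password" "$url")"
    [ "$anon" = "401" ] && [ "$auth" != "401" ]
}

# Usage (constructed sample credentials; port 1000 is the mapping from the compose file):
#   entry="$(make_htpasswd_entry admin 'change-me')"
#   is_apr1_entry "$entry" && echo "AUTH_HTPASSWD: '$(compose_escape "$entry")'"
#   check_proxy_auth http://localhost:1000/ admin 'change-me' && echo "proxy enforces auth"
```

Run check_proxy_auth against port 1000 (the proxy) and, if you also map 5601 by mistake, against that port too: the loopback binding in the Dockerfile should make the latter unreachable.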