Login for kibana and token passthrough

Author: Jc2k

docker-compose.yml

@@ -3,6 +3,7 @@ version: '2'
 volumes:
   elasticsearch_data: {}
   postgres_data: {}
+  nginx_tls: {}
 
 services:
   postgres:
@@ -35,3 +36,14 @@ services:
       dockerfile: Dockerfile
     depends_on:
     - elasticsearch
+
+  nginx:
+    build:
+      context: nginx
+      dockerfile: Dockerfile
+    depends_on:
+    - kibana
+    volumes:
+      - nginx_tls:/etc/nginx/external/
+    ports:
+      - "127.0.0.1:443:443"

kibana/Dockerfile

@@ -0,0 +1,5 @@
+FROM kibana:5.5.2
+
+RUN sh -c 'echo elasticsearch.username: "gatekeeper" >> /etc/kibana/kibana.yml'
+RUN sh -c 'echo elasticsearch.password: "keymaster" >> /etc/kibana/kibana.yml'
+RUN sh -c 'echo elasticsearch.requestHeadersWhitelist: [cookie] >> /etc/kibana/kibana.yml'

nginx/Dockerfile

@@ -0,0 +1,16 @@
+FROM openresty/openresty:alpine AS builder
+RUN apk --no-cache add curl perl
+RUN /usr/local/openresty/bin/opm get tinyauth/lua-resty-tinyauth
+
+FROM openresty/openresty:alpine
+
+RUN apk --no-cache add openssl
+
+COPY --from=builder /usr/local/openresty/site /usr/local/openresty/site
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY entrypoint.sh /docker-entrypoint
+COPY *.js /srv/static/
+
+ENTRYPOINT ["/docker-entrypoint"]
+CMD ["nginx", "-c", "/etc/nginx/nginx.conf"]

nginx/entrypoint.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+if [ -z ${DH_SIZE+x} ]
+then
+  >&2 echo ">> no \$DH_SIZE specified using default"
+  DH_SIZE="2048"
+fi
+
+DH="/etc/nginx/external/dh.pem"
+
+if [ ! -e "$DH" ]
+then
+  echo ">> generating $DH with size: $DH_SIZE"
+  openssl dhparam -out "$DH" $DH_SIZE
+fi
+
+if [ ! -e "/etc/nginx/external/cert.pem" ] || [ ! -e "/etc/nginx/external/key.pem" ]
+then
+  echo ">> generating self signed cert"
+  openssl req -x509 -newkey rsa:4096 \
+  -subj "/C=XX/ST=XXXX/L=XXXX/O=XXXX/CN=localhost" \
+  -keyout "/etc/nginx/external/key.pem" \
+  -out "/etc/nginx/external/cert.pem" \
+  -days 3650 -nodes -sha256
+fi
+
+echo "$@"
+exec "$@"

nginx/main.b9228724.js

@@ -0,0 +1,68 @@
+worker_processes 1;
+error_log /dev/stdout warn;
+daemon off;
+pid /var/run/nginx.pid;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  include       /usr/local/openresty/nginx/conf/mime.types;
+  default_type  application/octet-stream;
+
+  # Let nginx be able to resolve Docker containers
+  resolver 127.0.0.11;
+
+  access_log /dev/stdout;
+
+  upstream kibana {
+    server kibana:5601;
+  }
+
+  server {
+    listen 443 default_server;
+
+    ssl on;
+    ssl_certificate external/cert.pem;
+    ssl_certificate_key external/key.pem;
+  
+    charset utf-8;
+
+    location /login/static/ {
+      alias /srv/static/;
+      expires 365;
+    }
+
+    location = /login {
+      content_by_lua_block {
+        local tinyauth = require('resty/tinyauth');
+        local client = tinyauth.new("http://tinyauth:5000/api/v1/", "gatekeeper", "keymaster")
+        client:handle_login('b9228724')
+      }
+    }
+
+    location / {
+      access_by_lua_block {
+        local tinyauth = require('resty/tinyauth');
+        local client = tinyauth.new("http://tinyauth:5000/api/v1/", "gatekeeper", "keymaster")
+
+        local auth = client:authorize_token_for_action("AccessKibana")
+
+        if not auth['Authorized'] then
+          ngx.redirect('/login')
+          return
+        end
+
+        if auth['Identity'] then
+            ngx.req.set_header('X-User', auth['Identity'])
+        end
+      }
+
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $http_host;
+      proxy_redirect off;
+      proxy_pass   http://kibana;
+    }
+  }
+}