-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Closes #2: install + configure kibana.
- Loading branch information
Showing
4 changed files
with
129 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,6 @@ | ||
[submodule "roles/ansible-letsencrypt"] | ||
path = graylog-ec2/roles/ansible-letsencrypt | ||
url = git@github.com:jaywink/ansible-letsencrypt.git | ||
[submodule "graylog-ec2/roles/ansible-role-kibana"] | ||
path = graylog-ec2/roles/ansible-role-kibana | ||
url = git@github.com:geerlingguy/ansible-role-kibana.git |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
--- | ||
# Installs kibana (v4.6, since that is compatible with ES 2.4.2, which is the version graylog uses) | ||
# Thx! https://github.com/geerlingguy/ansible-role-kibana | ||
- name: Install and configure Kibana | ||
hosts: metrics | ||
vars: | ||
nginx_conf_dir: /opt/graylog/conf/nginx | ||
passwdfile: "{{ nginx_conf_dir }}/.htpasswd" # location of the .htpasswd file used to | ||
password: "" # basic auth password for the 'metrics' account to secure kibana instance. if empty, will skip setting/creating the file. | ||
kibana_conf_file: /opt/kibana/config/kibana.yml # config location for kibana | ||
kibana_subpath: "viz" # path uri for accessing kibana, i.e. https://myhost.com/{{ kibana_subpath }} | ||
remote_user: ubuntu | ||
become: yes | ||
|
||
roles: | ||
- role: ansible-role-kibana | ||
kibana_elasticsearch_url: "http://{{ ansible_default_ipv4.address }}:9200" | ||
|
||
post_tasks: | ||
- name: Set kibana to only listen on loopback interface | ||
replace: | ||
dest: "{{ kibana_conf_file }}" | ||
regexp: '^.*server.host.*$' | ||
replace: "server.host: 127.0.0.1" | ||
- name: Set kibana basepath to match set kibana uri path | ||
replace: | ||
dest: "{{ kibana_conf_file }}" | ||
regexp: '^.*server.basePath.*$' | ||
replace: 'server.basePath: "/{{ kibana_subpath }}"' | ||
notify: restart kibana | ||
- name: Create htpasswd file for basic auth (if does not exist) | ||
htpasswd: | ||
path: "{{ passwdfile }}" | ||
name: metrics | ||
password: "{{ password }}" | ||
owner: root | ||
group: root | ||
mode: 0644 | ||
state: present | ||
create: yes | ||
when: password | trim != '' | ||
- name: Copy over nginx config file | ||
template: | ||
src: templates/kibana-nginx-conf.j2 | ||
dest: "{{ nginx_conf_dir }}/nginx.conf" | ||
notify: restart nginx | ||
|
||
handlers: | ||
- name: restart nginx | ||
command: graylog-ctl restart nginx | ||
- name: restart kibana | ||
service: name=kibana state=restarted |
Submodule ansible-role-kibana
added at
52e426
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
worker_processes 1; | ||
daemon off; | ||
|
||
events { | ||
worker_connections 1024; | ||
} | ||
|
||
http { | ||
include {{ nginx_conf_dir }}/mime.types; | ||
default_type application/octet-stream; | ||
log_format graylog_format 'nginx: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" <msec=$msec|connection=$connection|connection_requests=$connection_requests|millis=$request_time>'; | ||
access_log /dev/stdout graylog_format; | ||
|
||
server { | ||
listen 80; | ||
return 301 https://$host:443$request_uri; | ||
error_page 502 /502.html; | ||
location /502.html { | ||
internal; | ||
} | ||
} | ||
|
||
server { | ||
listen 443; | ||
|
||
ssl on; | ||
ssl_certificate {{ nginx_conf_dir }}/ca/graylog.crt; | ||
ssl_certificate_key {{ nginx_conf_dir }}/ca/graylog.key; | ||
ssl_session_timeout 5m; | ||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; | ||
ssl_prefer_server_ciphers on; | ||
|
||
location / { | ||
proxy_pass http://localhost:9000/; | ||
proxy_http_version 1.1; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Graylog-Server-URL https://{{ inventory_hostname }}/api/; | ||
proxy_pass_request_headers on; | ||
proxy_connect_timeout 150; | ||
proxy_send_timeout 100; | ||
proxy_read_timeout 100; | ||
proxy_buffers 4 32k; | ||
client_max_body_size 8m; | ||
client_body_buffer_size 128k; | ||
} | ||
|
||
location /api/ { | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header Host $http_host; | ||
proxy_pass http://localhost:9000/api/; | ||
} | ||
|
||
location /viz/ { | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_pass http://localhost:5601/; | ||
proxy_read_timeout 90; | ||
proxy_redirect http://localhost:5601/ https://{{ inventory_hostname }}/{{ kibana_subpath }}/; | ||
auth_basic "Restricted Content"; | ||
auth_basic_user_file {{ passwdfile }}; | ||
} | ||
|
||
error_page 502 /502.html; | ||
location /502.html { | ||
internal; | ||
} | ||
} | ||
} |