I want to use NGINX to configure an Amazon Elastic Compute Cloud (Amazon EC2) Linux instance as a proxy server.
Resolution
Note: This solution works only for domains that don't use Amazon Cognito authentication.
First, launch an EC2 instance inside the public subnet of the same virtual private cloud (VPC) where the Amazon OpenSearch Service domain is. Then, complete the following steps.
Configure the NGINX proxy
1. Install NGINX on the EC2 Linux instance:
$ sudo yum -y install nginx
2. In your preferred file editor, edit the nginx.conf file. Then, add the OpenSearch Service cluster endpoint to the proxy_pass directive in the location block.
$ sudo vim /etc/nginx/nginx.conf
Example configuration:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name localhost;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass https://<your-es-cluster-vpc-endpoint>;
    }
}
Note: For proxy_pass, include https in your endpoint. If you don't include the entire endpoint, then you might get an invalid URL prefix in /etc/nginx/nginx.conf:47 error message.
3. To start the service, run the following command:
$ sudo service nginx start
Access the Kibana or OpenSearch Dashboards
Note: OpenSearch Service supports legacy Elasticsearch domain versions 5.3 and later and uses Kibana dashboard by default. OpenSearch Service versions 1.0 and later use OpenSearch Dashboards.
To access the Kibana or OpenSearch Dashboards endpoint, open your browser and enter one of the following URLs:
http://<ec2-public-ip>/_plugin/kibana
http://<ec2-public-ip>/_dashboards
For clusters with FGAC
For clusters with fine-grained access control (FGAC), you must include an SSL/TLS certificate. To create an SSL/TLS certificate, run the following command:
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
Note: The SSL/TLS certificate is valid for one year. To continue to use this solution after the SSL/TLS certificate expires, delete existing certificates and create a new certificate.
The modified configuration file looks similar to the following example:
server {
    # Both listeners need the ssl parameter; without it, the IPv6 socket serves plain HTTP on port 443.
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name localhost;
    root /usr/share/nginx/html;

    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 requires nginx 1.13.0 or later built with OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass https://<your-es-cluster-vpc-endpoint>;
    }
}
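The points this article calls out (https in proxy_pass, TLS on the port 443 listeners, the one-year certificate lifetime) can be checked with a script before each NGINX reload. The following script is an added example, not part of the original article: the function names and the check.sh file name are hypothetical, and the TLS 1.0/1.1 check is an assumption based on RFC 8996, not on this article.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; pass the paths you use.

# Print one finding per line for the nginx config FILE; print nothing if clean.
lint_proxy_conf() {
    # Strip comments so commented-out directives are not matched.
    body=$(sed 's/#.*//' "$1")

    # proxy_pass must carry the https:// scheme (see the note under step 2).
    printf '%s\n' "$body" | grep -E '^[[:space:]]*proxy_pass[[:space:]]' |
        grep -Ev 'proxy_pass[[:space:]]+https://' |
        sed 's/^[[:space:]]*/proxy_pass without https: /'

    # Every listener on port 443 needs the ssl flag, IPv6 included.
    printf '%s\n' "$body" |
        grep -E '^[[:space:]]*listen.*[[:space:]:]443[[:space:];]' |
        grep -Ev '[[:space:]]ssl[[:space:];]' |
        sed 's/^[[:space:]]*/listen on 443 without ssl: /'

    # Assumption beyond the article: TLS 1.0 and 1.1 are deprecated (RFC 8996).
    printf '%s\n' "$body" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' |
        grep -E 'TLSv1(\.1)?[[:space:];]' |
        sed 's/^[[:space:]]*/deprecated TLS version enabled: /'
}

# Return 0 if CERT stays valid for at least DAYS more days (default 30).
cert_valid_for() {
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null
}

# Usage: sh check.sh /etc/nginx/nginx.conf [/etc/nginx/cert.crt]
if [ "$#" -gt 0 ]; then
    findings=$(lint_proxy_conf "$1")
    if [ -n "${2:-}" ] && ! cert_valid_for "$2"; then
        findings=$(printf '%s\ncertificate expires within 30 days: %s' "$findings" "$2")
    fi
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed '/^$/d'
        exit 1
    fi
fi
```

The script exits with a nonzero status when it reports a finding, so it can run before sudo service nginx restart.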
Related information
How do I use an NGINX proxy to access OpenSearch Dashboards from outside a VPC that's using Amazon Cognito authentication?