How do I use an NGINX proxy to access Kibana or OpenSearch Dashboards outside of a VPC that doesn’t use Amazon Cognito authentication?

3 minute read
0

I want to use NGINX to configure an Amazon Elastic Compute Cloud (Amazon EC2) Linux instance as a proxy server.

Resolution

Note: This solution works only for domains that are outside of Amazon Cognito.

First, launch an EC2 instance inside the public subnet of the same virtual private cloud (VPC) where the Amazon OpenSearch Service domain is. Then, complete the following steps.

Configure the NGINX proxy

1.    Install NGINX on the EC2 Linux instance:

$ sudo yum -y install nginx

2.    In your preferred file editor, edit the nginx.conf file. Then, add the OpenSearch Service cluster endpoint to the location field.

$ sudo vim /etc/nginx/nginx.conf

Example configuration:

         server {
                listen       80 default_server;
                listen       [::]:80 default_server;
                server_name  localhost ;
                root         /usr/share/nginx/html;

                # Load configuration files for the default server block.
                include /etc/nginx/default.d/*.conf;

                 location / {
                proxy_pass https://<your-es-cluster-vpc-endpoint>;
                }
      } 

Note: For proxy_pass, include https in your endpoint. If you don't include the entire endpoint, then you might get an invalid URL prefix in /etc/nginx/nginx.conf:47 error message.

3.    To start the service, run the following command:

$ sudo service nginx start

Access the Kibana or OpenSearch Dashboards

Note: OpenSearch Service supports legacy Elasticsearch domain versions 5.3 and later and uses Kibana dashboard by default. OpenSearch Service versions 1.0 and later use OpenSearch Dashboards.

To access the Kibana or OpenSearch Dashboards endpoint, open your browser and enter one of the following URLs:

http://<ec2-public-ip>/_plugin/kibana

http://<ec2-public-ip>/_dashboards

For clusters with FGAC

For clusters with fine-grained access control (FGAC), you must include an SSL/TLS certificate. To create an SSL/TLS certificate, run the following command:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt

Note: The SSL/TLS certificate is valid for one year. To continue to use this solution after the SSL/TLS certificate expires, delete existing certificates and create a new certificate.

The modified configuration file looks similar to the following example:

server {
    listen 443 ssl;
    listen [::]:443;
    server_name localhost;
    root /usr/share/nginx/html;
    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
     include /etc/nginx/default.d/*.conf;

    location / {
    proxy_pass https://<your-es-cluster-vpc-endpoint>;
     }
}

Related information

How do I use an NGINX proxy to access OpenSearch Dashboards from outside a VPC that's using Amazon Cognito authentication?

AWS OFFICIAL
AWS OFFICIALUpdated 7 months ago