Deployment Overview of Kibana on Server¶

Prerequisites and Basic Requirements¶

The deployment requires a Linux server running Ubuntu with root privileges. The system must have network access to download packages from the Elastic repository and external resources for SSL certificate generation.

The following components and versions are installed:

Operating System: Ubuntu (specific version not restricted, requires apt package manager)
Software Versions:
Kibana: 8.18.3
Elasticsearch: 8.18.3
Nginx: Latest available version
Certbot: Latest available version
Dependencies: curl, gnupg, software-properties-common, unzip, ufw

Access URL and Domain Configuration¶

The application is accessible via a dynamic domain name formatted based on the server identifier. The final URL structure is:

<prefix><server_id>.hostkey.in:<port>

Based on the configuration variables:

Domain Zone: hostkey.in
Prefix: kibana
Accessible Address: kibana<ServerID>.hostkey.in
Protocol: HTTPS (Port 443)
Internal Kibana Port: 5601

File and Directory Structure¶

The deployment creates specific directories for configuration, logs, certificates, and data storage.

Component	Directory Path	Description
Elasticsearch Logs	`/usr/share/elasticsearch/logs`	Application logs for Elasticsearch
Elasticsearch Data	`/var/lib/elasticsearch`	Index data storage
Elasticsearch Certificates	`/etc/elasticsearch/certs`	SSL certificates and keys for Elasticsearch
Kibana Certificates	`/etc/kibana`	CA certificate for Kibana connection
Nginx Configuration	`/etc/nginx/sites-available/kibana<ServerID>.hostkey.in`	Nginx site configuration
Certbot SSL Certificates	`/etc/letsencrypt/live/kibana<ServerID>.hostkey.in/`	Let's Encrypt SSL files
Certbot Web Root	`/var/www/certbot`	Directory used by Certbot for validation
Docker Proxy Directory	`/root/kibana-nginx-proxy`	Directory for Nginx Docker Compose files
Credentials File	`/root/.kibana_passwords`	Stored user credentials

Application Installation Process¶

The installation process involves installing system dependencies, adding the Elastic GPG key and repository, and installing specific versions of Elasticsearch and Kibana via the APT package manager.

Dependencies: Packages apt-transport-https, curl, gnupg, software-properties-common, and unzip are installed.
Repository Setup: The GPG key from https://artifacts.elastic.co/GPG-KEY-elasticsearch is added, followed by the repository deb https://artifacts.elastic.co/packages/8.x/apt stable main.
Elasticsearch Installation:
- Installed version: 8.18.3
- Service enabled and started automatically.
Kibana Installation:
- Installed version: 8.18.3
- Service enabled and started automatically.
Certificate Generation:
- A Certificate Authority (CA) is generated locally.
- Node-specific certificates are generated with DNS SANs for localhost and IP 127.0.0.1.
- Certificates are placed in /etc/elasticsearch/certs and /etc/kibana.

Access Rights and Security¶

Security is enforced through SSL/TLS encryption, firewall rules, and user-specific service accounts.

SSL/TLS:
Elasticsearch communicates over HTTPS on localhost:9200.
Kibana communicates with Elasticsearch over HTTPS.
External access is secured via Nginx acting as a reverse proxy with SSL termination.
Firewall (UFW):
The Uncomplicated Firewall (ufw) is installed and enabled.
Allowed incoming TCP ports: 22 (SSH), 80 (HTTP), 443 (HTTPS), 5601 (Kibana), 9200 (Elasticsearch).
Users and Passwords:
System services run as elasticsearch and kibana users.
Initial credentials for elastic and kibana_system users are set using the SSH password ({{ ansible_ssh_pass }}).
Credentials are stored in /root/.kibana_passwords.

Databases¶

The application uses Elasticsearch as its primary data store and search engine.

Connection Method: Local HTTPS connection.
Connection String: https://localhost:9200
Authentication:
Username: kibana_system
Password: Set to the SSH password used during deployment.
SSL Verification: Enabled using the CA certificate located at /etc/kibana/ca.crt.
Storage Location: Data is stored in /var/lib/elasticsearch.
Configuration Settings:
Cluster Name: elastic-cluster
Node Name: elastic-node-1
Discovery Type: single-node
Disk Watermarks:
- Low: 85%
- High: 90%
- Flood Stage: 95%

Docker Containers and Their Deployment¶

A Docker container is utilized specifically for running the Nginx reverse proxy with SSL support.

Directory: /root/kibana-nginx-proxy
Compose File: compose.yml
Service Details:
Container Name: Defined dynamically in the template.
Image: nginx:latest
Network Mode: host
Ports: 80:80, 443:443
Restart Policy: always
Volumes:
Nginx configuration mounted at /etc/nginx/conf.d/.
Let's Encrypt certificates mounted at /etc/letsencrypt/.
Certbot web root mounted at /var/www/certbot.
Deployment Command: Executed via docker compose up -d within the project directory.

Proxy Servers¶

Nginx is deployed as a reverse proxy to handle external traffic and SSL termination. It is configured to redirect all HTTP traffic (Port 80) to HTTPS (Port 443).

SSL Provider: Let's Encrypt (Certbot)
Certificate Location: /etc/letsencrypt/live/kibana<ServerID>.hostkey.in/
Nginx Configuration Path: /etc/nginx/sites-available/kibana<ServerID>.hostkey.in
Proxy Settings:
Upstream: http://localhost:5601 (Kibana)
Headers:
- Host: Passed as $host
- X-Real-IP: Passed as $remote_addr
- X-Forwarded-For: Passed as $proxy_add_x_forwarded_for
- X-Forwarded-Proto: Passed as $scheme
ACME Challenge: Handled via the /.well-known/acme-challenge/ location pointing to /var/www/certbot.

Permission Settings¶

File and directory permissions are strictly set to ensure security and proper service operation.

Elasticsearch Directories:
/usr/share/elasticsearch/logs: 0755, owned by elasticsearch:elasticsearch.
/etc/elasticsearch/certs: 0750, owned by elasticsearch:elasticsearch.
Certificate files: Private keys (*.key) set to 0600, certificates (*.crt) set to 0640.
Kibana Directories:
/etc/kibana: 0750, owned by kibana:kibana.
Configuration file /etc/kibana/kibana.yml: 0640, owned by kibana:kibana.
Nginx Configuration:
Site config: 0644, owned by root:root.
Credentials File:
/root/.kibana_passwords: 0600, readable only by root.

Location of Configuration Files and Data¶

The primary configuration files and data paths are as follows:

Elasticsearch Configuration: /etc/elasticsearch/elasticsearch.yml
Kibana Configuration: /etc/kibana/kibana.yml
Nginx Site Configuration: /etc/nginx/sites-available/kibana<ServerID>.hostkey.in
Docker Compose File: /root/kibana-nginx-proxy/compose.yml
Elasticsearch Data: /var/lib/elasticsearch
Kibana Logs: /var/log/kibana/kibana.log
Elasticsearch Logs: /usr/share/elasticsearch/logs

Available Ports for Connection¶

The following TCP ports are open and utilized by the system components:

22: SSH Access
80: HTTP (Nginx - Redirects to HTTPS)
443: HTTPS (Nginx - Main Application Access)
5601: Kibana (Internal only, proxied via Nginx)
9200: Elasticsearch (Internal only, HTTPS)

Starting, Stopping, and Updating¶

Service management for the core applications is handled via systemd. The Docker proxy is managed via docker compose.

Elasticsearch Service:
Start: systemctl start elasticsearch
Stop: systemctl stop elasticsearch
Restart: systemctl restart elasticsearch
Enable on Boot: systemctl enable elasticsearch
Kibana Service:
Start: systemctl start kibana
Stop: systemctl stop kibana
Restart: systemctl restart kibana
Enable on Boot: systemctl enable kibana
Nginx Service:
Restart: systemctl restart nginx
Check Syntax: nginx -t
Docker Proxy (Nginx Container):
Start/Stop/Restart: docker compose up -d / docker compose down
Command execution directory: /root/kibana-nginx-proxy