{"id":22039510,"url":"https://github.com/mpolinowski/nginx-node-elasticsearch","last_synced_at":"2026-04-20T09:02:09.744Z","repository":{"id":111483989,"uuid":"82667876","full_name":"mpolinowski/nginx-node-elasticsearch","owner":"mpolinowski","description":"nginx configuration for a multi node.js app server and elasticsearch database","archived":false,"fork":false,"pushed_at":"2018-04-05T07:16:53.000Z","size":145,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-23T13:14:55.965Z","etag":null,"topics":["certbot","elasticsearch","expressjs","firewalld","firewalld-configuration","godaddy","kibana","nginx","nginx-configuration","nodejs","ssl-certificate","tls-sni-01"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mpolinowski.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-21T10:37:34.000Z","updated_at":"2024-11-15T05:56:24.000Z","dependencies_parsed_at":"2023-05-20T17:31:26.486Z","dependency_job_id":null,"html_url":"https://github.com/mpolinowski/nginx-node-elasticsearch","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mpolinowski/nginx-node-elasticsearch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpolinowski%2Fnginx-node-elasticsearch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpolinowski%2Fnginx-node-elasticsearch/tags","releases_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/repositories/mpolinowski%2Fnginx-node-elasticsearch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpolinowski%2Fnginx-node-elasticsearch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mpolinowski","download_url":"https://codeload.github.com/mpolinowski/nginx-node-elasticsearch/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mpolinowski%2Fnginx-node-elasticsearch/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32040353,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-20T00:18:06.643Z","status":"online","status_checked_at":"2026-04-20T02:00:06.527Z","response_time":94,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certbot","elasticsearch","expressjs","firewalld","firewalld-configuration","godaddy","kibana","nginx","nginx-configuration","nodejs","ssl-certificate","tls-sni-01"],"created_at":"2024-11-30T11:11:05.138Z","updated_at":"2026-04-20T09:02:09.728Z","avatar_url":"https://github.com/mpolinowski.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Using NGINX as proxy for your nodejs apps\n**We want to set up NGINX with http/2 to serve multiple node apps and an instance of Elasticsearch on a single centOS server**\n\n\u003c!-- TOC --\u003e\n\n- [Using NGINX as proxy for your nodejs 
apps](#using-nginx-as-proxy-for-your-nodejs-apps)\n  - [1 Useful links](#1-useful-links)\n  - [2 Install Nginx and Adjust the Firewall](#2-install-nginx-and-adjust-the-firewall)\n  - [3 FirewallD](#3-firewalld)\n  - [4 Create a login](#4-create-a-login)\n  - [5 nginx.conf](#5-nginxconf)\n  - [6 virtual.conf](#6-virtualconf)\n  - [7 GoDaddy Certs](#7-godaddy-certs)\n    - [Generate a CSR and Private Key](#generate-a-csr-and-private-key)\n    - [Download your key from GoDaddy](#download-your-key-from-godaddy)\n    - [Install Certificate On Web Server](#install-certificate-on-web-server)\n  - [8 LetsEncrypt and Certbot](#8-letsencrypt-and-certbot)\n    - [Install Certbot on CentOS 7](#install-certbot-on-centos-7)\n    - [Run Certbot](#run-certbot)\n    - [Setting Up Auto Renewal](#setting-up-auto-renewal)\n      - [Systemd](#systemd)\n      - [Cron.d](#crond)\n    - [TLS-SNI-01 challenge Deactivated](#tls-sni-01-challenge-deactivated)\n  - [9 Search Engine Setup and Configuration](#9-search-engine-setup-and-configuration)\n    - [Installing Elasticsearch 6.x on CentOS](#installing-elasticsearch-6x-on-centos)\n      - [Import the Elasticsearch PGP Key](#import-the-elasticsearch-pgp-key)\n    - [Installing from the RPM repository](#installing-from-the-rpm-repository)\n      - [Running Elasticsearch with _systemd_](#running-elasticsearch-with-_systemd_)\n      - [Checking that Elasticsearch is running](#checking-that-elasticsearch-is-running)\n      - [Configuring Elasticsearch](#configuring-elasticsearch)\n    - [Installing Kibana 6.x on CentOS](#installing-kibana-6x-on-centos)\n      - [Running Kibana with _systemd_](#running-kibana-with-_systemd_)\n    - [Install X-Pack](#install-x-pack)\n      - [Elasticsearch Security](#elasticsearch-security)\n      - [Kibana Security](#kibana-security)\n    - [Enabling Anonymous Access](#enabling-anonymous-access)\n\n\u003c!-- /TOC --\u003e\n\n\n## 1 Useful links\n___\n\n* 
[Apache2-Utils](https://kyup.com/tutorials/set-http-authentication-nginx/)\n* [SSL Labs](https://www.ssllabs.com/ssltest/)\n* [Set up NGINX with http/2](https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-with-http-2-support-on-ubuntu-16-04)\n* [Create a self-signed Certificate](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-centos-7/)\n* [How To Secure Nginx with Let's Encrypt on CentOS 7](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7)\n* [Installing Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/current/install-elasticsearch.html)\n* [Installing Kibana](https://www.elastic.co/guide/en/kibana/current/install.html)\n* [Installing X-Pack](https://www.elastic.co/downloads/x-pack)\n\n\n\n## 2 Install Nginx and Adjust the Firewall\n___\n\n* **Step One** — Nginx is not available in CentOS's default repositories - but we can install it from the EPEL (extra packages for Enterprise Linux) repository.\n\n```\n sudo yum install epel-release\n```\n\n* **Step Two** — Next, we can install Nginx.\n\n```\n sudo yum install nginx\n```\n\n* **Step Three** — Start the Nginx service and test it inside your browser http://server_domain_name_or_IP/\n\n```\n sudo systemctl start nginx\n```\n\n* **Step Four** — Check that the service is up and running by typing:\n\n```\n systemctl status nginx\n```\n\n* **Step Five** — You will also want to enable Nginx, so it starts when your server boots:\n\n```\n sudo systemctl enable nginx\n```\n\n\n## 3 FirewallD\n___\n\n* **Step One** — Installation\n\nOpen ports 80 and 443 in [FirewallD](http://www.firewalld.org/)\n\nTo start the service and enable FirewallD on boot:\n\n```\nsudo systemctl start firewalld\nsudo systemctl enable firewalld\n```\n\nTo stop and disable it:\n\n```\nsudo systemctl stop firewalld\nsudo systemctl disable firewalld\n```\n\nCheck the firewall status. 
The output should say either running or not running:\n\n```\nsudo firewall-cmd --state\n```\n\nTo view the status of the FirewallD daemon:\n\n```\nsudo systemctl status firewalld\n```\n\nTo reload a FirewallD configuration:\n\n```\nsudo firewall-cmd --reload\n```\n\n* **Step Two** — Configuration\n\nAdd the http/s rule to the permanent set and reload FirewallD.\n\n```\nsudo firewall-cmd --zone=public --add-service=https --permanent\nsudo firewall-cmd --zone=public --add-service=http --permanent\nsudo firewall-cmd --reload\n```\n\nAllow traffic / block traffic over ports:\n\n```\nsudo firewall-cmd --zone=public --add-port=12345/tcp --permanent\nsudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent\n```\n\nVerify open ports:\n\n```\nfirewall-cmd --list-ports\n```\n\nCheck the firewall status:\n\n```\nsudo firewall-cmd --state\n```\n\nTo view the status of the FirewallD daemon:\n\n```\nsudo systemctl status firewalld\n```\n\nTo reload a FirewallD configuration:\n\n```\nsudo firewall-cmd --reload\n```\n\n\n\n\n## 4 Create a login\n___\n\n```\nsudo htpasswd -c /etc/nginx/.htpasswd USERNAME\nNew password: xxxxxxxxx\nRe-type new password: xxxxxxxxx\n```\n\n\n## 5 nginx.conf\n\n/etc/nginx/nginx.conf\n\n```nginx\nuser nginx;\nworker_processes 8;\nerror_log /var/log/nginx/error.log;\npid /run/nginx.pid;\n\nevents {\n    worker_connections 1024;\n}\n\nhttp {\n    log_format  main  '$remote_addr - $remote_user [$time_local] \"$request\" '\n                      '$status $body_bytes_sent \"$http_referer\" '\n                      '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n\n    access_log  /var/log/nginx/access.log  main;\n\n    sendfile            on;\n    tcp_nopush          on;\n    tcp_nodelay         on;\n    keepalive_timeout   65;\n    types_hash_max_size 2048;\n\tgzip on;\n\tgzip_vary on;\n\tgzip_proxied any;\n\tgzip_comp_level 6;\n\tgzip_buffers 16 8k;\n\tgzip_http_version 1.1;\n\tgzip_types text/plain text/css application/json 
application/x-javascript text/xml application/xml application/xml+rss text/javascript;\n\n    include             /etc/nginx/mime.types;\n    default_type        application/octet-stream;\n\n    # Load modular configuration files from the /etc/nginx/conf.d directory.\n    # See http://nginx.org/en/docs/ngx_core_module.html#include\n    # for more information.\n    include /etc/nginx/conf.d/*.conf;\n\t# include /etc/nginx/sites-enabled/*;\n\n\t# Hide nginx version token\n\tserver_tokens off;\n\n\t# Configure buffer sizes\n\tclient_body_buffer_size 16k;\n\tclient_header_buffer_size 1k;\n\tclient_max_body_size 8m;\n\tlarge_client_header_buffers 4 8k;\n\n}\n```\n\n\n## 6 virtual.conf\n\n/etc/nginx/conf.d/virtual.conf\n\nSet up virtual server instances for our 2 node/express apps, Elasticsearch and Kibana.\n\n```nginx\n# redirect http/80 traffic to https/443 for our node apps\nserver {\n       listen         80;\n       listen    [::]:80;\n       server_name    example.de example2.de;\n       # $host keeps the domain the client asked for; $server_name would always\n       # resolve to the first name listed above and send example2.de to example.de\n       return         301 https://$host$request_uri;\n}\n\n# point to our first node app that is running on port 8888 and accept calls over https://example.de:443\nupstream myApp_en {\n\t# point to the running node\n\tserver 127.0.0.1:8888;\n}\n\nserver {\n\t# users using this port and domain will be directed to the node app defined above\n\t# listen 80 default_server;\n\t# listen [::]:80 default_server ipv6only=on;\n\tlisten 443 ssl http2 default_server;\n\tlisten [::]:443 ssl http2 default_server;\n\t# If you want to run more than one node app, they either have to be assigned different web domains (server_name) or ports!\n\tserver_name example.de;\n\n\t# Adding the SSL Certificates\n    ssl_prefer_server_ciphers on;\n\tssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;\n\tssl_dhparam /etc/nginx/ssl/dhparam.pem;\n\tssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;\n\tssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;\n\n\t# 
set the default public directory for your node\n\troot /opt/myApp_en/build/public;\n\n\t# Optimizing Nginx for Best Performance\n\tssl_session_cache shared:SSL:5m;\n    ssl_session_timeout 1h;\n\n\tlocation / {\n    \tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n    \tproxy_set_header Host $http_host;\n    \tproxy_set_header X-NginX-Proxy true;\n    \tproxy_http_version 1.1;\n    \tproxy_set_header Upgrade $http_upgrade;\n    \tproxy_set_header Connection \"upgrade\";\n    \tproxy_max_temp_file_size 0;\n\t\tproxy_pass http://myApp_en;\n    \tproxy_redirect off;\n    \tproxy_read_timeout 240s;\n\t\t# Authentication can be activated during development\n\t\t# auth_basic \"Username and Password are required\";\n\t\t# the user login has to be generated\n\t\t# auth_basic_user_file /etc/nginx/.htpasswd;\n\t}\n\n\t# use NGINX to cache static resources that are requested regularly\n\tlocation ~* \\.(css|js|jpg|png|ico)$ {\n\t\texpires 168h;\n\t}\n}\n\n\n# point to our second node app that is running on port 8484 and accept calls over https://example2.de:443\nupstream myApp_de {\n\t# point to the second running node\n\tserver 127.0.0.1:8484;\n}\n\nserver {\n\t# users using this port and domain will be directed to the second node app\n\t# listen 80;\n\t# listen [::]:8080 ipv6only=on;\n\tlisten 443 ssl http2;\n\t# The IPv6 address is unique - only one app can use the default port 443!\n\tlisten [::]:444 ssl http2;\n\tserver_name example2.de;\n\n\t# adding the SSL Certificates\n    ssl_prefer_server_ciphers on;\n\tssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;\n\tssl_dhparam /etc/nginx/ssl/dhparam.pem;\n\tssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;\n\tssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;\n\n\t# set the default public directory for your second node\n\troot /opt/myApp_de/build/public;\n\n\t# optimizing Nginx for Best Performance\n\tssl_session_cache shared:SSL:5m;\n    
ssl_session_timeout 1h;\n\n\tlocation / {\n    \tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n    \tproxy_set_header Host $http_host;\n    \tproxy_set_header X-NginX-Proxy true;\n    \tproxy_http_version 1.1;\n    \tproxy_set_header Upgrade $http_upgrade;\n    \tproxy_set_header Connection \"upgrade\";\n    \tproxy_max_temp_file_size 0;\n\t\tproxy_pass http://myApp_de;\n    \tproxy_redirect off;\n    \tproxy_read_timeout 240s;\n\t\t# auth_basic \"Username and Password are required\";\n\t\t# auth_basic_user_file /etc/nginx/.htpasswd;\n\t}\n\n\t# use NGINX to cache static resources that are requested regularly\n\tlocation ~* \\.(css|js|jpg|png|ico)$ {\n\t\texpires 168h;\n\t}\n}\n\n\n# point to our Elasticsearch database that is running on port 9200 and accept calls over 8080\nupstream elasticsearch {\n\t# point to the running Elasticsearch node\n\tserver 127.0.0.1:9200;\n}\n\nserver {\n\t# users using this port will be directed to Elasticsearch\n\t# note: this listener is plain HTTP, so the basic-auth credentials cross the network\n\t# unencrypted - keep port 8080 closed in FirewallD unless it is needed from outside\n\tlisten 8080;\n\tlisten [::]:8080 ipv6only=on;\n\tserver_name SERVER_IP_ADDRESS;\n\n\tlocation / {\n    \tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n    \tproxy_set_header Host $http_host;\n    \tproxy_set_header X-NginX-Proxy true;\n    \tproxy_http_version 1.1;\n    \tproxy_set_header Upgrade $http_upgrade;\n    \tproxy_set_header Connection \"upgrade\";\n    \tproxy_max_temp_file_size 0;\n\t\tproxy_pass http://elasticsearch;\n    \tproxy_redirect off;\n    \tproxy_read_timeout 240s;\n\t\tauth_basic \"Username and Password are required\";\n\t\tauth_basic_user_file /etc/nginx/.htpasswd;\n\t}\n\n}\n\n# point to our Kibana instance that is running on port 5601 and accept calls over 8181\nserver {\n\t# users using this port will be directed to Kibana (same plain-HTTP caveat as the Elasticsearch block above)\n\tlisten 8181;\n\tlisten [::]:8181 ipv6only=on;\n\n\tserver_name SERVER_IP_ADDRESS;\n\n\tauth_basic \"Restricted Access\";\n\tauth_basic_user_file /etc/nginx/.htpasswd;\n\n\tlocation / {\n    \tproxy_pass http://localhost:5601;\n     
   proxy_http_version 1.1;\n        proxy_set_header Upgrade $http_upgrade;\n        proxy_set_header Connection 'upgrade';\n        proxy_set_header Host $host;\n        proxy_cache_bypass $http_upgrade;\n\t}\n\n}\n```\n\n\n## 7 GoDaddy Certs\n\nWhen you order a wildcard certificate from GoDaddy, you will receive two files: your SSL certificate with a random name (e.g. 93rfs8dhf834hts.crt) and the GoDaddy intermediate certificate bundle (gd_bundle-g2-g1.crt). Let's install them on our server.\n\n\n### Generate a CSR and Private Key\n\nCreate a folder to put all our ssl certificates:\n\n```\nmkdir /etc/nginx/ssl\ncd /etc/nginx/ssl\n```\n\nGenerate our private key, called example.com.key, and a CSR, called example.com.csr:\n\n```\nopenssl req -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr\n```\n\nAt this point, you will be prompted for several lines of information that will be included in your certificate request. The most important part is the Common Name field, which should match the name that you want to use your certificate with — for example, example.com, www.example.com, or (for a wildcard certificate request) [STAR].example.com.\n\n\n### Download your key from GoDaddy\n\nThe files you receive will look something like this:\n\n- 93rfs8dhf834hts.crt\n- gd_bundle-g2-g1.crt\n\nUpload both to the /etc/nginx/ssl directory and rename the first one to your domain name: example.com.crt\n\n\n### Install Certificate On Web Server\n\nYou can use the following command to create a combined file from both GoDaddy files called example.com.chained.crt:\n\n```\ncat example.com.crt gd_bundle-g2-g1.crt \u003e example.com.chained.crt\n```\n\nAnd now you should change the access permission to this folder:\n\n```\ncd /etc/nginx\nsudo chmod -R 600 ssl/\n```\n\nTo complete the configuration you have to make sure your NGINX config points to the right cert file and to the private key you generated earlier. 
Add the following lines inside the server block of your NGINX config:\n\n```nginx\n# adding the SSL Certificates\n  ssl_prefer_server_ciphers on;\n  ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;\n\tssl_certificate /etc/nginx/ssl/example.com.chained.crt;\n\tssl_certificate_key /etc/nginx/ssl/example.com.key;\n```\n\nAlways test your configuration first:\n\n```\nnginx -t\n```\n\nand then reload:\n\n```\nservice nginx reload\n```\n\n\n## 8 LetsEncrypt and Certbot\n\n### Install Certbot on CentOS 7\n\n**yum install certbot-nginx**\n\n```\nDependencies Resolved\n\n==============================================================================================\n Package                         Arch             Version                Repository      Size\n==============================================================================================\nInstalling:\n python2-certbot-nginx           noarch           0.14.1-1.el7           epel            52 k\nInstalling for dependencies:\n pyparsing                       noarch           1.5.6-9.el7            base            94 k\n\nTransaction Summary\n==============================================================================================\nInstall  1 Package (+1 Dependent package)\n\nComplete!\n```\n\n### Run Certbot\n\n**certbot --nginx -d wiki.instar.fr**\n\n```\nSaving debug log to /var/log/letsencrypt/letsencrypt.log\nEnter email address (used for urgent renewal and security notices) (Enter 'c' to\ncancel):\n```\n\n**myemail@email.com**\n```\n-------------------------------------------------------------------------------\nPlease read the Terms of Service at\nhttps://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. 
You must agree\nin order to register with the ACME server at\nhttps://acme-v01.api.letsencrypt.org/directory\n-------------------------------------------------------------------------------\n```\n\n**(A)gree/(C)ancel: A**\n\n```\nStarting new HTTPS connection (1): supporters.eff.org\nObtaining a new certificate\nPerforming the following challenges:\ntls-sni-01 challenge for wiki.instar.fr\nWaiting for verification...\nCleaning up challenges\nDeployed Certificate to VirtualHost /etc/nginx/conf.d/virtual.conf for set(['wiki.instar.fr'])\n\nPlease choose whether HTTPS access is required or optional.\n-------------------------------------------------------------------------------\n1: Easy - Allow both HTTP and HTTPS access to these sites\n2: Secure - Make all requests redirect to secure HTTPS access\n-------------------------------------------------------------------------------\nSelect the appropriate number [1-2] then [enter] (press 'c' to cancel): 2\nThe appropriate server block is already redirecting traffic. To enable redirect anyway, uncomment the redirect lines in /etc/nginx/conf.d/virtual.conf.\n-------------------------------------------------------------------------------\nCongratulations! You have successfully enabled https://wiki.instar.fr\n-------------------------------------------------------------------------------\n```\n\n```\nIMPORTANT NOTES:\n - Congratulations! Your certificate and chain have been saved at\n   /etc/letsencrypt/live/wiki.instar.fr/fullchain.pem. Your cert will\n   expire on 2017-12-13. To obtain a new or tweaked version of this\n   certificate in the future, simply run certbot again with the\n   \"certonly\" option. To non-interactively renew *all* of your\n   certificates, run \"certbot renew\"\n - Your account credentials have been saved in your Certbot\n   configuration directory at /etc/letsencrypt. You should make a\n   secure backup of this folder now. 
This configuration directory will\n   also contain certificates and private keys obtained by Certbot so\n   making regular backups of this folder is ideal.\n```\n\n### Setting Up Auto Renewal\n\n\n#### Systemd\n\nGo to _/etc/systemd/system/_ and create the following two files\n\n_certbot-nginx.service_\n```\n[Unit]\nDescription=Renew Certbot certificates (nginx)\nAfter=network-online.target\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/certbot-2 renew --deploy-hook \"systemctl reload nginx\"\n```\n\n_certbot-nginx.timer_\n```\n[Unit]\nDescription=Renew Certbot certificate (nginx)\n\n[Timer]\nOnCalendar=daily\nPersistent=true\nRandomizedDelaySec=86400\n\n[Install]\nWantedBy=multi-user.target\n```\n\nNow activate the service\n\n```\n$ systemctl daemon-reload\n$ systemctl start certbot-nginx.service  # to run manually\n$ systemctl enable --now certbot-nginx.timer  # to use the timer\n```\n\n\n#### Cron.d\n\nAdd Certbot renewal to Cron.d in /etc/cron.d - we want to run it twice daily at 13:22 and 04:17:\n\n```\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n\n17 4 * * * /usr/bin/certbot-2 renew --quiet\n22 13 * * * /usr/bin/certbot-2 renew --quiet\n```\n\n### TLS-SNI-01 challenge Deactivated\n\nIf you are receiving the following error when trying to add a certificate to your domain:\n\n```\nClient with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.\n```\n\nFollow the Instructions given [here](https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983) and if you’re serving files for that 
domain out of a directory on that server, you can run the following command:\n\n```\nsudo certbot --authenticator webroot --webroot-path \u003cpath to served directory\u003e --installer nginx -d \u003cdomain\u003e\n```\n\nIf you’re not serving files out of a directory on the server, you can temporarily stop your server while you obtain the certificate and restart it after Certbot has obtained the certificate. This would look like:\n\n```\nsudo certbot --authenticator standalone --installer nginx -d \u003cdomain\u003e --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"\n```\n\ne.g.\n\n1. Create your virtual server conf - the config below routes a node/express app running on localhost:7777 with a public directory in /opt/mysite-build/app :\n\n```nginx\nserver {\n       listen         80;\n       listen    [::]:80;\n       server_name    my.domain.com;\n       return         301 https://$server_name$request_uri;\n}\n\nupstream app_test {\n\t# point to the running node\n\tserver 127.0.0.1:7777;\n}\n\nserver {\n\tlisten 443 ssl http2;\n\tlisten [::]:443 ssl http2;\n\tserver_name my.domain.com;\n\t\n\t# set the default public directory for your node\n\troot /opt/mysite-build/app;\n\t\n\t# Optimizing Nginx for Best Performance\n\tssl_session_cache shared:SSL:5m;\n    ssl_session_timeout 1h;\n\t\n\tlocation / {\n    \tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n    \tproxy_set_header Host $http_host;\n    \tproxy_set_header X-NginX-Proxy true;\n    \tproxy_http_version 1.1;\n    \tproxy_set_header Upgrade $http_upgrade;\n    \tproxy_set_header Connection \"upgrade\";\n    \tproxy_max_temp_file_size 0;\n\t\t# must match the upstream name defined above\n\t\tproxy_pass http://app_test;\n    \tproxy_redirect off;\n    \tproxy_read_timeout 240s;\n\t}\n\t\n\t# use NGINX to cache static resources that are requested regularly\n\tlocation ~* \\.(css|js|jpg|png|ico)$ {\n\t\texpires 168h;\n\t}\n\n}\n```\n\nTest your site by opening my.domain.com inside your browser - you should be 
automatically redirected to https://my.domain.com and be given a certificate warning. Click to proceed anyway to access your site.\n\nNow run:\n\n```\nsudo certbot --authenticator webroot --webroot-path /opt/mysite-build/app --installer nginx -d my.domain.com\n```\n\ncertbot will modify your NGINX config automatically!\n\n\n## 9 Search Engine Setup and Configuration\n\n### Installing Elasticsearch 6.x on CentOS\n\nElasticsearch is a distributed, JSON-based search and analytics engine designed for horizontal scalability, maximum reliability, and easy management.\n\n#### Import the Elasticsearch PGP Key\n\n```\nrpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch\n```\n\n### Installing from the RPM repository\n\nCreate a file called elasticsearch.repo in the _/etc/yum.repos.d/_ directory and add the following lines:\n\n```\n[elasticsearch-6.x]\nname=Elasticsearch repository for 6.x packages\nbaseurl=https://artifacts.elastic.co/packages/6.x/yum\ngpgcheck=1\ngpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch\nenabled=1\nautorefresh=1\ntype=rpm-md\n```\n\nAnd your repository is ready for use. You can now install Elasticsearch with the following command:\n\n```\nsudo yum install elasticsearch\n```\n\n#### Running Elasticsearch with _systemd_\n\nTo configure Elasticsearch to start automatically when the system boots up, run the following commands:\n\n```\nsudo /bin/systemctl daemon-reload\nsudo /bin/systemctl enable elasticsearch.service\n```\n\nApparently there is no way to quietly reload the Elasticsearch service after changing the config file - you will be required to stop and restart instead:\n\n```\nsudo systemctl stop elasticsearch.service\nsudo systemctl start elasticsearch.service\n```\n\nThese commands provide no feedback as to whether Elasticsearch was started successfully or not. 
Instead, this information will be written in the log files located in /var/log/elasticsearch/.\n\n#### Checking that Elasticsearch is running\n\nYou can test that your Elasticsearch node is running by sending an HTTP request to port 9200 on localhost:\n\n```\ncurl -XGET 'localhost:9200/?pretty'\n```\n\n```\nhttp://localhost:9200/_cat/indices?v\u0026pretty\n```\n\n#### Configuring Elasticsearch\n\nElasticsearch loads its configuration from the _/etc/elasticsearch/elasticsearch.yml_ file by default. Examples:\n\n* __cluster.name:__ e.g. _instar-wiki_\n* __node.name:__ e.g. _c21_\n* __node.attr.rack:__ e.g. _r44_\n* __path.data:__ _/path/to/data_\n* __path.logs:__ _/path/to/logs_\n* __network.host:__ _localhost_ [see config](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html#network-interface-values) __*__\n* __http.port:__ _9200_\n* __http.cors:__ _enabled:_ true , _allow-origin:_ /https?:\\/\\/localhost(:[0-9]+)?/, _allow-origin:_ /https?:\\/\\/localhost(:[0-9][0-9][0-9][0-9])?/\n\n__*__ _e.g. network.host: 127.0.0.1, 192.168.1.200, 7.114.21.49_\n\n\nThe RPM places config files, logs, and the data directory in the appropriate locations for an RPM-based system:\n\n| Type | Description | Default Location | Setting |\n|---|---|---|---|\n| home | Elasticsearch home directory or $ES_HOME | _/usr/share/elasticsearch_ |  |\n| bin | Binary scripts including elasticsearch to start a node and elasticsearch-plugin to install plugins | _/usr/share/elasticsearch/bin_ |   |\n| conf | Configuration files including elasticsearch.yml | _/etc/elasticsearch_ | ES_PATH_CONF |\n| conf | Environment variables including heap size, file descriptors. | _/etc/sysconfig/elasticsearch_ |   |\n| data | The location of the data files of each index / shard allocated on the node. Can hold multiple locations. | _/var/lib/elasticsearch_ | path.data |\n| logs | Log files location. | _/var/log/elasticsearch_ | path.logs |\n| plugins | Plugin files location. 
Each plugin will be contained in a subdirectory. | _/usr/share/elasticsearch/plugins_ |   |\n\n\n### Installing Kibana 6.x on CentOS\n\nKibana gives shape to your data and is the extensible user interface for configuring and managing all aspects of the Elastic Stack.\n\nCreate a file called kibana.repo in the _/etc/yum.repos.d/_ directory and add the following lines:\n\n```\n[kibana-6.x]\nname=Kibana repository for 6.x packages\nbaseurl=https://artifacts.elastic.co/packages/6.x/yum\ngpgcheck=1\ngpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch\nenabled=1\nautorefresh=1\ntype=rpm-md\n```\n\nAnd your repository is ready for use. You can now install Kibana with the following command:\n\n```\nsudo yum install kibana\n```\n\n\n#### Running Kibana with _systemd_\n\nTo configure Kibana to start automatically when the system boots up, run the following commands:\n\n```\nsudo /bin/systemctl daemon-reload\nsudo /bin/systemctl enable kibana.service\n```\n\nKibana can be started and stopped as follows:\n\n```\nsudo systemctl stop kibana.service\nsudo systemctl start kibana.service\n```\n\nThese commands provide no feedback as to whether Kibana was started successfully or not. Instead, this information will be written in the log files located in _/var/log/kibana/_. Kibana loads its configuration from the _/etc/kibana/kibana.yml_ file by default. Examples:\n\n\n* __elasticsearch.url:__ Default: _http://localhost:9200_ The URL of the Elasticsearch instance to use for all your queries.\n* __server.port:__ Server port for the Kibana web UI - _default 5601_\n* __server.host:__ Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. The default is _localhost_, which usually means remote machines will not be able to connect. To allow connections from remote users, set this parameter to a non-loopback address.\n* __console.enabled:__  Default: true Set to false to disable Console.\n* __elasticsearch.username:__ s. 
below\n* __elasticsearch.password:__ If your Elasticsearch is protected with basic authentication, these settings provide the username and password that the Kibana server uses to perform maintenance on the Kibana index at startup. Your Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server. (see X-Pack below)\n* __server.ssl.enabled:__ Default: \"false\" Enables SSL for outgoing requests from the Kibana server to the browser. When set to true, server.ssl.certificate and server.ssl.key are required\n* __server.ssl.certificate:__ s. below\n* __server.ssl.key:__ Paths to the PEM-format SSL certificate and SSL key files, respectively.\n* __server.ssl.certificateAuthorities:__ List of paths to PEM encoded certificate files that should be trusted.\n* __server.ssl.cipherSuites:__ Default: _ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA_. Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT)\n* __server.ssl.keyPassphrase:__ The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.\n* __server.ssl.redirectHttpFromPort:__ Kibana will bind to this port and redirect all http requests to https over the port configured as server.port.\n* __server.ssl.supportedProtocols:__ _Default_: TLSv1, TLSv1.1, TLSv1.2 Supported protocols with versions. 
Valid protocols: TLSv1, TLSv1.1, TLSv1.2\n* __status.allowAnonymous:__ Default: _false_. If authentication is enabled, setting this to true allows unauthenticated users to access the Kibana server status API and status page.\n\n\n\n| Type | Description | Default Location | Setting |\n|---|---|---|---|\n| home | Kibana home directory or $KIBANA_HOME | _/usr/share/kibana_ |  |\n| bin | Binary scripts including kibana to start the Kibana server and kibana-plugin to install plugins | _/usr/share/kibana/bin_ |   |\n| config | Configuration files including kibana.yml | _/etc/kibana_ | |\n| data | The location of the data files written to disk by Kibana and its plugins | _/var/lib/kibana_ | path.data |\n| optimize | Transpiled source code. Certain administrative actions (e.g. plugin install) result in the source code being retranspiled on the fly. | _/usr/share/kibana/optimize_ | |\n| plugins | Plugin files location. Each plugin will be contained in a subdirectory. | _/usr/share/kibana/plugins_ |   |\n\n\n### Install X-Pack\n\nX-Pack is a single extension that integrates handy features — security, alerting, monitoring, reporting, graph exploration, and machine learning — you can trust across the Elastic Stack.\n\n#### Elasticsearch Security\n\nWe need to add user authentication to our Elasticsearch / Kibana setup. We will do this by installing X-Pack. To get started with installing the Elasticsearch plugin, go to _/etc/elasticsearch/_ and run the following command:\n\n```\nbin/elasticsearch-plugin install x-pack\n```\n\nNow restart Elasticsearch:\n\n```\nsudo systemctl stop elasticsearch.service\nsudo systemctl start elasticsearch.service\n```\n\nYou can either use the _auto_ mode to generate user passwords for Elasticsearch, Kibana (and the not yet installed Logstash):\n\n```\nbin/x-pack/setup-passwords auto\n```\n\nor swap the _auto_ flag with _interactive_ to set your own user logins. 
The auto output will look something like this:\n\n```\nChanged password for user kibana\nPASSWORD kibana = *\u0026$*(80gfddzg\n\nChanged password for user logstash_system\nPASSWORD logstash_system = 58#$)Qljfksh\n\nChanged password for user elastic\nPASSWORD elastic = jgfisg)#*%\u0026(@*#)\n```\n\n__Now every interaction with Elasticsearch or Kibana will require you to authenticate with _username: elastic_ and _password: jgfisg)#*%\u0026(@*#)___\n\n\n#### Kibana Security\n\nNow we repeat these steps for Kibana. First navigate to _/etc/kibana/_ and run the following command:\n\n```\nbin/kibana-plugin install x-pack\n```\n\nThen we have to add the login that Kibana uses to access Elasticsearch (auto-generated above) to the _kibana.yml_ file in _/etc/kibana/_:\n\n```\nelasticsearch.username: \"kibana\"\nelasticsearch.password: \"*\u0026$*(80gfddzg\"\n```\n\nNow restart Kibana:\n\n```\nsudo systemctl stop kibana.service\nsudo systemctl start kibana.service\n```\n\nNow point your browser at _http://localhost:5601/_ and log in with the \"elastic\" user we generated above.\n\n\n### Enabling Anonymous Access\n\nIncoming requests are considered to be anonymous if no authentication token can be extracted from the incoming request. By default, anonymous requests are rejected and an authentication error is returned (status code 401). To allow anonymous users to send search queries (read access to specified indices), we need to add the following lines to the _elasticsearch.yml_ file in _/etc/elasticsearch/_:\n\n```\nxpack.security.authc:\n  anonymous:\n    username: anonymous_user\n    roles: wiki_reader\n    authz_exception: true\n```\n\nNow we have to switch to the Kibana web UI on _http://localhost:5601/_ and create the role *wiki_reader* to allow read access to the wiki indices. 
First switch to the __Management__ tab and click on __Users__:\n\n![Add an Elasticsearch User with Read Access](./kibana_01.png)\n\n\nThen click on __Add a User__ and add a user with the __watcher_user__ role:\n\n![Add an Elasticsearch User with Read Access](./kibana_02.png)\n\n\nSwitch back to the __Management__ tab and click on __Roles__:\n\n![Add an Elasticsearch User with Read Access](./kibana_03.png)\n\n\nClick on __Create Role__ and add the name **wiki_reader** that we chose for the role of the anonymous user inside the elasticsearch.yml file, assign the **monitor_watcher** privilege and choose the indices that you want the anonymous user to have __READ__ access to:\n\n![Add an Elasticsearch User with Read Access](./kibana_04.png)\n\n\nYour configuration will be active after restarting Elasticsearch. Now you can use web services to read from your ES database, but only the __elastic__ user has the privilege to __WRITE__ and to work in Kibana.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmpolinowski%2Fnginx-node-elasticsearch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmpolinowski%2Fnginx-node-elasticsearch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmpolinowski%2Fnginx-node-elasticsearch/lists"}