
Amazon OpenSearch setup — IAM policy (the `es:*` on `*` statement below is a test-only example; restrict Action and Resource to the specific domain before using it in production)

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "es:*",
"Resource": "*"
}
]
}

Nginx Setup

# Self-signed certificate for the proxy: 365-day validity, RSA-2048 key written
# without a passphrase (-nodes) so nginx can load it unattended.
openssl req \
  -x509 -nodes \
  -newkey rsa:2048 \
  -days 365 \
  -keyout /etc/nginx/cert.key \
  -out /etc/nginx/cert.crt
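# TLS reverse proxy in front of a VPC-only Amazon OpenSearch domain, exposing
# Kibana under /_plugin/kibana. The upstream hostname appears in proxy_pass,
# proxy_redirect, proxy_cookie_domain and sub_filter; each of those directives
# only matches when the name is spelled identically, so it is written the same
# way throughout (the page used several differently-padded variants). Replace
# vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com with the real endpoint.
server {
    listen 443 ssl;
    # nginx variable names are case-sensitive: $HOST is not a defined variable
    # and nginx rejects the config at load time. $host is the request's Host
    # header. If a literal placeholder was intended here, put the proxy's public
    # DNS name (the Route 53 record) in its place instead.
    server_name $host;
    rewrite ^/$ https://$host/_plugin/kibana redirect;

    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated; offer only 1.2 and 1.3. Drop TLSv1.3 on
    # nginx builds older than 1.13 / OpenSSL older than 1.1.1 if it is rejected.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location ^~ /_plugin/kibana {
        # Forward requests to Kibana
        proxy_pass https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com/_plugin/kibana;

        # Rewrite Location headers that point at the upstream back to this proxy
        proxy_redirect https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com https://$host;

        # Update cookie domain and path. proxy_cookie_domain takes a bare domain
        # name, not a URL: with an "https://" prefix the pattern never matched
        # and the upstream's Set-Cookie domain reached the browser unchanged.
        proxy_cookie_domain vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com $host;
        proxy_cookie_path / /_plugin/kibana/;

        # sub_filter can only rewrite uncompressed bodies, so ask the upstream
        # for identity encoding.
        proxy_set_header Accept-Encoding "";
        sub_filter_types *;
        # Replace absolute upstream URLs in response bodies with the proxy's
        # URL. The replacement keeps the scheme: substituting a bare hostname
        # for "https://..." produced scheme-less, unresolvable links.
        sub_filter https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com https://$host;
        sub_filter_once off;

        proxy_buffering off;
        # Response buffer settings
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    # Login, SAML, error and asset paths the security plugin serves from the
    # domain root rather than under /_plugin/kibana.
    location ~ \/(log|sign|error|fav|forgot|change|confirm) {
        # Forward requests to the OpenSearch domain
        proxy_pass https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com;

        # Rewrite Location headers that point at the upstream back to this proxy
        # (the original listed this same rewrite twice under two comments).
        proxy_redirect https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com https://$host;

        # Update cookie domain
        proxy_cookie_domain vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com $host;
    }
}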
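# Validate the configuration first so a typo in the server block (an unknown
# variable, an unsupported ssl_protocols value) fails here instead of leaving
# the proxy down after start.
nginx -t && systemctl start nginx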

Set up a Route 53 record

Set up the Okta IdP configuration

Single Sign On URL
https://kibana.mydomain.com/_plugin/kibana/_opendistro/_security/saml/acs
Recipient URL
https://vpc-test-domain-xxxxxxxxxxxx.us-east-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs
Destination URL
https://vpc-test-domain-xxxxxxxxxxx.us-east-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs
Audience Restriction
https://vpc-test-domain-xxxxxxxxxxx.us-east-1.es.amazonaws.com <----------- note: must not end with a trailing slash ("/")
