
Secure and Customize Kibana in One Click with INFINI Gateway

The article explains why exposing Kibana without protection is risky, then shows how to use INFINI Gateway to add Basic Auth, TLS encryption, and flexible routing rules—without changing Kibana itself—providing step‑by‑step configuration, validation screenshots, and ideas for further customization.

Mingyi World Elasticsearch

Why Add a Proxy and Security to Kibana?

Kibana visualizes Elasticsearch data, and if access control is not configured, anyone can view or modify the data. Many teams run older or default‑configured Kibana without TLS or authentication, leaving it exposed on public or internal networks.

Risk: Unrestricted Access to Your Analyses

Unauthenticated users can read or modify indices, dashboards, and other resources, causing data leakage or accidental deletions.

Development or test environments often skip security, and the same configuration may be promoted to production, carrying the vulnerability.

Solution Idea: Use a Gateway as a Protective Shell

INFINI Gateway can quickly add the following to Kibana at the gateway layer:

Authentication (Basic Auth)

TLS Encryption (HTTPS)

Custom replacement and routing rules

This works for old Kibana versions without modifying Kibana itself.

What Problems Does This Solve? Use Cases

Rapid Security Hardening

Whether you run an old Kibana or multiple versions, the gateway can add username/password and HTTPS in one step.

Even if Kibana lacks built‑in security, the gateway prevents arbitrary access.

Flexible Front‑end Customization

The gateway can intercept static resources or routes to replace logos, inject custom JS/CSS, etc.

Scenario Examples

Internal network: Use the gateway as a gate so developers cannot directly access Kibana.

Public exposure: When Kibana is exposed to the internet, TLS and authentication are mandatory.

Version upgrade transition: Older Kibana versions that lack official security plugins can be patched with the gateway.

How to Configure? (Example)

The following example shows how to add a TLS proxy, Basic Auth, and static‑resource replacement on INFINI Gateway.

3.1 Enable the TLS Proxy at the Gateway

In the configuration file, the entry section defines the external address of the gateway:

entry:
  - name: my_es_entry
    enabled: true
    router: my_router
    max_concurrency: 10000
    network:
      binding: 0.0.0.0:8000
      skip_occupied_port: true
    tls:
      enabled: true

binding: 0.0.0.0:8000 – the gateway listens on all interfaces; bind to a specific local IP instead for tighter security.

tls.enabled: true – enables HTTPS to encrypt traffic and avoid plain‑text credentials.

Clients now access Kibana via https://<gatewayIP>:8000.

3.2 Add Basic Auth for Kibana

Define a flow that first performs Basic Auth:

flow:
  - name: default_flow
    filter:
      - basic_auth:
          valid_users:
            medcl: passwd
      - http:
          schema: "http" # can be https if Kibana enables TLS
          host: "192.168.3.188:5602"

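basic_auth – only requests carrying a username and password listed under valid_users are allowed through. The credentials sit in clear text in the configuration file, so restrict read access to that file and replace the example passwords before use.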

http – forwards the request to the real Kibana instance.

3.3 Replace Static Resources (Custom Logo or Illustration)

Use a “replace_logo_flow” to redirect a request to a custom image URL:

  - name: replace_logo_flow
    filter:
      - redirect:
          uri: https://elasticsearch.cn/uploads/event/20211120/458c74ca3169260dbb2308dd06ef930a.png

When the flow matches, the original Kibana illustration is replaced by the specified picture.

3.4 Flexible Routing Rules

In the router section, map request patterns to flows:

router:
  - name: my_router
    default_flow: default_flow
    rules:
      - method:
          - GET
          - POST
        pattern:
          - "/_logout"
        flow:
          - logout_flow
      - method:
          - GET
        pattern:
          - "/plugins/kibanaReact/assets/illustration_cloud_migration.png"
        flow:
          - replace_logo_flow

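Default rule – applies default_flow (Basic Auth) to every request that no rule matches.

Custom rules – route /_logout to logout_flow and route one specific illustration to replace_logo_flow, which swaps in the custom logo. Neither of these flows contains a basic_auth filter, so requests matching these patterns are answered without a credential check; any rule‑routed flow that forwards to Kibana needs its own basic_auth filter.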

3.5 Complete Example Configuration

entry:
  - name: my_es_entry
    enabled: true
    router: my_router
    max_concurrency: 10000
    network:
      binding: 0.0.0.0:40001
      skip_occupied_port: true
    tls:
      enabled: true

flow:
  - name: logout_flow
    filter:
      - set_response:
          status: 401
          body: "Success logout!"
      - drop:
  - name: replace_logo_flow
    filter:
      - redirect:
          uri: https://elasticsearch.cn/uploads/event/20211120/458c74ca3169260dbb2308dd06ef930a.png
  - name: default_flow
    filter:
      - basic_auth:
          valid_users:
            elastic: changeme
      - http:
          schema: "http"
          host: "10.0.8.2:5601"

router:
  - name: my_router
    default_flow: default_flow
    rules:
      - method:
          - GET
          - POST
        pattern:
          - "/_logout"
        flow:
          - logout_flow
      - method:
          - GET
        pattern:
          - "/plugins/kibanaReact/assets/illustration_cloud_migration.png"
        flow:
          - replace_logo_flow
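
The following added example, which is not from the original article or the INFINI Gateway project, statically audits a parsed gateway configuration for the points this walkthrough depends on: TLS on every entry, a basic_auth filter ahead of every http forward in any routed flow, and no default passwords. The CONFIG dict, the audit function, the WEAK_PASSWORDS list and the placeholder redirect URI are assumptions made for the illustration.

```python
# Added example (not INFINI Gateway code): static audit of a parsed gateway config.
# CONFIG is constructed from the page's complete example, as a YAML loader would return it.
CONFIG = {
    "entry": [{"name": "my_es_entry", "router": "my_router",
               "network": {"binding": "0.0.0.0:40001"}, "tls": {"enabled": True}}],
    "flow": [
        {"name": "logout_flow", "filter": [
            {"set_response": {"status": 401, "body": "Success logout!"}}, {"drop": None}]},
        {"name": "replace_logo_flow", "filter": [
            {"redirect": {"uri": "https://example.invalid/logo.png"}}]},  # placeholder URI
        {"name": "default_flow", "filter": [
            {"basic_auth": {"valid_users": {"elastic": "changeme"}}},
            {"http": {"schema": "http", "host": "10.0.8.2:5601"}}]},
    ],
    "router": [{"name": "my_router", "default_flow": "default_flow", "rules": [
        {"method": ["GET", "POST"], "pattern": ["/_logout"], "flow": ["logout_flow"]},
        {"method": ["GET"], "flow": ["replace_logo_flow"],
         "pattern": ["/plugins/kibanaReact/assets/illustration_cloud_migration.png"]}]}],
}
# Assumption: a small illustrative list, not an exhaustive password dictionary.
WEAK_PASSWORDS = {"changeme", "passwd", "password", "admin"}

def audit(config):
    """Return findings for entries, routed flows and credentials."""
    findings = []
    # Map each flow name to the ordered list of its filter names.
    flows = {f["name"]: [next(iter(step)) for step in f.get("filter") or []]
             for f in config.get("flow", [])}
    for e in config.get("entry", []):
        if not (e.get("tls") or {}).get("enabled"):
            findings.append(f"entry {e['name']}: TLS off, Basic Auth is sent in clear text")
        if (e.get("network") or {}).get("binding", "").startswith("0.0.0.0:"):
            findings.append(f"entry {e['name']}: listens on all interfaces")
    for r in config.get("router", []):
        # Every flow a request can reach: the default plus each rule's flows.
        routed = {r.get("default_flow")} | {
            n for rule in r.get("rules") or [] for n in rule.get("flow", [])}
        for name in sorted(n for n in routed if n):
            steps = flows.get(name)
            if steps is None:
                findings.append(f"router {r['name']}: flow {name} is not defined")
            elif "http" in steps and "basic_auth" not in steps[:steps.index("http")]:
                findings.append(f"flow {name}: reaches Kibana without basic_auth")
    for f in config.get("flow", []):
        for step in f.get("filter") or []:
            users = (step.get("basic_auth") or {}).get("valid_users") or {}
            for user, pw in users.items():
                if str(pw).lower() in WEAK_PASSWORDS:
                    findings.append(f"flow {f['name']}: weak password for user {user}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```

Run against the complete configuration above, the audit reports the all‑interfaces binding and the elastic / changeme credential, and stays silent about logout_flow and replace_logo_flow because neither forwards to Kibana.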

Verification

Access requires username and password: Open https://<gatewayIP>:40001 and a login dialog appears; entering medcl / passwd grants access (these are the credentials from the 3.2 example; the complete configuration in 3.5 defines elastic / changeme under valid_users instead).

Static resources are replaced: Specified illustrations or logos show the custom image defined in replace_logo_flow.

Custom logout: Visiting https://<gatewayIP>:40001/_logout triggers logout_flow, returning a 401 status and the message “Success logout!”.

Outlook: More Possibilities

Deep front‑end customization: Replace additional JS/CSS, embed custom navigation or scripts for secondary development.

Fine‑grained access control: Configure different permissions or rate‑limit rules per user or IP.

Rapid, non‑intrusive upgrades: Regardless of Kibana version, the gateway can provide unified security and customization without touching Kibana itself.

Conclusion

By configuring entries, flows, and routers on INFINI Gateway, a “bare‑bones” Kibana gains:

Basic Auth – mandatory login.

TLS – encrypted communication.

Custom resource replacement – flexible UI branding.

This low‑cost, high‑benefit approach suits scenarios that require security compliance or quick protection without modifying existing Kibana settings, while still allowing further extensions such as additional filters or custom logic.
