Kibana: Support unix sockets for kibana 4 server

Created on 12 Oct 2014 · 8 Comments · Source: elastic/kibana

It would ease the administrator's task if the kibana server could be configured to listen on a unix socket instead of a tcp port.

It is probably quite simple to implement by adding a few lines in server.rb.

Operations enhancement

All 8 comments

Can you elaborate on the benefits of a unix socket over a tcp port for a web server?

It is easier to remember a name than a port number, performance of unix sockets is a bit better than a tcp connection over loopback, and security is improved because while you can access tcp ports through a misconfigured firewall, unix sockets are bound to the machine.

This all of course only makes sense when kibana is behind a reverse proxy.

I just found out that kibana does not support it, that's annoying :(
I use them so that every server listens on a specific unix socket and then use nginx as a reverse proxy to control where and if each server is accessible from the outside; doing so with unix sockets prevents polluting the list of open ports even if they are just local.

Is there any plan to add support for it?

PS: I also trust nginx more than most HTTP applications when it comes to blocking any weird attack attempt.

+1

@rashidkpc any news on this? If I take the time to learn the codebase and do a pull request, will it be merged? I am not a node developer but I can't imagine it will be too hard to add support for this.

Unix sockets are a very simple (thus reliable) way of enforcing security in a wide variety of situations. The utility of this is INCREASING with larger number of cores per machine.

  • Security on multi-tenant implementations. You can block access using the full set of file-system and mount options, including chroots.
  • Any time you only need the application to talk with other local (to the same machine) applications. No need to configure more complicated network settings (specific ip-bindings, firewalls, machine firewalld, etc.)
  • It's much easier to isolate and identify services by location on a hierarchical filesystem than a port-number.

/cc @elastic/kibana-operations

This feature request is an interesting idea but since its opening, we have not seen enough feedback that it is a feature we should pursue. We prefer to close this issue as a clear indication that we are not going to work on this at this time. We are always open to reconsidering this in the future based on compelling feedback; despite this issue being closed please feel free to leave feedback on the proposal (including +1s).

This decision is also in line with that of Elasticsearch and other products in the stack.
