If you use later versions of Logstash with Kibana:
I deploy Kibana into a virtual host in an Apache at /kibana/
and route the Elasticsearch API through a reverse proxy such that is available at /elasticsearch/
:
<Location /elasticsearch/>
ProxyPass http://elasticsearchhost:9200/
ProxyPassReverse /
</Location>
You need to adapt Kibanas config.js to
elasticsearch: "/elasticsearch/",
Then the virtual host can be secured via HTTP Basic Authentication, which applies automatically to both Kibana and the Elasticsearch API.
What still worries me is that the users of Kibana could also use the Elasticsearch API to do nasty things like dropping indizes, shutting down Elasticsearch servers and so forth - for instance with the elasticsearch head. But I don't have a good solution to that problem so far. Probably one could generally allow GETs to /elasticsearch/ since in REST GETs cannot change anything, but other HTTP methods to only specific URLs which are important for Kibana.