How to disable elasticsearch http module? - elasticsearch

The default value of the "http.enabled" option in Elasticsearch's configuration file is true, which means that we can search and administer the cluster with HTTP requests; for example, a DELETE /index_* request can delete all indexes. But this is not safe when deploying the service to the production environment. How can I fix this problem?

You can either implement Shield (this is free if you are paying for one of the Elasticsearch support packages),
or implement a reverse proxy which checks each request and the user running the request, for example nginx.
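The answer above leaves the proxy's checks unspecified. The following is an added example (not code from the thread, from Elasticsearch or from nginx) that models those checks as a pure decision function: authenticate the caller with HTTP Basic auth, refuse administrative endpoints outright, let read-only users send only GET/HEAD, and refuse the wildcard or _all deletes the question is worried about. The user table, index names and paths are constructed; once the rules are agreed, the same policy can be expressed in a real proxy (in nginx, for instance, with `location` blocks and `limit_except`).

```python
"""Request-filtering policy for a reverse proxy that fronts Elasticsearch's HTTP port.

Added example; the users, index names and paths below are constructed.
"""
import base64
import hmac
import re

# Constructed credential table: username -> password. A real proxy would consult a
# hashed-password file, never plaintext like this.
USERS = {"analyst": "s3cret-analyst", "ops": "s3cret-ops"}

# Users allowed to send non-read requests; everyone else is read-only.
WRITE_USERS = {"ops"}

READ_METHODS = {"GET", "HEAD"}

# Node/cluster administration endpoints that are never reachable through the proxy.
BLOCKED_PATH = re.compile(r"^/(_shutdown|_cluster/(settings|nodes)|_nodes)(/|$)")

# Wildcard or "all indices" targets, e.g. DELETE /index_* or DELETE /_all, which can
# wipe every index in a single request.
DANGEROUS_TARGET = re.compile(r"^/(_all|\*|[^/]*\*[^/]*)(/|$)")


def authenticate(authorization_header):
    """Return the username for a valid 'Basic' Authorization header, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except ValueError:  # bad base64 or not UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    if expected is None:
        # Compare against a dummy so unknown users cost the same time as known ones.
        hmac.compare_digest(password.encode(), b"x" * len(password.encode()))
        return None
    return user if hmac.compare_digest(password.encode(), expected.encode()) else None


def decide(method, path, authorization_header=None):
    """Return (status, reason): 200 means forward to Elasticsearch, 401/403 reject."""
    user = authenticate(authorization_header)
    if user is None:
        return 401, "authentication required"
    method = method.upper()
    path = path.split("?", 1)[0]
    if BLOCKED_PATH.match(path):
        return 403, "administrative endpoint is not exposed"
    if method in READ_METHODS:
        return 200, f"read request forwarded for {user}"
    if user not in WRITE_USERS:
        return 403, f"{user} is read-only"
    if method == "DELETE" and DANGEROUS_TARGET.match(path):
        return 403, "wildcard or _all delete refused"
    return 200, f"write request forwarded for {user}"


def basic(user, password):
    """Build a Basic Authorization header value for the demo requests below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    demo = [
        ("GET", "/logs-2024/_search", None),
        ("GET", "/logs-2024/_search", basic("analyst", "s3cret-analyst")),
        ("DELETE", "/index_*", basic("ops", "s3cret-ops")),
        ("DELETE", "/logs-2024", basic("ops", "s3cret-ops")),
        ("DELETE", "/logs-2024", basic("analyst", "s3cret-analyst")),
        ("POST", "/_cluster/nodes/_local/_shutdown", basic("ops", "s3cret-ops")),
    ]
    for method, path, header in demo:
        status, reason = decide(method, path, header)
        print(f"{status} {method:6} {path:40} {reason}")
```

The order of the checks matters: authentication comes first so that unauthenticated callers learn nothing about which paths exist, and the administrative-endpoint block applies to every user, including those allowed to write.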

Related

Configure nginx API periodically

I am really new to the nginx API and I have never done API configuration either.
I configured nginx as a load balancer in which I need to set the weight for my backend servers. Based on my CPU utilization I decide which weight to set.
The thing is, I don't have any issue getting the server utilization, but I need to patch my server weight into nginx via the API.
Help me with how to configure the API.
Note: I am getting the server utilization periodically. I have to change the server weight in nginx dynamically, and it has to happen atomically.
The ability to modify an Nginx configuration on the fly like this is, unfortunately, a feature that's only available in the commercial Nginx Plus variety. (E.g., this tutorial.)
As far as I'm aware, the only way to reconfigure the vanilla open source Nginx is to modify the configuration files and either do a reload or a reboot of the service.

Securing Kibana for an internet facing startup

New to Kibana & not an expert in web security. We're trying to build a small startup in which we're leveraging Kibana 5.x for our backoffice analysts for data exploration. This is a webapp and will be accessible over the internet.
Also, X-PACK security (though promising) may not be an option for us purely because of cost.
I'd like to summarize my thoughts and get them validated by the professionals out here.
Firstly, I'm thinking of putting Elasticsearch behind a firewall so that only my app server and Kibana server can access it; ES is now secure.
I'm thinking of fronting Kibana with a reverse proxy (Apache or nginx) and applying basic authentication. And everything will be over HTTPS.
I'll only allow GET requests to Kibana through this reverse proxy so that the users can only read.
Does this have any gap? Also, I'm wondering if Kibana makes a direct call to Elasticsearch from its JavaScript running in the browser? If this is true then we would have another potential backdoor to get to ES. What should be done if this is true?

How to provide a basic authentication for Kibana4

I am running a quite simple setup for ES+Kibana. I have the following 2 AWS instances:
HAProxy instance & ES+Kibana instance (both on the same machine). The whole set-up is straightforward: HAProxy redirects requests to the Kibana dashboard. The HAProxy instance holds my certificate and is not a dedicated instance, i.e. it is also responsible for sending connections to other monitoring instances that I own.
So it looks like:
                                    |---->> Monitor 1
Request ------------> HAPROXY ------|---->> Monitor 2
                                    |---->> (Kibana+ES_server)
I need basic authentication for Kibana+ES_Server only, which basically should ask a user for their username & password after they hit the URL.
P.S. I am also using browser-based certificates. What should be my approach? I am expecting a number of ways here and the best approach to do so.
Try the Elasticsearch basic authentication plugin (click here for Elasticsearch); for Kibana try kibana-authentication-proxy (click here for Kibana).

Elasticsearch Access Log

I'm trying to track down who is issuing queries to an Elasticsearch cluster. Elasticsearch doesn't appear to have an access log.
Is there a place where I can find out which IP is hitting the cluster?
Elasticsearch doesn't provide any security out of the box, and that is on purpose and by design.
So you have a couple of solutions out there:
1. Don't leave your ES cluster exposed to the open world, but put it behind a firewall (i.e. whitelist the hosts that can access ports 9200/9300 on your nodes).
2. Look into the Shield plugin for Elasticsearch in order to secure your environment.
3. Put an nginx server in front of your cluster to act as a reverse proxy.
4. Add simple basic authentication with either the elasticsearch-jetty plugin or simply the elasticsearch-http-basic plugin, which also allows you to whitelist the client IPs that are allowed to access your cluster.
If you want to have access logs, you need either 2 or 3, but all the solutions above will allow you to secure your ES environment.
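Once a reverse proxy sits in front of the cluster, its access log answers the question "which IP is hitting the cluster". The following is an added example (not code from the thread, from Elasticsearch or from nginx) that parses nginx's default `combined` log format and tallies, per client IP, search requests, write/delete attempts and rejected requests. The log lines are constructed; only the format they follow is nginx's.

```python
"""Summarise an nginx access log that sits in front of Elasticsearch: who queries what.

Added example; the log lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample log; the last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
10.0.1.15 - analyst [12/Mar/2024:10:01:02 +0000] "GET /logs-2024/_search?q=error HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.1.15 - analyst [12/Mar/2024:10:01:05 +0000] "GET /logs-2024/_search?q=timeout HTTP/1.1" 200 4096 "-" "python-requests/2.31"
10.0.2.40 - - [12/Mar/2024:10:02:10 +0000] "DELETE /index_* HTTP/1.1" 401 0 "-" "curl/8.4.0"
10.0.2.40 - - [12/Mar/2024:10:02:11 +0000] "DELETE /_all HTTP/1.1" 401 0 "-" "curl/8.4.0"
10.0.1.22 - ops [12/Mar/2024:10:03:00 +0000] "PUT /logs-2024/_doc/1 HTTP/1.1" 201 120 "-" "app/1.0"
this line is not in combined format
"""

WRITE_METHODS = {"PUT", "POST", "DELETE"}
QUERY_SUFFIXES = ("/_search", "/_msearch", "/_count")


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = COMBINED.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(lines):
    """Return (search requests per IP, write/delete attempts per IP, rejected per IP)."""
    queries = Counter()
    writes = defaultdict(list)
    rejected = Counter()
    for rec in parse(lines):
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if path.endswith(QUERY_SUFFIXES):
            queries[ip] += 1
        if rec["method"] in WRITE_METHODS:
            writes[ip].append(f'{rec["method"]} {path}')
        if rec["status"] in ("401", "403"):
            rejected[ip] += 1
    return queries, dict(writes), rejected


if __name__ == "__main__":
    q, w, r = summarize(SAMPLE_LOG.splitlines())
    for ip, n in q.most_common():
        print(f"{ip:12} {n} search request(s)")
    for ip, attempts in w.items():
        print(f"{ip:12} writes/deletes: {', '.join(attempts)} (rejected: {r[ip]})")
```

Run against a real log with `summarize(open("/var/log/nginx/access.log"))`. Rejected DELETE attempts against wildcard targets from an address that never authenticates are exactly the pattern worth alerting on.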

How disable remote access in elasticsearch

When running an Elasticsearch server,
we can access www.example.com:9200.
But I want to block remote access and only allow local access.
How do I set this up?
Instead of disabling the whole HTTP protocol by changing http.enabled in the /etc/elasticsearch/elasticsearch.yml settings (because some of your APIs may use the HTTP endpoint, which was my case), you can just set network.host: localhost in the same file.
This will make your :9200 HTTP access available only from your local machine/server.
Elasticsearch allows you to disable the HTTP endpoint by just setting http.enabled to false in the settings. It also allows you to have a local node which will only be reachable within the same JVM. On the other hand, you are asking how to allow only local access to the REST endpoint, which is different and requires the use of additional tools.
In fact, it's not a good idea to expose Elasticsearch to the internet. I would use a proxy like Apache or nginx to limit access to it and open, for instance, only some of the available endpoints, but that's needed only if you have external users that want to send messages directly to Elasticsearch. Usually that's not the case. Or, if you just want to deny access to it for all external users, because it's for instance only your website or application that needs access to it, just use a firewall and set up a proper rule to close port 9200.
You should set http.host to "127.0.0.1". This way you can access HTTP on port 9200 from the host itself, but not from outside. This also allows you to put a proxy in front which listens on some other port and filters and passes the requests selectively to the Elasticsearch node on localhost:9200.
For example, you may want to reject the request for shutdown, do basic authentication using nginx and then pass all query requests to the Elasticsearch cluster URL at http://localhost:9200.
This doesn't involve a firewall.
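The answers in this thread turn on a handful of elasticsearch.yml settings (http.enabled, network.host, http.host). The following is an added example (not code from the thread or from Elasticsearch) that reads those settings from a config file and reports whether port 9200 would be reachable from other machines. It assumes the precedence Elasticsearch applies when picking the HTTP bind address, http.bind_host over http.host over network.bind_host over network.host, and it handles only the flat "key: value" lines of elasticsearch.yml, so it needs no YAML library. Note that http.enabled only exists in older Elasticsearch releases; on newer ones, binding to loopback or fronting with a proxy are the available options. The sample configurations are constructed.

```python
"""Audit an elasticsearch.yml for HTTP (port 9200) exposure.

Added example; the sample configurations below are constructed.
"""

# Assumed precedence for the HTTP bind address (most specific setting wins).
BIND_KEYS = ("http.bind_host", "http.host", "network.bind_host", "network.host")

# Values that bind only to loopback interfaces.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_settings(text):
    """Parse flat 'key: value' lines; comments, blank lines and quotes are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def _values(value):
    """Split a YAML flow list like [a, b] into items; a scalar becomes a one-item list."""
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [v.strip().strip("\"'") for v in value.split(",") if v.strip()]


def is_loopback(host):
    """True for loopback addresses and Elasticsearch's _local_ special value."""
    return host in LOOPBACK or host.startswith("127.")


def audit(text):
    """Describe HTTP exposure for the given elasticsearch.yml text."""
    s = parse_settings(text)
    http_enabled = s.get("http.enabled", "true").strip("\"'").lower() != "false"
    bind_key = next((k for k in BIND_KEYS if k in s), None)
    hosts = _values(s[bind_key]) if bind_key else []
    loopback_only = bool(hosts) and all(is_loopback(h) for h in hosts)
    if not http_enabled:
        exposed = False
    elif not hosts:
        exposed = None  # default bind address depends on the Elasticsearch version
    else:
        exposed = not loopback_only
    return {
        "http_enabled": http_enabled,
        "bind_setting": bind_key,
        "bind_hosts": hosts,
        "loopback_only": loopback_only,
        "exposed_beyond_localhost": exposed,
    }


# Constructed configurations: the weak setting beside the corrected ones.
WEAK = """\
cluster.name: prod
network.host: 0.0.0.0      # HTTP and transport reachable from every interface
http.enabled: true
"""
HARDENED = """\
cluster.name: prod
network.host: localhost    # transport and HTTP bound to loopback only
"""
PROXY_ONLY = """\
cluster.name: prod
network.host: 10.0.0.5     # transport reachable by other nodes on the private network
http.host: 127.0.0.1       # but port 9200 only from this machine, e.g. via nginx
"""
NO_HTTP = """\
http.enabled: false        # no REST endpoint at all (older releases only)
network.host: 0.0.0.0
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK), ("hardened", HARDENED),
                      ("proxy-only", PROXY_ONLY), ("no-http", NO_HTTP)]:
        print(f"{name:11} {audit(cfg)}")
```

The PROXY_ONLY case is the one the last answer describes: nodes still talk to each other on the transport port over the private network, while the REST endpoint answers only on loopback, where a filtering proxy can sit in front of it.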