Connect to Elasticsearch Heroku database - heroku

I've set up a starter account on Heroku with a Bonsai elasticsearch add-on. I'm trying to connect to it via a Java application, but can't seem to connect via either Transport Client or the NodeBuilder options that are explained on the elasticsearch documentation pages.
I can run the following CURL to post data:
curl -XPOST http://banyan-7086980.us-east-1.bonsai.io/med/test/hello3 -d '{"title":"Hello world2"}'
My current line of thought is this:
Client client = new TransportClient()
.addTransportAddress(new InetSocketTransportAddress("http://banyan-7086980.us-east-1.bonsai.io", 9300));
But this is not working. What am I missing?

Most services that offer hosted Elasticsearch on Heroku do not support any other transport than HTTP. The canonical way of interfacing with Elasticsearch from Java is using either the Transport client or the Node client, both of which you've tried connecting to HTTP-endpoints.
The transport and node clients use a custom-built binary protocol which is not compatible with HTTP.
Additionally, this binary protocol by default does not support some core features you should expect in a production setup: authentication and encryption.
If your requirements include running on Heroku and using the official Java clients, have a look at Found Elasticsearch on Heroku, which provides support for the transport client using a custom transport module: https://github.com/foundit/elasticsearch-transport-module
Disclosure: I'm one of the developers at Found

Bonsai is a hosted service for elasticsearch, and if you are using the heroku addon, there are internals of both ES and Heroku that are abstracted.
For instance, the URL that you are hitting is at port 80 (http), whereas you are attempting to connect to 9300 (which is the default Elasticsearch port). This tells me that there is a proxy layer in between that is hiding ports 9200 and 9300 from the outside world, for security reasons.
What to do?
You could try connecting your Java client to port 80.
Client client = new TransportClient()
.addTransportAddress(new InetSocketTransportAddress("http://banyan-7086980.us-east-1.bonsai.io", 80));
If you are using Heroku to host your application, follow the instructions of the Bonsai addon and use the ENV variables to set up the connection.
If you just want to have a hosted instance, you can use alternatives such as qbox or found.
I prefer using Elasticsearch on Openshift.

Related

secure Kibana and elasticsearch using SSL / TLS

Thanks for taking the time to read this :)
My web app (grimoirelab) contains multiple services spun up using docker-compose, which contains Elasticsearch and Kibana. Port 5601 (Kibana) is open and accessible through the web.
I want to enable SSL / TLS in the Kibana container, i.e., change the URL from http to https.
Kibana and Elasticsearch are both version 6.8.6.
I have very little experience in web security, so I would really appreciate any guidance on the same...

You can follow this Elasticsearch documentation for configuration of SSL and TLS, and it is available for free after version 6.8.
Please check the "Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash" blog.
Please check this documentation for how to set up SSL and TLS with the Elasticsearch Docker container.

Tcp client not connecting to server when using istio

I created two sample applications (tcp-server and tcp-client) for checking TCP connections in an istio environment. I used the link below to create the server and client in Go:
https://www.linode.com/docs/guides/developing-udp-and-tcp-clients-and-servers-in-go/
Deployed the application in kubernetes cluster and tested without istio, it is working fine.
But after installing istio (demo configuration, followed this url to install istio: https://istio.io/latest/docs/setup/getting-started/)
and redeploying the apps to fill with envoy-proxy, the client is not connecting to the server.
Also, using the below command makes the server connect successfully:
sh -c "echo world | nc 10.244.1.29 1234" is
What am I doing wrong?

Posting the solution I found.
Issue: I was trying to connect to the server using the IP address and nodePort, which was somehow not working in the istio environment.
Solution: From the client, instead of providing the IP address and nodePort of the server node, give the service name and container port of the server app.
Extra Info: For using the client from outside the cluster, create a gateway and virtual service for the server. In your external client, provide the nodePort and IP address of the istio-ingress pod as the server destination.

Spring App on GCP - Cloud Run - HTTPS only - This combination of host and port requires TLS

My Spring app uses Let's Encrypt and is https only. I did not include the http to https thing, as it worked for me in Postman with the https:// format.
When I deployed to Cloud Run, and mentioned the custom port (the port specified in spring)
and tested using URL from dashboard
https://..blah..run.app
I am getting error/message
Bad Request
This combination of host and port requires TLS.
What configuration is required on Cloud Run to resolve this?
The URL as I see it on the service details page has https://...
EDIT:
If Cloud Run does not need me to take care of SSL, I can remove the application properties entries
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:key/keystore.p12
server.ssl.key-store-password=${lets.secret}
server.ssl.key-alias=someCertAlias
server.ssl.enabled=true
So can I get an answer on whether to remove SSL from Spring?
If Cloud Run always uses http, all my calls use redirectConnector, which seems pointless.

The Cloud Run Service listens on HTTP and HTTPS. Your application running in the container must listen on a port configured with HTTP only.
FYI: For a public facing web server, you should almost always enable HTTP. Otherwise, when a user enters www.example.com in the browser, the user will receive a connect error. This is not always the case, for example .dev gTLDs, but is good practice. When a user connects to Cloud Run with the HTTP protocol, Cloud Run will redirect the user to HTTPS and connect to your application using the HTTP protocol.

How to expose my Elastic Search server to the internet?

I've installed my ElasticSearch (ES) server on a CentOS VPS. I tested ES inside the server and it responds correctly.
My next step is to allow my website, which is hosted on a different web host, to access and index its data content into my ES server.
My question is, what is the recommended way of exposing ES to the internet, so my website can access it to perform index and search? Is there an authentication method that I need to install?

You need to include network.host: 0.0.0.0 in your elasticsearch.yml file so that it listens on the non-loopback address. After that, if your app-server and ES are both in the same VPC, the app-server will be able to connect to ES (provided you exposed port 9200 in the security group, in the case of AWS).
And hopefully, your app-server port is exposed to the internet, which internally connects to ES; you should not expose the 9200 port of ES to the internet.
If you want an extra layer of security, you can enable x-pack basic, which is included in the free tier and can be enabled using xpack.security.enabled: true in elasticsearch.config.
Refer to x-pack features and configuration for more info.
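As an added example (not code from the answer above or from the Elasticsearch project), the Python sketch below audits an elasticsearch.yml for the combination the answer warns about: a non-loopback bind such as network.host: 0.0.0.0 without xpack.security.enabled: true. It goes slightly beyond the answer by also checking xpack.security.http.ssl.enabled. Assumptions: the function names and sample configs are constructed here, the parser handles only plain mappings and inline lists, and pre-8.0 defaults (security off unless set) apply.

```python
import ipaddress

# Constructed samples: the bind from the answer, first with security left off.
SAMPLE_WEAK = "cluster.name: demo\nnetwork.host: 0.0.0.0\n"
SAMPLE_HARDENED = SAMPLE_WEAK + (
    "xpack.security.enabled: true\n"
    "xpack.security.http.ssl.enabled: true\n")  # certificate settings omitted

def load_settings(text):
    """Flatten flat-dotted or nested elasticsearch.yml mappings into {dotted.key: value}."""
    settings, parents = {}, []            # parents: (indent, key) of open nested maps
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while parents and parents[-1][0] >= indent:
            parents.pop()
        dotted = ".".join([k for _, k in parents] + [key.strip()])
        if value.strip():
            settings[dotted] = value.strip().strip("'\"")
        else:
            parents.append((indent, key.strip()))
    return settings

def is_loopback(host):
    host = host.strip().strip("'\" ")
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                      # hostname, _site_, _global_: assume reachable

def audit(text):
    """Return findings for a config reachable off-host without authentication or TLS."""
    s = load_settings(text)
    hosts = s.get("http.host") or s.get("network.host") or "_local_"
    if all(is_loopback(h) for h in hosts.strip("[]").split(",")):
        return []
    findings = []
    # Assumption: pre-8.0 defaults, where both settings are false unless set.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("non-loopback bind without xpack.security.enabled: true")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP layer reachable without TLS")
    return findings
```

Running audit() on the node's real elasticsearch.yml before opening port 9200 in a firewall or security group gives a quick check that the bind and the security settings agree.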

elasticsearch transport-couchbase plugin refusing connection on port 9091

On my server I have installed elasticsearch-2.2.1 and couchbase server version 4.1.0. The aim is to transfer data from bucket x on couchbase to elastic search.
I've installed the transport-couchbase plugin on Elasticsearch, which will basically allow for XDCR from the server to Elasticsearch.
As I understand it, transport-couchbase listens by default on port 9091, so in essence I'm supposed to create a cluster reference that points to that port (both Couchbase and Elasticsearch are installed on the same machine).
When I try to create the reference I get an internal server error. The logs don't give me much information regarding the issue and I can ping the port. However, when I try to telnet the machine on the port it refuses connection.
The server is sitting behind a proxy and I am starting to think that the issue lies within either Couchbase server or Elasticsearch (transport-couchbase plugin).
I'm going out on a limb here, but I think maybe I'm supposed to configure the plugin so that it accepts requests going through the proxy. If this is the issue, is there a way to embed proxy settings into the plugin so that it can accept connections for XDCR?
PS: When I did this whole process on a separate machine that isn't sitting behind a proxy, everything worked fine. So I have a strong suspicion that it is proxy issues.

If you can't telnet or browse to port 9091, this most likely indicates a network config issue. The plugin binds to the interface that Elasticsearch binds to. The first thing to check is that the bind_host and publish_host in elasticsearch.yml are configured to bind to an interface that allows connections from wherever the proxy is located and that the proxy is really connecting on that interface.
There is a thread on GitHub for the bug in the transport plugin where it might not bind to all interfaces:
https://github.com/couchbaselabs/elasticsearch-transport-couchbase/issues/134

The above solutions didn't work for me; however, I added this line:
-Djava.net.preferIPv4Stack=true
to /etc/elasticsearch/jvm.options and it seemed to fix the issue in my case.
