3

I am completely new to elasticsearch but I like it very much. The only thing I can't find and can't get done is to secure elasticsearch for production systems. I read a lot about using nginx as a proxy in front of elasticsearch but I never used nginx and never worked with proxies.

Is this the typical way to secure elasticsearch in production systems?

If so, are there any tutorials or nice reads that could help me to implement this feature? I really would like to use elasticsearch in our production system instead of solr and tomcat.

4 Answers

2

There's an article about securing Elasticsearch which covers quite a few points to be aware of here: http://www.found.no/foundation/elasticsearch-security/ (Full disclosure: I wrote it and work for Found)

There are also some things here you should know: http://www.found.no/foundation/elasticsearch-in-production/

To summarize the summary:

At the moment, Elasticsearch does not consider security to be its job. Elasticsearch has no concept of a user. Essentially, anyone that can send arbitrary requests to your cluster is a “super user”.

  1. Disable dynamic scripts. They are dangerous.
  2. Understand the sometimes tricky configuration that is required to limit access controls to indexes.
  3. Consider the performance implications of multiple tenants: a weakness or a bad query in one can bring down an entire cluster!

1 Comment

Thanks for your answer. I did everything as mentioned in the article above. Now I'm at the point where I try to install nginx as a proxy server in front of Elasticsearch. But I don't really know what the exact advantage of this is. I have an nginx server as a proxy which is called over xxx.xxx.xxx.xxx. In nginx I check if it's a GET request and I also check if the IP address is from my server. After that my proxy passes me to Elasticsearch. Is that the correct way? Or am I missing something to make it really safe? Thanks!
2

Proxying ES traffic through nginx with, say, basic auth enabled is one way of handling this (but use HTTPS to protect the credentials). Even without basic auth in your proxy rules, you might, for instance, restrict access to various endpoints to specific users or from specific IP addresses.

What we do in one of our environments is to use Docker. Docker containers are only accessible to the world AND/OR other Docker containers if you explicitly define them as such. By default, they are blind. In our docker-compose setup, we have the following containers defined:

  • nginx - Handles all web requests, serves up static files and proxies API queries to a container named 'middleware'

  • middleware - A Java server that handles and authenticates all API requests. It interacts with the following three containers, each of which is exposed only to middleware:

    • redis
    • mongodb
    • elasticsearch

The net effect of this arrangement is the access to elasticsearch can only be through the middleware piece, which ensures authentication, roles and permissions are correctly handled before any queries are sent through.

A full docker environment is more work to set up than a simple nginx proxy, but the end result is something that is more flexible, scalable and secure.
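
The proxy approach discussed in the answers above, sketched as an added example (not code from any of the posters): an nginx server block that terminates HTTPS, requires basic auth, restricts source addresses and forwards only GET/HEAD requests. The hostname, file paths and client address are placeholders, and it assumes Elasticsearch listens only on 127.0.0.1:9200 so that the proxy cannot be bypassed.

```nginx
# Added example: nginx as an authenticating HTTPS proxy in front of Elasticsearch.
# Hostname, certificate paths, htpasswd path and client address are placeholders.
server {
    listen 443 ssl;
    server_name search.example.internal;              # placeholder hostname

    # HTTPS protects the basic-auth credentials in transit.
    ssl_certificate     /etc/nginx/tls/search.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/search.key;    # placeholder path

    # Require BOTH an allowed source address and valid credentials
    # ("all" is the default; stated explicitly so nobody relaxes it to "any").
    satisfy all;

    allow 192.0.2.10;    # constructed address standing in for the application server
    deny  all;

    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;      # placeholder path

    location / {
        # Read-only access: every method except GET (and HEAD) is refused,
        # so index, update and delete requests never reach the cluster.
        limit_except GET {
            deny all;
        }

        # Assumption: Elasticsearch is bound to loopback only.
        proxy_pass http://127.0.0.1:9200;
    }
}
```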


0

Here's a very important addition to the info presented in answers above. I would have added it as a comment, but don't yet have the reputation to do so.

While this thread is old(ish), people like me still end up here via Google.

Main point: this link is referenced in Alex Brasetvik's post:

https://www.elastic.co/blog/found-elasticsearch-security

He has since updated it with this passage:

Update April 7, 2015: Elastic has released Shield, a product which provides comprehensive security for Elasticsearch, including encrypted communications, role-based access control, AD/LDAP integration and Auditing. The following article was authored before Shield was available.

You can find a wealth of information about Shield here.

A very key point to note is this requires version 1.5 or newer.


0

Yeah, I also have the same question, but I found one plugin which is provided by the Elasticsearch team, i.e. Shield. It is a limited version; for production you need to buy a license. Please find the attached link for your perusal.

https://www.elastic.co/guide/en/shield/current/index.html

1 Comment

Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
