I'm using the PHP elasticsearch client.

How do I secure the data on my production server by blocking access via the browser?

http://api.*************.co.uk:9200

1 Answer

Edit: After chatting, your issue turned out to be that you didn't want to expose ES to the outside world, only to your app. The solution was to bind ES to the local interface by setting:

network.host: 127.0.0.1

Previous answer:

Typically, you would run nginx (or another webserver) which performs basic authentication, and then proxy requests to Elasticsearch.

This is a stripped-down config which may help you. Consider using SSL/TLS for your server, since BasicAuth passwords are sent in the clear otherwise.

server {
  listen 80 default_server;
  server_name your.server.address.com;
  client_max_body_size 50M;

  location / {
    # Pass requests to ElasticSearch
    proxy_pass http://localhost:9200;
    proxy_redirect off;

    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  Host $http_host;

    # For CORS Ajax
    proxy_pass_header Access-Control-Allow-Origin;
    proxy_pass_header Access-Control-Allow-Methods;
    proxy_hide_header Access-Control-Allow-Headers;
    add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type';
    add_header Access-Control-Allow-Credentials true;

    # Authorize access
    auth_basic           "ElasticSearch";
    auth_basic_user_file /etc/elasticsearch/passwords;
  }
}
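
A quick way to confirm the bind change took effect, as an added example that is not part of the original answer: it parses `ss -ltn` output and reports any listener on port 9200 that is not bound to a loopback address. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import subprocess

# Constructed sample of `ss -H -ltn` output (not taken from the page).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 128 [::1]:9200 [::]:*
LISTEN 0 128 *:9200 *:*
LISTEN 0 128 [::ffff:192.0.2.10]:9200 *:*
"""

def is_loopback(host):
    """True only for 127.0.0.0/8, ::1, or an IPv4-mapped loopback address."""
    host = host.split("%")[0].strip("[]")  # drop any %iface scope and brackets
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # "*" (all interfaces) or anything unparseable
        return False
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_loopback

def exposed_listeners(ss_output, port=9200):
    """Return local addresses listening on `port` that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue  # header line or a non-listening socket
        i = fields.index("LISTEN")  # index 1 when a Netid column is present
        if len(fields) < i + 4:
            continue
        local = fields[i + 3]  # State, Recv-Q, Send-Q, Local Address:Port
        host, _, local_port = local.rpartition(":")
        if local_port == str(port) and not is_loopback(host):
            findings.append(local)
    return findings

if __name__ == "__main__":
    out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    bad = exposed_listeners(out)
    print("exposed:" if bad else "port 9200 is loopback-only", *bad)
```

Run it on the Elasticsearch host after restarting the service; an empty result means only local processes, such as the nginx proxy or the PHP app, can reach port 9200.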

8 Comments

Do you have anything for Apache? I'm not using nginx
Not off the top of my head but it should translate pretty directly. Set up a vhost that uses BasicAuth and proxies to ES.
I'm trying to get my head around how it actually works. Elasticsearch is installed on the same server as my application, so whatever vhost I create, Elasticsearch is available on port 9200. The only way I can think of is if there is some way to redirect all traffic on port 9200 to a PHP script where I can check for HTTP basic authentication?
Sod it, I've changed my server to nginx.
You would bind ES to 127.0.0.1, so it's not reachable on port 9200 outside of local requests. Then, you would proxy external requests on 80 (or even 9200, if you wanted to bind there) to localhost:9200.