Securing elasticsearch (and solr) and other REST interfaces..

I use Logstash. Since v1.2.2 (with a few fixes, which made it actually handle webserver access logs properly :) - It's been a fun tool to do amazing things with. That and elastic search with the Kibana interface..

Only problem is that default kibana setup, just accesses elasticsearch directly (port 9200) - and elasticsearch has NO concept of users, authorization etc.

ie. EVERYONE can DELETE your data.. or modify them. or..

The standard solution for this, is ofcourse to only allow access to elasticsearch, through a proxy (actually some are working on writing their own proxy for elasticsearch.. why oh why..)

I found some doing some nginx and not much else.

I generally prefer to use standard, well proven, quality software - and reuse my knowledge in existing software, whereever it makes sense (I have to learn about new stuff everyday.. but since it's my responsibility to ensure things actually work in production.. I tend to prefer safer bets, and require some testing of new things :)

Hence I found a way to proxy with apache.. Here's my ruleset which fits kibana ordinary use.. and I hope it can be of use to others. .and improvements are ofcourse welcome.

It's just some REST filtering - based on elasticsearch urls.. it could easily be used for filtering access to any REST service. Add some <Location.. with authentication if you would like the log to show WHO actually did what :)

  #allow the files used for kibana app - served locally
  RewriteRule ^/$ - [L]
  RewriteRule ^/(app|css|font|img|vendor)/.* - [L]
  RewriteRule ^/(config.js|index.html)?$ - [L]
 
  #allow what kibana needs for searching
  RewriteCond %{REQUEST_METHOD} ^(get) [NC]
  RewriteRule ^(.*/_mapping|/_nodes.*|/_status|/_aliases)$ - [L]
  RewriteCond %{REQUEST_METHOD} ^(post) [NC]
  RewriteRule ^.*/_search$ - [L]

  #allow read and save of kibana settings
  RewriteCond %{REQUEST_METHOD} ^(get|put) [NC]
  RewriteRule ^/kibana-int/.*$ - [L]

  RewriteEngine On
  ServerSignature Off
  Options +FollowSymLinks


  #end up disallowing everything that hasn't been specificly allowed (whitelist)

  RewriteRule ^(.*)$ - [F,L]

  ProxyRequests off

# elastic search queries..
 # Set global proxy timeouts
  <Proxy http://localhost:9200>
    ProxySet connectiontimeout=5 timeout=90
  </Proxy>

  # Proxy for _aliases and .*/_search
  <LocationMatch "^(/_aliases|.*/_search|.*/_mapping|/_cluster.*|/_status.*|/_nodes)$">
    ProxyPassMatch http://localhost:9200
    ProxyPassReverse http://localhost:9200
  </LocationMatch>

# Proxy for kibana-int/{dashboard,temp} stuff
  <LocationMatch "^(/kibana-int/dashboard/|/kibana-int/temp).*$">
    ProxyPassMatch http://localhost:9200
    ProxyPassReverse http://localhost:9200
  </LocationMatch>

0 comments on Securing elasticsearch (and solr) and other REST interfaces..