How to protect a Digital Ocean Elasticsearch cluster?

I need to expose my ES cluster to the world and front it with Nginx as a proxy, *:9201 -> localhost:9200 (this works).

However, in order to form a cluster, I'm trying to use DigitalOcean's private network so the nodes can talk to each other.

How can I open the node-to-node port on the private network interface securely, without exposing port 9200 to the world?

I'm trying something like

    network.publish_host: 10.128.97.184
    http.port: 9200
    discovery.zen.ping.multicast.enabled: false
    discovery.zen.ping.unicast.hosts: 10.128.97.184,10.128.97.185

in elasticsearch.yml, but it doesn't work, perhaps because port 9300 also needs to be protected by nginx?

My nginx config looks like

    root@els-node-1:~# cat /etc/nginx/sites-enabled/elasticsearch
    server {
        listen *:9201;
        access_log /var/log/nginx/elasticsearch.access.log;

        location / {
            # HTTP basic auth in front of the ES REST API
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/htpasswd;
            proxy_pass http://localhost:9200;
            proxy_read_timeout 90;
        }
    }

And I can form a cluster, but I can't figure out how to protect the external 9200 (bind it to 127.0.0.1) and leave the internal interface open for applications on 10.x.x.x.

Thanks for the help!

+5
1 answer

Even if you use a private network, your ES cluster is insecure, since someone on the same DigitalOcean private network can access your nodes through the open ports 9200 and 9300 (and possibly other services). It is best to protect your boxes with iptables and whitelist only the IP addresses you know are your own servers. Drop all incoming and forwarded packets and add explicit rules only for the other nodes in the cluster. Also, use network.bind_host instead of network.publish_host, and additionally configure ES to use only the eth1 interface; check the ES network docs for more details.

+3
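The answer's approach worked through as an added example (this script is not from the original question or answer): a default-deny iptables whitelist that leaves 9200/9300 reachable only from listed cluster peers on the private NIC, an audit of the generated rules, and the matching elasticsearch.yml fragment. Assumptions, all adjustable: eth0 is the public interface and eth1 the DigitalOcean private one, the node and peer addresses are the ones from the question, and the setting names follow the ES 1.x names the question uses (the `_eth1:ipv4_` interface syntax is the one documented for that series).

```shell
#!/bin/sh
# Added example, not code from the original post. Prints (and, with "apply",
# installs) an iptables whitelist for one Elasticsearch node, audits it, and
# prints the matching elasticsearch.yml fragment. Assumptions, adjust to fit:
#   PUBLIC_IF = eth0 (public NIC), PRIVATE_IF = eth1 (DO private network);
#   ES HTTP 9200 and transport 9300 are bound to eth1 only; nginx on 9201 is
#   the only public entry point; ES_PUBLISH/ES_PEERS use the question's IPs.
set -eu

PUBLIC_IF="${PUBLIC_IF:-eth0}"
PRIVATE_IF="${PRIVATE_IF:-eth1}"
ES_PUBLISH="${ES_PUBLISH:-10.128.97.184}"
ES_PEERS="${ES_PEERS:-10.128.97.185}"   # space-separated list of other nodes
NGINX_PORT=9201
ES_HTTP_PORT=9200
ES_TRANSPORT_PORT=9300

# es_fw_rules PEER_IP [PEER_IP ...]
# Print the iptables commands one per line instead of running them, so the
# rule set can be reviewed first. Policies are switched to DROP last so an
# open SSH session survives the reload (ESTABLISHED is accepted by then).
es_fw_rules() {
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"
    # Loopback: nginx -> ES and any other local traffic.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened (DNS, apt, outbound calls).
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SSH from anywhere (tighten to an admin address if you have one).
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
    # The nginx-protected ES endpoint is the only public service.
    echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $NGINX_PORT -j ACCEPT"
    # Transport port: only from explicitly listed peers, only on the private NIC.
    # Nothing opens 9200 or 9300 to the rest of the private network.
    for peer in "$@"; do
        echo "iptables -A INPUT -i $PRIVATE_IF -p tcp -s $peer --dport $ES_TRANSPORT_PORT -j ACCEPT"
    done
    # Log a sample of what falls through, so a misconfigured peer is diagnosable.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"es-fw-drop: \""
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

# es_fw_audit < rules
# Exit non-zero if any ACCEPT rule for an ES port is not pinned to both the
# private interface and a specific source address.
es_fw_audit() {
    ! grep -E -e "--dport ($ES_HTTP_PORT|$ES_TRANSPORT_PORT) .*-j ACCEPT" \
      | grep -v -E -e "-i $PRIVATE_IF .*-s [0-9.]+ " \
      | grep -q .
}

# es_node_yaml PUBLISH_IP PEER_IP [PEER_IP ...]
# elasticsearch.yml fragment: bind to the private NIC only, as the answer
# suggests (ES 1.x "_iface:ipv4_" syntax, assumed), pin the transport port so
# the firewall rule is exact, and unicast-discover the listed peers.
es_node_yaml() {
    publish_ip=$1; shift
    peers=$(printf '%s,' "$@"); peers=${peers%,}
    cat <<EOF
network.bind_host: _${PRIVATE_IF}:ipv4_
network.publish_host: $publish_ip
http.port: $ES_HTTP_PORT
transport.tcp.port: $ES_TRANSPORT_PORT
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: $peers
EOF
}

case "${1:-print}" in
    print) es_fw_rules $ES_PEERS ;;                             # review first
    audit) es_fw_rules $ES_PEERS | es_fw_audit && echo "audit: ok" ;;
    apply) es_fw_rules $ES_PEERS | sh -e ;;                     # as root
    yaml)  es_node_yaml "$ES_PUBLISH" $ES_PEERS ;;
esac
```

With ES bound to eth1 it no longer listens on 127.0.0.1, so point nginx's proxy_pass at the private address (http://10.128.97.184:9200); traffic from the local box to that address still travels over lo, which the first rule accepts. After `apply`, persist the rules with iptables-save and confirm from another droplet that 9200 and 9300 are unreachable while the listed peers still join the cluster. Note that the nginx listener on 9201 is plain HTTP, so the basic-auth credentials cross the public network in cleartext; terminate TLS on that listener before relying on it.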

Source: https://habr.com/ru/post/1203264/