Seamlessly Adding Proxy and Basic Security to Elasticsearch
INFINI Gateway
2022-03-31

If you have multiple or older versions of Elasticsearch, or if you haven’t set up TLS and authentication, anyone can potentially access Elasticsearch directly. By using the INFINI Gateway, you can quickly fix this issue.

Forwarding Requests using Elasticsearch Filter

First, define an Elasticsearch resource as follows:

elasticsearch:
  - name: prod
    enabled: true
    endpoint: http://192.168.3.201:9200

Then, use the following filter to forward requests to the Elasticsearch resource named prod:

- elasticsearch:
    elasticsearch: prod

For more details about this filter, please refer to the documentation: elasticsearch filter

Adding Basic Authentication

Let’s add basic authentication to restrict access to the target cluster:

- basic_auth:
    valid_users:
      medcl: passwd

Enabling TLS

If you have set up authentication but haven’t enabled TLS, it’s still not secure because HTTP is a plaintext protocol and can easily leak passwords. Configure the following:

- name: my_es_entry
  enabled: true
  router: my_router
  max_concurrency: 10000
  network:
    binding: 0.0.0.0:8000
  tls:
    enabled: true

Now you can access the prod Elasticsearch cluster using the address https://localhost:8000.

Note that the binding address here is 0.0.0.0, which means it listens on all network interfaces on the machine. For security reasons, you may want to modify it to listen only on the local address or a specific network interface IP.

Compatibility with HTTP Access

If you have legacy systems that cannot switch to the new cluster, you can provide a new port for HTTP access:

- name: my_unsecure_es_entry
  enabled: true
  router: my_router
  max_concurrency: 10000
  network:
    binding: 0.0.0.0:8001
  tls:
    enabled: false

Now you can access the prod Elasticsearch cluster using the address http://localhost:8001.

Complete Configuration

elasticsearch:
  - name: prod
    enabled: true
    endpoint: http://192.168.3.201:9200

entry:
  - name: my_es_entry
    enabled: true
    router: my_router
    max_concurrency: 10000
    network:
      binding: 0.0.0.0:8000
    tls:
      enabled: true
  - name: my_unsecure_es_entry
    enabled: true
    router: my_router
    max_concurrency: 10000
    network:
      binding: 0.0.0.0:8001
    tls:
      enabled: false

flow:
  - name: default_flow
    filter:
      - basic_auth:
          valid_users:
            medcl: passwd
      - elasticsearch:
          elasticsearch: prod
router:
  - name: my_router
    default_flow: default_flow
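
As an added example (not part of the original post or of INFINI Gateway), this Python check audits the complete configuration above: it follows each entry to its router and flow, then flags wildcard bindings and entries that accept basic_auth credentials without TLS. The function names and finding strings are hypothetical, the configuration is embedded as an already-parsed dict, and the check assumes filters run in the order listed.

```python
# The page's complete configuration as it looks once parsed from YAML;
# max_concurrency is left out because the check does not read it.
CONFIG = {
    "elasticsearch": [{"name": "prod", "enabled": True,
                       "endpoint": "http://192.168.3.201:9200"}],
    "entry": [
        {"name": "my_es_entry", "enabled": True, "router": "my_router",
         "network": {"binding": "0.0.0.0:8000"}, "tls": {"enabled": True}},
        {"name": "my_unsecure_es_entry", "enabled": True, "router": "my_router",
         "network": {"binding": "0.0.0.0:8001"}, "tls": {"enabled": False}},
    ],
    "flow": [{"name": "default_flow", "filter": [
        {"basic_auth": {"valid_users": {"medcl": "passwd"}}},
        {"elasticsearch": {"elasticsearch": "prod"}}]}],
    "router": [{"name": "my_router", "default_flow": "default_flow"}],
}

def filters_for(config, entry):
    """Follow entry -> router -> default_flow; return filter names in order."""
    routers = {r["name"]: r for r in config.get("router", [])}
    flows = {f["name"]: f for f in config.get("flow", [])}
    router = routers.get(entry.get("router"), {})
    flow = flows.get(router.get("default_flow"), {})
    return [name for f in flow.get("filter", []) for name in f]

def audit(config):
    """Return (entry name, finding) pairs for every enabled entry."""
    findings = []
    for entry in config.get("entry", []):
        if not entry.get("enabled", True):
            continue
        name = entry["name"]
        host = entry["network"]["binding"].rsplit(":", 1)[0].strip("[]")
        if host in ("0.0.0.0", "::", ""):
            findings.append((name, "listens on all interfaces"))
        names = filters_for(config, entry)
        if "elasticsearch" not in names:
            continue  # this entry does not forward to a cluster
        # Assumption: filters run in listed order, so basic_auth must come first.
        if "basic_auth" not in names[:names.index("elasticsearch")]:
            findings.append((name, "forwards without basic_auth"))
        elif not entry.get("tls", {}).get("enabled", False):
            findings.append((name, "basic_auth password sent over plain HTTP"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(CONFIG):
        print(f"{name}: {finding}")
```

On the page's configuration it reports the wildcard binding on both entries and the plaintext credential exposure on my_unsecure_es_entry, which shares my_router and therefore the basic_auth flow with the TLS entry.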

The Result

Now, when accessing Elasticsearch through the gateway, login credentials are required.
