fullscale / elastic.js

A JavaScript implementation of the elasticsearch Query DSL
http://docs.fullscale.co/elasticjs/
MIT License

Using elastic.js on a non-localhost server #15

Closed Siraris closed 11 years ago

Siraris commented 11 years ago

Hi guys,

I appreciate all the hard work that you put into elastic.js, but I'm a bit lost on how this could ever be used for a public-facing application. I have ES running on an Amazon EC2 instance and it's currently sitting behind an nginx proxy. From what I can tell, if I run a search (using request.doSearch()) on ES using Elastic.js, it tries to POST the search request to ES. I'm curious why a POST is being executed in order to retrieve data from the ES instance as opposed to a GET. If I was to use your service in a public application, I would have to allow anyone using it to be able to POST to my server, leaving me open to potential security issues.

Can anyone explain this thought process to me? I've been spending the past day or two trying to wrap my head around all this, and getting my proxy to the place where I want it so that I can securely interact with ES over AJAX.

It also might be nice to include some examples in the future on how to interact with a public instance using elastic.js

Thanks!

mattweber commented 11 years ago

We use POST because not all clients can send a request body (the json request) during GET requests. This is pretty standard and the reason elasticsearch supports both.

Securing a public-facing elasticsearch server really has nothing to do with this project and would be the same using any ES client (ruby, python, pure REST, etc.). It sounds like you are heading down the right path with nginx proxying your requests. You can use nginx to proxy only requests that match certain URLs and HTTP methods. This would be more than enough to secure an application, assuming you are not blindly proxying all incoming requests back to elasticsearch.

Another option is using something like the ruby proxy Karel wrote in this blog post: http://www.elasticsearch.org/tutorials/javascript-web-applications-and-elasticsearch/

In the future, the FullScale Labs team will be providing more information on securing elasticsearch using OAuth2 with full index-level ACLs as well.
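An nginx allow-list of the kind Matt describes above, added here as an example that is not part of this thread or of the elastic.js project: only the `_search` endpoint of one index is forwarded, and only with the methods elastic.js actually uses. The upstream address (127.0.0.1:9200), the hostname and the index name `public_idx` are assumptions.

```nginx
# Added example, not from the elastic.js project.
# Assumes elasticsearch listens on 127.0.0.1:9200 and that the browser
# page is served from this same host, so no CORS handling is needed.
upstream elasticsearch {
    server 127.0.0.1:9200;
}

server {
    listen 443 ssl;
    server_name search.example.com;   # placeholder hostname

    # Default rule: nothing reaches elasticsearch. Every other path
    # (index creation, _bulk, document PUT/DELETE, cluster APIs) is
    # answered here and never proxied.
    location / {
        return 404;
    }

    # Only the search endpoint of the one public index (assumed name).
    # elastic.js sends the query DSL as a POST body, so POST is allowed
    # alongside GET; limit_except GET also implicitly permits HEAD.
    # Anything else (PUT, DELETE, ...) gets a 403 from nginx.
    location ~ ^/public_idx/_search/?$ {
        limit_except GET POST {
            deny all;
        }

        # The URL/method filter does not inspect the JSON body itself;
        # keep bodies small so the proxy cannot be used to relay
        # oversized requests to the backend.
        client_max_body_size 16k;

        proxy_pass http://elasticsearch;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Because the regex location only matches the exact `/public_idx/_search` path, a request for `/public_idx/_search/../other` is normalised by nginx before matching and still falls through to the 404 block.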

aerique commented 11 years ago

Hi Matt, I understand your reasoning but I'm still wondering whether you would accept a patch to make Request.js/doSearch do requests with either POST (by default) or GET (either by using a function argument or setting a value on object instantiation).

My reasoning is that doing GETs to Elasticsearch when all one needs is read-only access is more robust than having people fool around with filters, regexps, etc. in their proxies.

BTW, this is an issue I'm having at work where I have control over the clients.