Block all non-localhost connections by default

jezdez / dokku-elasticsearch-plugin

[unmaintained] A working Elasticsearch plugin for Dokku (run Docker with -icc=true)

32 stars 15 forks source link

Block all non-localhost connections by default #8

Open blag opened 10 years ago

blag commented 10 years ago

Installing this on a public-facing web server leaves the elasticsearch server open to the world on port 9200.

There are two ways to fix this.

From ServerFault:

iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP

From StackOverflow: In /etc/elasticsearch/elasticsearch.yml:
```
network.host: 127.0.0.1
```

I'm not entirely sure how to fix this without forking the Docker image, because that will only fix it for me, not for everybody. Is there a good way to do this?

alexbeletsky commented 10 years ago

I'm hit by ES vulnerability and want to use docker/dokku to host next one and this is exactly issue I want to understand. I need to run ES and allow only whitelisted clients to connect.

To approach it, I thought of following scenario.

deploy elasticsearch by this plugin.
create simple node.js proxy run it by dokku.
link elasticsearch container to proxy.
prevent access to 9200/9300 by commands you posted above.

It seems like by doing that elasticsearch.yml could be default, except dynamic scripts have to be disabled since it's the source of vulnerability as well.

I don't see any command to update elasticsearch.yml, can it be changed inside the container?

If you solved that issue, I would really appreciate your experience.

blag commented 10 years ago

I did end up simply forking this entire project - Docker files and everything.

Here is my Dockerfile repository: https://github.com/blag/dokku-elasticsearch-dockerfiles

And here is my dokku plugin repository: https://github.com/blag/dokku-elasticsearch-plugin

I have updated my dockerfiles repository to add a VOLUME for /etc/elasticsearch, so you should be able to modify elasticsearch.yml outside of the Docker image (once you have mounted it), and then restart the container with the new settings.

I will add the infrastructure to mount the VOLUME and restart the container to my dokku plugin fork tonight.

blag commented 10 years ago

I have updated my dokku plugin to have a config directory in ~dokku/$APP/elasticsearch/volumes/config

Note that this new code is untested, but it solves part of your problem.

alexbeletsky commented 10 years ago

@blag great.. I think I'll stick to your plugin then. Will dig into code a bit later. Thanks for you help.