logsearch / logsearch-boshrelease

A BOSH-scalable Elasticsearch+Logstash+Kibana release
http://www.logsearch.io
Apache License 2.0

Ports 5601 and 9200 accessible from outside the elasticsearch VM #166

Closed petar-petrov-sap closed 9 years ago

petar-petrov-sap commented 9 years ago

Hi,

Current setup for elasticsearch_master VM is to have 3 jobs:

The nginx serves as an HTTP proxy for elasticsearch and kibana. However, ports 5601 (kibana) and 9200 (elasticsearch) remain open to the outside net (bound to 0.0.0.0). Furthermore, what is the point of having elasticsearch accessible via the "api.*" URL from outside? I think the whole configuration for elasticsearch should be removed from nginx because kibana accesses it directly on 127.0.0.1:9200.

If you want, I can propose a change in git to fix that.

Kind regards, Petar Petrov

dpb587 commented 9 years ago

A few things to answer here...

First, in general, we bind ports to all interfaces to avoid complications in complex networks. We assume you will be using virtual firewall rules to restrict traffic within and external to the cluster. This is because deployments can vary in security requirements and we can't fully codify the release to meet everybody's needs, instead favoring you utilizing your cloud's features. I'd recommend designing your rules so they are geared to allow only the traffic you expect and want (vs blocking all the ports which may be listening).

The purpose of the api/nginx job is to proxy and filter requests in order to block destructive requests. For example, we don't want our users to be deleting documents or changing mappings - we only want them to be able to search data. So, our kibana configurations are pointed to this proxy instead of directly at elasticsearch, and we use regular firewall rules to block user access to port 9200.

The kibana(4) job defaults to 127.0.0.1:80 because in our environment we reuse the api where we can be a bit more restrictive about the requests we support. If you care to avoid the colocation, you can currently update the kibana.elasticsearch property to be 127.0.0.1:9200 so it does talk to elasticsearch directly.

Depending on your setup, you don't need to colocate all three jobs on your master nodes. If you have very high requirements, elasticsearch master can run independently. Likewise, you don't need to run both api and kibana if you don't care about potentially malicious requests or the kibana4 frontend, respectively.

Let me know if I can answer or clarify anything else.
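
The request filtering described in the comment above, sketched as a default-deny allowlist. This is an added example, not part of the thread and not the release's nginx configuration; the endpoint sets, the `is_allowed` name and the sample requests are assumptions chosen to show "search only, no deletes or mapping changes".

```python
import re

# Assumed policy for a search-only user (not taken from the release):
# these endpoints carry their query in a body, so GET and POST are both accepted.
READ_ENDPOINTS = {"_search", "_msearch", "_count", "_mget"}
# Reading a mapping is fine; changing one (PUT/POST) is not.
GET_ONLY_ENDPOINTS = {"_mapping"}

# Index/type names: "_all", or a name that does not start with "_" so that
# admin namespaces such as /_cluster or /_snapshot never pass as an index.
NAME = re.compile(r"^(?:_all|[A-Za-z0-9.*,-][A-Za-z0-9.*,_-]*)$")

def is_allowed(method, target):
    """Return True only for requests the read-only policy explicitly permits."""
    method = method.upper()
    if method not in ("GET", "POST"):          # DELETE, PUT, HEAD, ... are denied
        return False
    path = target.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/") or "%" in path:
        return False                           # refuse encoded paths instead of guessing the decode
    segments = [s for s in path.split("/") if s]
    if not segments or len(segments) > 3:      # at most /index/type/_endpoint
        return False
    *scope, endpoint = segments
    if not all(NAME.match(s) for s in scope):
        return False
    if endpoint in READ_ENDPOINTS:
        return True
    return endpoint in GET_ONLY_ENDPOINTS and method == "GET"

# Constructed sample requests, as a proxy in front of port 9200 might see them.
SAMPLE_REQUESTS = [
    ("GET", "/logstash-2015.06.01/_search?q=status:500"),
    ("POST", "/_msearch"),
    ("GET", "/logstash-2015.06.01/_mapping"),
    ("DELETE", "/logstash-2015.06.01"),
    ("PUT", "/logstash-2015.06.01/_mapping/syslog"),
    ("POST", "/logstash-2015.06.01/_close"),
    ("POST", "/_cluster/settings"),
]

def audit(requests):
    """Label each (method, target) pair as ALLOW or DENY."""
    return [(m, t, "ALLOW" if is_allowed(m, t) else "DENY") for m, t in requests]

if __name__ == "__main__":
    for method, target, verdict in audit(SAMPLE_REQUESTS):
        print(f"{verdict:5} {method:6} {target}")
```

A filter like this only helps if clients cannot bypass it, which is why the comment pairs the proxy with firewall rules that block direct user access to port 9200.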