pelias / dashboard

Pelias dashboard built with the Dashing framework

HTTPS and basic auth #32

Open phlegx opened 1 year ago

phlegx commented 1 year ago

Hi there!

As far as I have seen, the Dashboard does not support an SSL connection to Elasticsearch with a self-signed certificate.

Furthermore, it seems that Basic Auth is also not supported.

Are there any plans to include these two things? From what I have seen and experienced, the other Pelias components support all of this.

Best Martin

related https://github.com/pelias/api/issues/1668#issuecomment-1852197244

missinglink commented 1 year ago

Hi Martin, none of the Pelias components supply basic auth or SSL.

The reason for this is that SSL can be complex, particularly when considering things like no downtime certificate renewal.

If you'd like to secure your Pelias installation it's recommended that you use an SSL appliance in front of your installation, either a proxy server such as NGINX, or a cloud load balancer.

I'm closing this issue as transport layer security, access control and authentication are considered out of scope and better handled at other layers of the stack.

phlegx commented 1 year ago

Hello @missinglink

I think they do: it is even in the config file, where you can set the protocol as well as the basic auth. In the default configuration you only see protocol: https://github.com/pelias/config/blob/master/config/defaults.json#L2

I have the Pelias API atm, for example, currently running with auth "auth": "elastic:xxxxxxx" and http.

best Martin

missinglink commented 1 year ago

Oh yes, I misunderstood; you're talking about between the application and elastic, not between the application and the user.

All the other codebases use a nodejs elastic client whereas this uses a ruby client.

We'd be happy to accept a PR to bring the two into parity.

spammads commented 1 year ago

+1 Would also appreciate this as my Elasticsearch-Cluster is deployed via operator, which defaults to a Basic-Auth.
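
Added example, not part of the thread or of any Pelias code: one way a Ruby client could honour the "protocol" and "auth" host settings discussed above, trusting a self-signed CA through a trust store while leaving certificate verification on. The host name, the "ca_file" key and the helper names are assumptions made for illustration.

```ruby
require 'net/http'
require 'openssl'

# Constructed sample host entry. "protocol" and "auth" are the settings named
# in the thread; "ca_file" is a hypothetical key holding a PEM path (nil here).
SAMPLE_HOST = {
  'protocol' => 'https', 'host' => 'es.example.internal', 'port' => 9200,
  'auth' => 'elastic:xxxxxxx', 'ca_file' => nil
}.freeze

# Build a client for one host entry. For https, peer verification stays on;
# a self-signed CA is trusted by loading it into the store, not by bypassing checks.
def build_es_client(host)
  http = Net::HTTP.new(host.fetch('host'), host.fetch('port'))
  return http unless host['protocol'] == 'https'

  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if host['ca_file']
    store = OpenSSL::X509::Store.new
    store.add_file(host['ca_file']) # only this CA is trusted for the connection
    http.cert_store = store
  end
  http
end

# Build a GET request carrying Basic credentials. Splitting on the first colon
# only keeps passwords that themselves contain ':' intact.
def build_es_request(host, path)
  req = Net::HTTP::Get.new(path)
  return req unless host['auth']

  user, password = host['auth'].split(':', 2)
  raise ArgumentError, 'auth must be "user:password"' if password.nil?

  req.basic_auth(user, password)
  req
end

# True when Basic credentials would travel over plaintext HTTP.
def credentials_exposed?(host)
  !host['auth'].nil? && host['protocol'] != 'https'
end

if __FILE__ == $PROGRAM_NAME
  client = build_es_client(SAMPLE_HOST)
  puts "TLS: #{client.use_ssl?}, exposed: #{credentials_exposed?(SAMPLE_HOST)}"
end
```

Nothing here opens a connection; passing the client and request to `client.request(req)` would perform the call against a reachable cluster.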