vlead / analytics-db

This repository will hold the documents and specifications for installing ELK stack for analytics purposes

Security for elasticsearch REST APIs #11

Closed ksripathi closed 6 years ago

ksripathi commented 7 years ago

Since elasticsearch is running behind an nginx server which is accessible on port 80 from everywhere in the outside world, unless we configure security for elasticsearch we can't prevent anonymous users from requesting APIs.

To prevent this: as elasticsearch is running behind the nginx server, by setting up authentication on the nginx server and then allowing only authenticated users through to elasticsearch we can prevent this attack.

ksripathi commented 7 years ago

Reference : https://www.ralphlepore.net/setting-up-basic-authentication-with-elasticsearch/

ksripathi commented 7 years ago

Configure the nginx server to enable authentication for all request methods except GET requests. Reference: https://www.claudiokuenzler.com/blog/645/limit-http-request-methods-in-nginx-add-authentication-except-get#.WZksVKZb_YM

ksripathi commented 7 years ago

Currently security for elasticsearch is implemented at the nginx server level as follows:

GET: no authentication
POST, PUT and DELETE: require authentication

The document can be found at https://github.com/vlead/analytics-db/blob/refactor/src/deployment/run-elasticsearch-on-dev-env-vagrant.org in the nginx server conf section.

ksripathi commented 7 years ago

Configure the nginx server to allow POST, PUT and DELETE request methods only from the analytics service domain/IP.

ksripathi commented 7 years ago

The nginx server configuration below allows POST, PUT and DELETE methods only from a specific IP/domain and allows GET for all IPs/domains.

```nginx
location / {
    # Any method other than GET (HEAD is implicitly grouped with GET
    # by limit_except) is accepted only from 192.168.33.10.
    limit_except GET {
        allow 192.168.33.10;
        deny all;
    }
}
```
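A fuller version of the nginx approach described in this thread (HTTP basic authentication plus an IP allow-list for every method except GET, with reads left open), added here as an example; it is not the project's own configuration and not the file linked above. It assumes Elasticsearch is bound to 127.0.0.1:9200, that the analytics service is 192.168.33.10 as in the comment above, a hypothetical internal range 10.0.0.0/8, a password file at /etc/nginx/.htpasswd, and a made-up server name.

```nginx
# Added example, not the project's configuration.
# Assumptions: Elasticsearch on 127.0.0.1:9200, analytics service at
# 192.168.33.10, hypothetical internal range 10.0.0.0/8, credentials in
# /etc/nginx/.htpasswd, hypothetical server name analytics-db.example.
upstream elasticsearch {
    server 127.0.0.1:9200;
}

server {
    listen 80;
    server_name analytics-db.example;

    location / {
        # Everything except GET (and HEAD, which limit_except always treats
        # together with GET) must both come from an allow-listed address and
        # carry valid basic-auth credentials: nginx's default "satisfy all"
        # requires every access rule in the block to pass.
        limit_except GET {
            # ngx_http_access_module's allow/deny take IP addresses and CIDR
            # ranges (or "all"), not hostnames or wildcard domains.
            allow 192.168.33.10;
            allow 10.0.0.0/8;
            deny  all;

            auth_basic           "analytics-db write access";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }

        proxy_pass http://elasticsearch;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

The password file can be created with `htpasswd -c /etc/nginx/.htpasswd analytics` (apache2-utils) or with a hash from `openssl passwd -apr1`. Three things to check before relying on this: Elasticsearch itself must not be reachable on 9200 from outside (bind it to localhost or firewall the port), otherwise the nginx rules are simply bypassed; leaving GET open means every read endpoint, including `/_search` and the `/_cat` APIs, stays world-readable, so if the data is sensitive move `auth_basic` out of `limit_except` into the `location` and keep only the allow-list method-specific; and if another proxy or load balancer sits in front of nginx, `$remote_addr` is that proxy's address, so the allow-list is only meaningful with `set_real_ip_from` and `real_ip_header` configured for it.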

travula commented 7 years ago

Can we say

allow *.vlabs.ac.in ?

Sincerely,
Thirumal Ravula
Technical Manager, VLEAD, Virtual Labs
IIIT, Hyderabad


ksripathi commented 7 years ago

Yes @travula, we can have *.vlabs.ac.in as the allowed domains, and this will enable other services of vlabs.ac.in to also consume the service of analytics-db.

Thanks

I will add and update this issue as per requirement

ksripathi commented 7 years ago

Query posted on Stack Overflow: https://stackoverflow.com/questions/46149079/nginx-allow-only-domain-ac-in-for-post-delete-put-requests

ksripathi commented 7 years ago

Security of the analytics database is documented at: https://github.com/vlead/analytics-db/blob/refactor/src/design/index.org#security