webplatform / ops

http://webplatform.github.io/ops/

Setup ElasticSearch to be exposed publicly in read-only mode #159

Open renoirb opened 9 years ago

renoirb commented 9 years ago

Once we have many indices opened for our infrastructure such as Discuss, MediaWiki, Notes, we might want to open up the possibility to make queries from the open web.

We can’t open ElasticSearch to the wide open without limiting capabilities. We could then use NGINX as a proxy and ensure only non-compromising read actions are allowed. Refer to this article in the Elasticsearch docs.

Configuration summary

Note: do not use as is; there are more things to limit, and it has to be tested.

On the frontend servers (i.e. the ones with a public IP address), add a virtual host (e.g. search.webplatform.org) similar to this.

  # List all elastic nodes internally
  upstream upstream_elasticsearch {
    server 10.10.10.2:9200;
    server 10.10.10.3:9200;
    server 10.10.10.4:9200; 
    keepalive 15;
  }

  server {
    server_name search.webplatform.org;
    listen 80;

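    # Refuse the cluster and node administration endpoints
    # (case-insensitive match on the start of the path)
    location ~* ^(/_cluster|/_nodes) {
      return 403;
      break;
    }

    # Everything else is proxied to the Elasticsearch nodes,
    # reusing kept-alive upstream connections
    location / {
      proxy_pass http://upstream_elasticsearch;
      proxy_http_version 1.1;
      proxy_set_header Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";
      proxy_redirect off;
    }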
  }
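
An allowlist variant of the virtual host above, as an added example that is not part of the original comment or the project's configuration: instead of blocking two path prefixes and proxying the rest, it forwards only the search endpoint of named indices and refuses everything else. The index names `discuss`, `mediawiki` and `notes` are assumptions derived from the services named in the issue, and the 16k body limit is an arbitrary illustrative value.

```nginx
# Added example: default-deny proxy in front of Elasticsearch.
# Reuses the upstream_elasticsearch block defined above.
server {
  server_name search.webplatform.org;
  listen 80;

  # Reject oversized query bodies before they reach the cluster
  # (16k is an assumed limit, tune to the real queries).
  client_max_body_size 16k;

  # Only /<index>/_search for explicitly listed indices is forwarded.
  # Index names here are hypothetical. The match is case-sensitive and
  # anchored at both ends, so /_cluster, /_nodes, /_bulk, /<index>/_doc,
  # /_all/_search and any other API fall through to the 403 below.
  location ~ ^/(discuss|mediawiki|notes)/_search$ {
    # GET also permits HEAD. POST is allowed because browsers cannot
    # send a request body with GET and the query DSL travels in the body.
    # PUT, DELETE and every other method are refused.
    limit_except GET POST {
      deny all;
    }

    proxy_pass http://upstream_elasticsearch;
    proxy_http_version 1.1;
    # An empty Connection header is what lets nginx reuse the
    # kept-alive connections declared in the upstream block.
    proxy_set_header Connection "";
    proxy_redirect off;
  }

  # Default deny: anything not matched above never reaches Elasticsearch.
  location / {
    return 403;
  }
}
```

Query-string parameters and the contents of the search body still pass through unchanged, so this narrows the reachable API surface but does not by itself limit what a search request may ask for.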