Background
During a recent security review at the company, the Elasticsearch HTTP port was found to be open. Even though it sits on the internal network, the risk is still considerable. There are basically two established ways to address this: the official Shield, or Search Guard. Shield requires a license, so it was dropped without hesitation. I did evaluate Search Guard: it is a good product, but the configuration is somewhat tedious, it requires generating certificates, and it does not support turning off node verification. Most of the company's programs are developed with the Java client, which means every application in production would need certificates added before it could work again; after our colleagues finished the changes, regression testing would still be needed, so the cost is a bit high. So I turned to the all-purpose nginx: a reverse proxy plus basic auth basically solves the problem.
Implementation steps
First, edit elasticsearch.yml and add the following line to bind the HTTP address to 127.0.0.1 (local access only):
http.host: 127.0.0.1
Then restart Elasticsearch. Port 9200 is now open to localhost only, and access from any other machine is refused.
Next, configure the nginx reverse proxy and SSL.
Generate the SSL certificate and key:
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout eshttp.key \
-x509 -days 3650 -out eshttp.crt
Generate the password file needed for basic auth:
# -apr1 produces an Apache MD5 hash that nginx verifies on any platform;
# the old -crypt option produced a DES hash that ignores characters beyond
# the eighth and is no longer available in OpenSSL 3.
printf "admin:$(openssl passwd -apr1 admin)\n" >>htpasswd
conf.d/upstream.conf:
upstream eslocalhttp {
    server 127.0.0.1:9200 max_fails=3 fail_timeout=4s weight=9;
}
conf.d/open_eshttpproxy.conf:
server {
    server_name eshttproxy;
    # "ssl on;" is deprecated since nginx 1.15.0 and rejected by current
    # releases (which the nginx:alpine tag tracks); enable TLS on the
    # listen directive instead.
    listen 8080 ssl;
    ssl_certificate /etc/nginx/conf.d/eshttp.crt;
    ssl_certificate_key /etc/nginx/conf.d/eshttp.key;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/htpasswd;
        proxy_redirect off;
        proxy_bind 127.0.0.1;
        proxy_pass http://eslocalhttp;
    }
}
Finally, write docker-compose.yml:
# For elasticsearch local http proxy
version: '2'
services:
  esproxy-nginx:
    image: nginx:alpine
    cpuset: '0'
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./conf.d:/etc/nginx/conf.d
    network_mode: "host"
    container_name: esproxy-nginx
Start the container:
sudo docker-compose up -d
Elasticsearch's REST API is now reachable at https://yourip:8080/.
The complete project is at: https://github.com/jiashiwen/eshttpproxy
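The steps above rely on three properties that are easy to break silently on a later edit: port 9200 bound to loopback only, every nginx location protected by auth_basic with TLS enabled on the listen socket, and the proxy answering 401 without credentials and 200 with them. The following verification script is an added example, not code from the original post or from the eshttpproxy project. The socket table and config texts embedded in it are constructed samples, the function names are my own, the listener check assumes the column layout of `ss -ltnH` from iproute2, and the live probe passes curl -k because the post's certificate is self-signed.

```shell
#!/bin/sh
# Added verification script for the nginx-in-front-of-Elasticsearch setup.
# Not part of the original post or the eshttpproxy project; the sample
# socket table and configs below are constructed, not captured from a host.

# check_es_listeners SOCKET_TABLE
#   SOCKET_TABLE is the output of `ss -ltnH` (one listening socket per line,
#   local address:port in column 4). Returns 1 if any socket on port 9200 is
#   bound to anything other than a loopback address.
check_es_listeners() {
    printf '%s\n' "$1" | awk '
        {
            addr = $4
            if (addr !~ /:9200$/) next
            sub(/:9200$/, "", addr)          # strip the port, keep the address
            if (addr != "127.0.0.1" && addr != "[::1]") {
                print "9200 exposed on " $4; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# check_nginx_conf CONFIG_TEXT
#   Flags (a) any location block without auth_basic_user_file, (b) the
#   removed "ssl on;" directive, (c) a listen directive without "ssl".
#   Assumes location blocks are not nested, as in the post's config.
check_nginx_conf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*location[[:space:]]/ { in_loc = 1; has_auth = 0; name = $2 }
        in_loc && /^[[:space:]]*auth_basic_user_file[[:space:]]/ { has_auth = 1 }
        in_loc && /^[[:space:]]*}/ {
            if (!has_auth) { print "location " name " has no auth_basic_user_file"; bad = 1 }
            in_loc = 0
        }
        /^[[:space:]]*ssl[[:space:]]+on;/ { print "use listen ... ssl instead of ssl on;"; bad = 1 }
        /^[[:space:]]*listen[[:space:]]/ && $0 !~ /[[:space:]]ssl(;|[[:space:]])/ {
            print "listen without ssl: " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# probe_proxy URL [USER:PASS]
#   Live check (not exercised by the embedded samples): prints the HTTP status
#   the proxy returns, optionally with basic-auth credentials. -k accepts the
#   self-signed certificate. Expect 401 without credentials and 200 with them.
probe_proxy() {
    if [ -n "${2:-}" ]; then
        curl -sk -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -sk -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Constructed `ss -ltnH` output for a correctly bound node.
SAMPLE_SS_OK='LISTEN 0 4096 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed output for the same host before http.host was set.
SAMPLE_SS_BAD='LISTEN 0 4096 0.0.0.0:9200 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed config matching the post, with TLS on the listen directive.
SAMPLE_CONF_OK='server {
    server_name eshttproxy;
    listen 8080 ssl;
    ssl_certificate /etc/nginx/conf.d/eshttp.crt;
    ssl_certificate_key /etc/nginx/conf.d/eshttp.key;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/htpasswd;
        proxy_pass http://eslocalhttp;
    }
}'

# Constructed config with the removed directive and an unprotected
# (hypothetical) /status location that would bypass basic auth.
SAMPLE_CONF_BAD='server {
    listen 8080;
    ssl on;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/conf.d/htpasswd;
        proxy_pass http://eslocalhttp;
    }
    location /status {
        proxy_pass http://eslocalhttp;
    }
}'

# Usage: sh check_esproxy.sh                                   -> checks the samples
#        sh check_esproxy.sh https://yourip:8080/ admin:admin  -> live checks on the host
if [ $# -eq 0 ]; then
    check_es_listeners "$SAMPLE_SS_OK"  && echo "sample OK table: 9200 is loopback-only"
    check_es_listeners "$SAMPLE_SS_BAD" || echo "sample BAD table: rejected as expected"
    check_nginx_conf "$SAMPLE_CONF_OK"  && echo "sample OK config: passes"
    check_nginx_conf "$SAMPLE_CONF_BAD" || echo "sample BAD config: rejected as expected"
else
    check_es_listeners "$(ss -ltnH)" && echo "9200 is loopback-only"
    [ "$(probe_proxy "$1")" = 401 ] && echo "anonymous request rejected (401)"
    [ -n "${2:-}" ] && [ "$(probe_proxy "$1" "$2")" = 200 ] && echo "authenticated request accepted (200)"
fi
```

The config check is deliberately line-based rather than a full nginx parser: it is enough to catch the two regressions that matter here, a location added later without its own auth_basic_user_file (nginx does not inherit it from a sibling location) and a listen socket that lost its ssl parameter so credentials would travel in clear text.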