通过nginx代理无密码访问开启了x-pack验证的elasticsearch

在有些工具中,并没有提供elasticsearch的用户名密码接口,而如果elasticsearch开启了x-pack验证,用户名密码又是必须参数。如果去修改工具实现,代价又太大,所以我们可以选择使用nginx反向代理,使用nginx为请求增加验证,达到无密码访问兼容老工具的目的。

首先,elasticsearch中配置允许通过请求头来验证:

http.cors.allow-headers: Authorization

然后我们先使用curl 加上-u -v参数来访问elasticsearch,观察请求体:

curl --user elastic:123456 -v "http://127.0.0.1:11111"

* About to connect() to 127.0.0.1 port 11111 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 11111 (#0)
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Authorization: Basic ZWxhc3RpYzoxMjM0NTY=
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:11111
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.12.2
< Date: Tue, 30 Oct 2018 07:42:06 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 491
< Connection: keep-alive
< 
{
  "name" : "es-wk-node-1",
  "cluster_name" : "es-wk1",
  "cluster_uuid" : "Dc1CiavHRzSCtt4yzImVrA",
  "version" : {
    "number" : "6.4.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "04711c2",
    "build_date" : "2018-09-26T13:34:09.098244Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

通过与不加-u(–user)参数的对比,可以发现差别就是请求头多了一个Authorization参数,而其值是固定的,所以我们在nginx中配置为请求添加此请求头即可。

server {
        listen       11111;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            # proxy_set_header user elastic:123456;
            proxy_set_header Authorization 'Basic ZWxhc3RpYzoxMjM0NTY=';
            proxy_pass http://127.0.0.1:19200;
        }
}

这时候去掉-u参数再使用curl访问elasticsearch发现就成功了。

发布了153 篇原创文章 · 获赞 78 · 访问量 37万+
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 技术黑板 设计师: CSDN官方博客

分享到微信朋友圈

×

扫一扫,手机浏览