And yay, native API clients are nodes also, which allows them to become 
proxies. So then you need to stunnel-protect them also. Rinse and repeat lol

So...

1- For port 9300 bind to localhost
2- Put stunnel in front of port 9300 and configure all nodes the same way to 
have cluster node comms in SSL.
3- Restrict any access to 9300. (Clients can become proxy nodes, so if they 
are somewhere external to the ES cluster, then you could connect to them 
unauthenticated/non-SSL.)
4- a) For port 9200 bind to localhost and put Nginx as a reverse proxy (this 
is straight passthrough)
    b) Or use a 3rd party plugin like the jetty plugin (you have to rely on the 
plugin doing the right thing and having no bugs, plus plugins are not 
necessarily up to speed with the latest ES releases)

It's a bit cumbersome but this secures ES to the max. Also this forces the 
use of an HTTP client, with which you lose some of the niceties you get with the 
native client. (Read more here: https://github.com/searchbox-io/Jest)

On Friday, 22 August 2014 13:47:12 UTC-4, John Smith wrote:
>
> Ok so I think I figured it out and seems to be working ok. Please feel 
> free to publish this or improve upon it etc... Note: client certs have not 
> been tested yet.
>
> Software versions used (though I don't think it matters really)
> Ubuntu 14.04
> JDK 1.8_20
> elasticsearch 1.3.2
> stunnel4
>
> This config is for a 2-node setup.
>
> ________________________________________
> NODE 1
> ________________________________________
>
> Required config changes to elasticsearch.yml
>
> # First bind elasticsearch to localhost (this makes es invisible to the outside world)
> network.bind_host: 127.0.0.1
> transport.tcp.port: 9300
>
> # Since we are going to hide this node from the outside, we have to tell the rest of the nodes how it looks on the outside
> network.publish_host: <NODE 1 IP HERE>
> transport.publish_port: 9700
>
> http.port: 9200
>
> # Disable multicast
> discovery.zen.ping.multicast.enabled: false
>
> # Since we are hiding all the nodes behind stunnel we also need to proxy es client requests through SSL.
> # For each additional node add 127.0.0.1:970x where x is incremented by 1, i.e. 9702, 9703 etc...
> # Connect to NODE 2
> discovery.zen.ping.unicast.hosts: 127.0.0.1:9701
>
> stunnel.conf on NODE 1
>
> ;Proxy ssl for tcp transport.
> [es-transport]
> accept = <NODE 1 IP HERE>:9300
> connect = 127.0.0.1:9300
> cert = stunnel.pem
>
> ;Proxy ssl for http
> [es-http]
> accept = <NODE 1 IP HERE>:9200
> connect = 127.0.0.1:9200
> cert = stunnel.pem
>
> ;ES clustering does some local discovery.
> ;Since stunnel binds its own ports, we pick an arbitrary port that is not used by other "systems/protocols"
> ;See the publish settings of elasticsearch.yml above.
> [es-transport-local]
> client = yes
> accept = <NODE 1 IP HERE>:9700
> connect = <NODE 1 IP HERE>:9300
>
> ; The ssl client tunnel for es to connect ssl to node 2.
> [es-transport-node2]
> client = yes
> accept = 127.0.0.1:9701
> connect = <NODE 2 IP HERE>:9301
>
> ;For each additional node increment x by 1, i.e. 9702, 9703 etc...
> [es-transport-nodex]
> client = yes
> accept = 127.0.0.1:970x
> connect = <NODE X IP HERE>:930x
>
> ________________________________________
> NODE 2
> ________________________________________
>
> Required config changes to elasticsearch.yml
>
> # First bind elasticsearch to localhost (this makes es invisible to the outside world)
> network.bind_host: 127.0.0.1
> transport.tcp.port: 9301
>
> # Since we are going to hide this node from the outside, we have to tell the rest of the nodes how it looks on the outside
> network.publish_host: <NODE 2 IP HERE>
> transport.publish_port: 9701
>
> http.port: 9200
>
> # Disable multicast
> discovery.zen.ping.multicast.enabled: false
>
> # Since we are hiding all the nodes behind stunnel we also need to proxy es client requests through SSL.
> # For each additional node add 127.0.0.1:970x where x is incremented by 1, i.e. 9702, 9703 etc...
> # Connect to NODE 1
> discovery.zen.ping.unicast.hosts: 127.0.0.1:9700
>
> stunnel.conf on NODE 2
>
> ;Proxy ssl for tcp transport.
> [es-transport]
> accept = <NODE 2 IP HERE>:9301
> connect = 127.0.0.1:9301
> cert = stunnel.pem
>
> ;Proxy ssl for http
> [es-http]
> accept = <NODE 2 IP HERE>:9200
> connect = 127.0.0.1:9200
> cert = stunnel.pem
>
> ;ES clustering does some local discovery.
> ;Since stunnel binds its own ports, we pick an arbitrary port that is not used by other "systems/protocols"
> ;See the publish settings of elasticsearch.yml above.
> [es-transport-local]
> client = yes
> accept = <NODE 2 IP HERE>:9701
> connect = <NODE 2 IP HERE>:9301
>
> ; The ssl client tunnel for es to connect ssl to node 1.
> [es-transport-node1]
> client = yes
> accept = 127.0.0.1:9700
> connect = <NODE 1 IP HERE>:9300
>
> ;For each additional node increment x by 1, i.e. 9702, 9703 etc...
> [es-transport-nodex]
> client = yes
> accept = 127.0.0.1:970x
> connect = <NODE X IP HERE>:930x
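The two-node layout quoted above, generalised to N nodes as an added example (this is not code from the original post): node x keeps its plaintext transport on loopback port 930x, is published on 970x, and reaches every peer through a loopback stunnel client on that peer's 970x. The IPs are constructed samples, and loopback_only() is an added check that ES itself never listens or dials off-host.

```python
# Added example, not from the original post. Port scheme follows the post:
# node x (zero-based) -> transport 930x bound to 127.0.0.1, published as 970x.
TRANSPORT_BASE, PUBLISH_BASE, HTTP_PORT = 9300, 9700, 9200
SAMPLE_IPS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]  # constructed (TEST-NET-1)


def transport_port(i):  # plaintext transport port, loopback only
    return TRANSPORT_BASE + i


def publish_port(i):    # loopback entry of the stunnel client tunnel towards node i
    return PUBLISH_BASE + i


def elasticsearch_yml(i, ips):
    """elasticsearch.yml fragment for node i; peers are only ever addressed via 127.0.0.1."""
    peers = ",".join(f"127.0.0.1:{publish_port(j)}" for j in range(len(ips)) if j != i)
    return "\n".join([
        "network.bind_host: 127.0.0.1",                 # invisible off-host
        f"transport.tcp.port: {transport_port(i)}",
        f"network.publish_host: {ips[i]}",              # how peers see this node
        f"transport.publish_port: {publish_port(i)}",
        f"http.port: {HTTP_PORT}",
        "discovery.zen.ping.multicast.enabled: false",
        f"discovery.zen.ping.unicast.hosts: {peers}",
    ]) + "\n"


def stunnel_conf(i, ips):
    """stunnel.conf for node i: TLS server sections plus one client tunnel per remote node."""
    me, tp, pp = ips[i], transport_port(i), publish_port(i)
    lines = [
        "[es-transport]", f"accept = {me}:{tp}", f"connect = 127.0.0.1:{tp}", "cert = stunnel.pem", "",
        "[es-http]", f"accept = {me}:{HTTP_PORT}", f"connect = 127.0.0.1:{HTTP_PORT}", "cert = stunnel.pem", "",
        "[es-transport-local]", "client = yes", f"accept = {me}:{pp}", f"connect = {me}:{tp}", "",
    ]
    for j, peer in enumerate(ips):  # client tunnels: loopback 970j -> TLS -> peer 930j
        if j != i:
            lines += [f"[es-transport-node{j + 1}]", "client = yes",
                      f"accept = 127.0.0.1:{publish_port(j)}", f"connect = {peer}:{transport_port(j)}", ""]
    return "\n".join(lines)


def loopback_only(yml):
    """Check: ES binds to loopback and every unicast peer is a loopback stunnel entry."""
    kv = dict(line.split(": ", 1) for line in yml.splitlines() if ": " in line)
    hosts = kv.get("discovery.zen.ping.unicast.hosts", "").split(",")
    return kv.get("network.bind_host") == "127.0.0.1" and all(h.startswith("127.0.0.1:") for h in hosts)
```

Note that the published 970x port is itself the plaintext accept side of a client tunnel, so the firewall restriction the reply above recommends still has to be applied around it.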

To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/52396cd8-af8b-4ef6-83ea-f9fd5278403f%40googlegroups.com.