Exactly, even with SSL and Basic authentication on port 80/443, you still must not expose port 9200/9300 to the public.
You should route all HTTP requests over port 80/443, where you can control the traffic, for your teams sharing ES.

Jörg

On Mon, Sep 22, 2014 at 10:12 PM, Pradeep Narayan <[email protected]> wrote:
> Hi - I went over the following article on securing elasticsearch:
>
> http://www.elasticsearch.org/blog/scripting-security/
>
> I have a question on the specific point below:
>
> *1. Don't run Elasticsearch open to the public*
>
> *Elasticsearch is not designed to be a public facing service, it's
> intended to be used by your application via the API. By exposing
> Elasticsearch to the world you run the risk of denial-of-service attacks if
> a malicious user discovers your production Elasticsearch system. In
> addition, prior to the 1.2.x release an attacker can use dynamic scripting
> to perform arbitrary code execution on the machine that Elasticsearch is
> hosted on if Elasticsearch is open to the public.*
>
> *Because of this, it is highly recommended that Elasticsearch be run from
> behind a firewall, allowing only your development application or Kibana
> servers to communicate with it. You should block both port 9200 as well as
> port 9300 from all machines not part of your development environment.*
>
> Even if we secure the endpoint with SSL and Basic authentication using
> Jetty <https://github.com/sonian/elasticsearch-jetty>, is it still not
> fine to expose Elasticsearch? How different is this from any service that
> is publicly exposed? We have scenarios where we want to share Elasticsearch
> cluster b/w multiple teams and securing elasticsearch behind Jetty seems
> like the best option. Please advise.
>
> Regards,
>
> Pradeep
>
> --
> You received this message because you are subscribed to the Google Groups
> "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elasticsearch/9baa7ea2-cec0-4ea1-b31a-8b024e58f2ab%40googlegroups.com
> <https://groups.google.com/d/msgid/elasticsearch/9baa7ea2-cec0-4ea1-b31a-8b024e58f2ab%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
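A quick way to verify the advice above on a node, as an added example that is not part of the thread: list the listening sockets and flag any Elasticsearch port (9200 HTTP, 9300 transport) bound to something other than loopback. The listener lines below are a constructed sample in the column layout of `ss -ltnH` (local address in the 4th field, which also holds for `netstat -ltn`); on a real host you would pipe that command's output into the function instead.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Reads listener lines (format of `ss -ltnH` / `netstat -ltn`, local address in
# field 4) and prints every 9200/9300 socket not bound to a loopback address.
# Exit status 1 means at least one exposed Elasticsearch listener was found.

# Constructed sample: one correctly bound HTTP port, one transport port on all
# interfaces, an unrelated HTTPS listener, and an HTTP port on a LAN address.
SAMPLE_LISTENERS='LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9300 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 10.0.1.5:9200 0.0.0.0:*'

exposed_es_ports() {
    awk '
        {
            addrport = $4
            # Split on the last ":" so IPv6 literals like [::]:9300 work too.
            n = split(addrport, parts, ":")
            port = parts[n]
            addr = substr(addrport, 1, length(addrport) - length(port) - 1)
            if (port != "9200" && port != "9300") next
            # Loopback bindings are fine; anything else is reachable off-host.
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print addrport
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Runs the check against the embedded sample; real use:
#   ss -ltnH | exposed_es_ports
check_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_es_ports
}
```

The two lines it prints for the sample (`0.0.0.0:9300` and `10.0.1.5:9200`) are exactly the bindings the blog post says to firewall off; the fix is to set `network.host` to a private or loopback address and put the reverse proxy on 80/443 in front.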
