Thanks a lot. That means plugins like Jetty (for Elasticsearch) have limited or no use in real scenarios, where we anyway need to hide the Elasticsearch port from the external world.
Regards,
Pradeep

On Monday, September 22, 2014 1:46:43 PM UTC-7, Jörg Prante wrote:
> Exactly, even with SSL and Basic authentication on port 80/443, you still
> must not expose port 9200/9300 to the public.
>
> You should route all HTTP requests over port 80/443, where you can control
> the traffic, for your teams sharing ES.
>
> Jörg
>
> On Mon, Sep 22, 2014 at 10:12 PM, Pradeep Narayan <[email protected]> wrote:
>
>> Hi - I went over the following article on securing Elasticsearch:
>>
>> http://www.elasticsearch.org/blog/scripting-security/
>>
>> I have a question on the specific point below:
>>
>> *1. Don’t run Elasticsearch open to the public*
>>
>> *Elasticsearch is not designed to be a public facing service, it’s intended to be used by your application via the API. By exposing Elasticsearch to the world you run the risk of denial-of-service attacks if a malicious user discovers your production Elasticsearch system. In addition, prior to the 1.2.x release an attacker can use dynamic scripting to perform arbitrary code execution on the machine that Elasticsearch is hosted on if Elasticsearch is open to the public.*
>>
>> *Because of this, it is highly recommended that Elasticsearch be run from behind a firewall, allowing only your development application or Kibana servers to communicate with it. You should block both port 9200 as well as port 9300 from all machines not part of your development environment.*
>>
>> Even if we secure the endpoint with SSL and Basic authentication using Jetty <https://github.com/sonian/elasticsearch-jetty>, is it still not fine to expose Elasticsearch? How different is this from any service that is publicly exposed? We have scenarios where we want to share an Elasticsearch cluster between multiple teams, and securing Elasticsearch behind Jetty seems like the best option. Please advise.
>>
>> Regards,
>>
>> Pradeep
>>
>> --
>> You received this message because you are subscribed to the Google Groups "elasticsearch" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/9baa7ea2-cec0-4ea1-b31a-8b024e58f2ab%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
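The setup Jörg describes, as an added example that is not from the thread, from Jörg, or from the elasticsearch-jetty project: Elasticsearch is bound to loopback only (elasticsearch.yml: `network.host: 127.0.0.1`, so 9200 and 9300 never listen on a routable interface), and nginx terminates TLS and Basic authentication on 443 and forwards only a controlled subset of the HTTP API. The hostname, certificate paths, htpasswd files and the `team-a-*` index prefix are assumptions for illustration.

```nginx
# Added example: nginx in front of a loopback-bound Elasticsearch 1.x node.
# Assumed: elasticsearch.yml has network.host: 127.0.0.1 and, on ES < 1.2,
# script.disable_dynamic: true (the proxy never inspects request bodies, so it
# cannot stop a script inside a _search body by itself).

upstream elasticsearch {
    server 127.0.0.1:9200;          # loopback only; never a public interface
    keepalive 16;
}

# Port 80 only redirects; nothing reaches ES unencrypted.
server {
    listen 80;
    server_name search.example.internal;   # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name search.example.internal;   # assumed hostname

    ssl_certificate     /etc/nginx/tls/search.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/search.key;   # assumed path
    ssl_protocols       TLSv1.2;

    # Default is deny: any path not matched by a location below gets 403.
    location / {
        return 403;
    }

    # Cluster and node administration is never forwarded, whoever authenticates.
    location ~ ^/(_cluster|_nodes|_shutdown|_snapshot|_settings|_plugin) {
        return 403;
    }

    # Team A: its own credentials, its own index prefix, and only the HTTP
    # methods it needs. DELETE (index deletion) and anything outside
    # team-a-* is refused before ES ever sees it.
    location ~ ^/team-a-[^/]+(/.*)?$ {
        auth_basic           "Elasticsearch team-a";
        auth_basic_user_file /etc/nginx/team-a.htpasswd;   # assumed path
        limit_except GET POST PUT { deny all; }

        proxy_pass         http://elasticsearch;
        proxy_http_version 1.1;
        proxy_set_header   Connection "";
        proxy_set_header   X-Forwarded-For $remote_addr;
    }

    # Repeat the block above per team (team-b-*, team-b.htpasswd, ...).
}
```

Two caveats a practitioner should check. First, this only covers the HTTP port: 9300 is the binary transport protocol, cannot be proxied this way, and must simply not be reachable except from the cluster's own nodes (loopback or a private interface plus a host firewall). Second, nginx picks the first matching regex location, so the deny rule for the administrative endpoints has to come before the per-team rules, and the per-team regex must not be loosened to a bare prefix or a request for `/_all/_search` would slip through to every index.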
