Secure ElasticSearch with Nginx

ElasticSearch is a distributed, open source search and analytics engine, designed for horizontal scalability, reliability, and easy management. The whole architecture is fully RESTful and allows us to execute every operation through an HTTP call.
So it is possible to create a new index (aka database in the SQL world), a new type (aka table in the SQL world) or add a new document (aka tuple/row in the SQL world) with just a simple HTTP POST. On the other hand, it is also possible to delete an entire index with just a simple HTTP DELETE.

Sadly Elastic does not provide a free plugin to secure the ElasticSearch cluster. The official plugin is called Shield and is included in the three subscription tiers (Developer, Gold, Platinum) sold by Elastic. The most common free plugin available online is Search Guard; you can download the source code from GitHub.

A solution that I prefer is to use Nginx (pronounced "engine x"). It is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server, known for its high performance, stability, rich feature set, simple configuration, and low resource consumption. Nginx allows us to protect the ElasticSearch cluster and to control which HTTP methods are allowed and which are not.

To install Nginx on your Ubuntu 14.04 machine follow these steps:

To start the Nginx service

or stop it

Basic configuration

This configuration file defines the port the server listens on (9200 in the example) and a proxy location (in the example ElasticSearch is running on port 9100). The user and password details are defined in the esLogin file.

To define a new password file, the tool htpasswd (or similar) can be used.
To create a new user (guest) and save the information to a file (esLogin), run:
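The following server block is an added example of such a configuration (not the author's original file). It assumes Nginx listens on 9200, ElasticSearch is bound to 127.0.0.1:9100 so it is not reachable except through the proxy, and the password file created above lives at /etc/nginx/esLogin.

```nginx
# Added example: Nginx in front of ElasticSearch with basic auth and
# method filtering. Assumed paths and ports, see the lead-in above.
events {}

http {
    upstream elasticsearch {
        # ElasticSearch node; bind it to localhost so only Nginx can reach it
        server 127.0.0.1:9100;
        keepalive 16;
    }

    server {
        # Port exposed to clients
        listen 9200;
        server_name _;

        location / {
            # Basic auth: a request without a valid Authorization header gets 401
            auth_basic           "ElasticSearch";
            auth_basic_user_file /etc/nginx/esLogin;

            # Only these methods (HEAD is implied by GET) reach ElasticSearch;
            # anything else, DELETE included, is answered with 403
            limit_except GET POST PUT HEAD {
                deny all;
            }

            proxy_pass http://elasticsearch;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

Run `nginx -t` after editing to validate the syntax before reloading; with PUT still allowed, index mappings and documents can be created, while index deletion stays blocked at the proxy.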

To load the configuration file into Nginx use the following command:

After this your Nginx proxy should be up and running!
We can check the proxy configuration with cURL. Executing an HTTP GET against the proxy without an auth header will give us an HTTP 401 error.

401

Running an HTTP DELETE will give us an HTTP 403 error (in the config file we denied the HTTP DELETE method).

403

In this way we have secured our ElasticSearch cluster by adding basic HTTP authentication and protection against accidental HTTP DELETE requests (which can destroy our data with no way back). If you really need to delete your data you can run the DELETE command from inside the cluster, bypassing the proxy.

The use of Nginx is, as far as I know, the best (free) solution due to the simplicity of its configuration and the low resource usage of the proxy server (you can even run it on the ES master node of the cluster and balance requests between the nodes).

You can find more information about the ElasticSearch and Nginx integration on the official blog: https://www.elastic.co/blog/playing-http-tricks-nginx

Matteo