Secure Your Elasticsearch Cluster With Basic Auth Using Nginx and SSL From Letsencrypt
In this tutorial we will set up a reverse proxy using nginx to proxy and load balance traffic through to our elasticsearch nodes. We will also protect our elasticsearch cluster with basic auth and use letsencrypt to retrieve free SSL certificates.
We want to allow certain requests to bypass authentication, such as getting the status of the cluster, and enforce authentication for others, such as indexing and deleting data.
Install Nginx:
Install nginx and apache2-utils; the latter provides the htpasswd tool used to create the basic auth credentials file:
$ apt install nginx apache2-utils -y
Configure Nginx for Reverse Proxy
We want to access our nginx proxy on port 80 (0.0.0.0:80) and have requests proxied through to the elasticsearch nodes on their private addresses, 10.0.0.10:9200 and 10.0.0.11:9200. Traffic will be load balanced between the 2 nodes. Make sure the nodes listen only on those private addresses and that port 9200 is not reachable from outside the private network, otherwise the proxy and its authentication can simply be bypassed. Note also that basic auth only base64-encodes the credentials, so over plain port 80 they travel in the clear; the SSL section below takes care of that.
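An nginx configuration implementing what this section describes, added here as an example; it is not the original post's config. It assumes the file is saved as /etc/nginx/sites-available/elasticsearch, that the credentials file is /etc/nginx/.htpasswd, and that the two node addresses are the private addresses above. It goes a little beyond the text by adding failover between the nodes and by whitelisting two specific status endpoints (the root banner and /_cluster/health) rather than all GET requests, so that reading index data still requires credentials.

```nginx
# Added example (not from the original post): /etc/nginx/sites-available/elasticsearch
# Create the credentials file first (bcrypt hashes; -c creates the file):
#   htpasswd -B -c /etc/nginx/.htpasswd admin

upstream elasticsearch {
    # Round-robin between the two private nodes. A node that fails 3 times
    # is taken out for 30s so requests fail over to the other one.
    server 10.0.0.10:9200 max_fails=3 fail_timeout=30s;
    server 10.0.0.11:9200 max_fails=3 fail_timeout=30s;
}

server {
    listen 0.0.0.0:80;
    server_name myproxy.domain.com;

    # Default: everything (indexing, deleting, searching, _cat APIs) needs credentials.
    location / {
        auth_basic           "Elasticsearch";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass           http://elasticsearch;
        proxy_set_header     Host $host;
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Status endpoints readable without credentials. Exact-match locations (=)
    # so only these two paths bypass auth, not anything that starts with them.
    location = /_cluster/health {
        auth_basic       off;
        proxy_pass       http://elasticsearch;
        proxy_set_header Host $host;
    }
    location = / {
        auth_basic       off;
        proxy_pass       http://elasticsearch;
        proxy_set_header Host $host;
    }
}
```

Enable it with `ln -s /etc/nginx/sites-available/elasticsearch /etc/nginx/sites-enabled/`, then `nginx -t && systemctl reload nginx`. To check the split is right: `curl -i http://myproxy.domain.com/_cluster/health` should return 200 without credentials, while `curl -i http://myproxy.domain.com/_cat/indices` should return 401 until you add `-u admin:admin`.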
Now make requests to elasticsearch via your nginx reverse proxy:
$ curl -H 'Content-Type: application/json' -u 'admin:admin' http://myproxy.domain.com/_cat/indices?v
health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   first-index 1o6yM7tCSqagqoeihKM7_g   5   1          3            0     40.6kb         20.3kb
Letsencrypt SSL Certificates
Add free SSL certificates to your reverse proxy. With certbot installed, request a certificate for the proxy's hostname using the manual DNS-01 challenge (validation happens through a TXT record, so this works even if port 80 is not reachable from the internet):
$ certbot --manual certonly -d myproxy.domain.com -m my@email.com --preferred-challenges dns --agree-tos
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for myproxy.domain.com
You will be prompted to make a DNS change, since we requested the DNS challenge. While this prompt is waiting, go to your DNS provider, create the TXT record shown below, and confirm it has propagated (for example with dig TXT _acme-challenge.myproxy.domain.com) before pressing Enter. Because this is a manual challenge, a later certbot renew cannot repeat it non-interactively unless you supply a --manual-auth-hook script that creates the TXT record for you; plan for that before the expiry date certbot prints.
Please deploy a DNS TXT record under the name
_acme-challenge.myproxy.domain.com with the following value:
xLP4y_YJvdAK7_aZMJ50gkudTDeIC3rX0x83aNJctGw
Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/myproxy.domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/myproxy.domain.com/privkey.pem
Your cert will expire on 2019-07-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Update Nginx Config
Now that we have our SSL certificates, we need to update our nginx config to enable SSL, redirect HTTP to HTTPS, and point ssl_certificate and ssl_certificate_key at the fullchain.pem and privkey.pem files that certbot wrote to /etc/letsencrypt/live/myproxy.domain.com/. After editing, run nginx -t to validate the config and reload nginx; the same reload is needed after every renewal, because nginx only reads the certificate files at startup or reload.
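The final configuration with SSL enabled, added here as an example and not taken from the original post. It assumes the certificate paths certbot printed above, the credentials file /etc/nginx/.htpasswd, and the same two private node addresses; the HTTP server block now only redirects, and the proxy and basic auth live in the HTTPS server block.

```nginx
# Added example (not from the original post): /etc/nginx/sites-available/elasticsearch
# Assumes the letsencrypt paths printed by certbot and /etc/nginx/.htpasswd.

upstream elasticsearch {
    server 10.0.0.10:9200 max_fails=3 fail_timeout=30s;
    server 10.0.0.11:9200 max_fails=3 fail_timeout=30s;
}

# Plain HTTP: redirect everything to HTTPS so credentials never travel in the clear.
server {
    listen 80;
    server_name myproxy.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name myproxy.domain.com;

    ssl_certificate           /etc/letsencrypt/live/myproxy.domain.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/myproxy.domain.com/privkey.pem;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Everything except the whitelisted status endpoint requires credentials.
    location / {
        auth_basic           "Elasticsearch";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass           http://elasticsearch;
        proxy_set_header     Host $host;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto https;
    }

    # Cluster status stays readable without credentials (exact match only).
    location = /_cluster/health {
        auth_basic       off;
        proxy_pass       http://elasticsearch;
        proxy_set_header Host $host;
    }
}
```

Apply it with `nginx -t && systemctl reload nginx`. A quick check: `curl -I http://myproxy.domain.com/_cluster/health` should now answer with a 301 to the https URL, and `curl -u admin:admin https://myproxy.domain.com/_cat/indices?v` should return the index listing over TLS. When you set up renewal, pass `--deploy-hook "systemctl reload nginx"` to certbot so the reloaded nginx picks up the new certificate files.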