I am thinking of putting Nginx in front of the Elasticsearch cluster to implement a basic Authentication mechanism as well as load balancing. The core idea is to have a user who can create indices and put data in them (not read or delete). Then there will be an admin user who will have all the privileges.
While the idea is in infancy there is one immediate issue. Although I can deny certain requests sent to cluster via Nginx instance, there is no way I can prevent someone doing something wrong if he/she knows the names of the Elasticsearch nodes.
My understanding is that I can just send a curl request to actual node bypassing the proxy and maybe clean the indices. Or is there a way to make cluster nodes reject requests made directly to them and serve only requests coming from the proxy (loadbalancer)?