Elasticsearch Ip restriction using NGINX

navyagoli · June 28, 2017, 4:00pm

Hi,

I have elasticsearch instance running in my linux server on xxx.xxx.1.75: 9201.

I have installed and configured NGINX on another server xxx.xx.1.89 and set the proxy for the elasticsearch to be running on port 5001i.e., it is able to access from xxx.xxx.1.89:5001.

But when I try to access the elasticsearch using port xxx.xxx.1.75:9201 it is running good, which I don't want to happen.

I want to restrict the access of elasticsearch cluster only through NGINX reverse proxy server i.e., xxx.xx.1.89:5001 but not directly from xxx.xx.1.75:9201.

Please help me to solve this.

thanks.

niraj_kumar · June 29, 2017, 4:50pm

Can you describe more about your environment? Like whether it is on cloud, on-premise infra.

If you are on cloud like AWS, GCE , Azure you can restrict the data layer ( ES ) using security groups, to be accessible only from the nginx which will be your public facing server.

I am not sure whether you can do it on an on-premise with no access to firewall. If you can nginx on the same instance where ES is installed you can make elasticsearch listen on localhost instead of IP and route nginx proxy to 127.0.0.1:9201 instead. Which will allow only nginx to talk to elasticsearch.

--
Niraj

navyagoli · June 30, 2017, 8:14am

My environment is an on premise environment.

Is there any way to change elasticsearch.yml file by changing "http.host " so that elasticsearch is restricted by nginx of other server.

I have tried with http.host: 127.0.0.1 in elasticsearch.yml and configured that in nginx.conf as 127.0.0.1:9001 previously and it is working fine.

The only thing I want to do is to access this elasticsearch from other nginx reverse proxy server.

Help me solve this.

thanks

niraj_kumar · June 30, 2017, 10:01pm

Well you can try a iptables trick something like this.

iptables -A INPUT -p tcp --dport 22 -s YourIP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Replace the port 22 with the elasticsearch port and YOUR IP with IP of nginx.

navyagoli · July 3, 2017, 1:25pm

I used the command :

sudo firewall-cmd --zone=trusted --add-source=xxx.xx.1.75 to allow the traffic from elasticsearch to the NGINX server on xxx.xx.1.89.

And tried to access it through nginx by specifying it in nginx.conf.

Still it show 502 BAD Gateway error.

niraj_kumar · July 3, 2017, 4:21pm

Did you try telnetting from nginx server to check whether nginx can talk to that port. And also trying it from different system whether the firewall actually worked.

navyagoli · July 4, 2017, 4:20pm

Thank you very much for the assistance.

I followed your suggestions and resolved the issue.

niraj_kumar · July 5, 2017, 6:14pm

Glad it worked for you.

system · August 2, 2017, 6:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.