GeoIP Service Elasticsearch requires connection to storage.googleapis.com

marmai16 · October 10, 2024, 9:55am

Hello everyone,

i'am currently trying to setup the geoip service of elasticsearch.

I'am mainly following the steps outlined in the documentation:

Now i came across the circumstance that the geoip service requires to connect to "storage.googleapis.com".

I would like to avoid to open up the firewall entirely for this domain.

Have any of you already had experience with this topic and maybe found the means, how one could further restrict this to e.g. particular subdomains ?

There is an open issue in this regard, however it unfortunately remains unresolved.

github.com/elastic/elasticsearch

[geoip] GeoIP download service requires client connection to storage.googleapis.com

opened 10:48AM - 27 May 22 UTC

eedugon

>enhancement :Data Management/Ingest Node Team:Data Management

### Description When calling into the GeoIP download service hosted by Elasti…c a URL for storage.googleapis.com is returned. The expectation is that the client (in this case Elasticsearch) needs to use that URL to download the MaxMind binary. For example: ``` curl -v https://geoip.elastic.co/v1/database?elastic_geoip_service_tos=agree ``` returns ``` [{"age":161147,"md5_hash":"5aeeec352b14508c55a028afd2842c4a","name":"GeoLite2-ASN.tgz","provider":"maxmind","updated":1652745666,"url":"https://storage.googleapis.com/elastic-paisano-production/maxmind/GeoLite2-ASN.tgz?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=elastic-paisano-production%40elastic-apps-163815.iam.gserviceaccount.com%2F20220517%2Fhenk%2Fstorage%2Fgoog4_request&X-Goog-Date=20220517T145441Z&X-Goog-Expires=86400&X-Goog-SignedHeaders=host&X-Goog-Signature=9eb2bc85bbea28d698caeaebf1b31770652179b97833b13de97d4535156ac472de00a33e6b5cbba92ad73a7a1ff044dce9b41b1325f7691f210ae487e4786edf9469c107e07e0c7e57100626d5cce2852ec754376165959f2478d84e968b094e9a0c839fb74fcf0060de8ebd6385222a35565db70ee3bed7d67176cecf2a1f8b212a048957655ec6fad5e6204e8cb2894b6aca39b1fecda1daa7bcf706822cab1edd9cbeccdd9aadaf491963c8836ac41ceda3a44a155871aeb04fc2ade63547770455ff37230deb6cb0708f4c5fb62c61ac3884ada46a34d450f6c1eeb5080a9893a70d65d77fd8957a38cb56856235be84adc10ccdb82a79c465ea6c3d9cd9"},{"age":160322,"md5_hash":"59604824545074e1091d6c044288c08d","name":"GeoLite2-City.tgz","provider":"maxmind","updated":1652745667,"url":"https://storage.googleapis.com/elastic-paisano-production/maxmind/GeoLite2-City.tgz?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=elastic-paisano-production%40elastic-apps-163815.iam.gserviceaccount.com%2F20220517%2Fhenk%2Fstorage%2Fgoog4_request&X-Goog-Date=20220517T145441Z&X-Goog-Expires=86400&X-Goog-SignedHeaders=host&X-Goog-Signature=2bbb45b66979524d9c540de5087a607f137aaff0ca09803147362b6678d04efa48b301e02cc69d2958e8999a867100ebb1d3461f1152e6f37cf5987459e3dbb032c0dc6ebdaf1b8d470e11a0b32e3a35a1bf97213eda3301da5a4634ae80cf452c97802f252f0a6aa928e0b2ce43900f92fbe537a0725a44150b42840c2cc92513ed1476e65069262cfe49093a7ad80071632f1c88dfb7839bba0e4dd0070c57423ed69102302afad0b087f3b607255bdb66296b43bcf8babb13205cefe9ea3c6f63bb3218c735af07ab6327958e8f00e4be0fdc16f2a721d463cdde9663b583c2906e43b91601ba40e19836a5bc0b6da548893971e72f6220c980d1f16a2e43"},{"age":160718,"md5_hash":"20aa89b8c4dfd19279c029913dbaf* Connection #0 to host geoip.elastic.co left intact 8a2","name":"GeoLite2-Country.tgz","provider":"maxmind","updated":1652745666,"url":"https://storage.googleapis.com/elastic-paisano-production/maxmind/GeoLite2-Country.tgz?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=elastic-paisano-production%40elastic-apps-163815.iam.gserviceaccount.com%2F20220517%2Fhenk%2Fstorage%2Fgoog4_request&X-Goog-Date=20220517T145441Z&X-Goog-Expires=86400&X-Goog-SignedHeaders=host&X-Goog-Signature=1cb0a55115b5a34447475ec3b47ea2ca0d5b46e3adb4ed19bfd3f247eff71a8adade1c19a42b86b42f5ee2a4dea4ce5ee414c832d608039af3dd77df236081d81ac8cfc1a06caa47fd52568549bfbee768c9d00e24a31874762979b2910f71b3a051b80d60e6be000cf510253d229003a4bdb42fd06212377020b9307cfa6c9f2518b86910baa0fa6d4443b63d5f9ab14fe544c0f1c2279205bad281f619a34945cc1779896a0452e815a3652d10c9c7d8f568a3c095e967abb30d8cb9c3f85030ce00984f33f1abdb5c0aafb2faab2257beb63bfb164b21dba742cdda2c85f29703002a2e747a39f1172208625c32be920b2bb1bc50a7a70e8219a2a81cfe8f"}] ``` In most cases this works fine. However, there are some security conscientious users that don't want to have to talk directly to storage.googleapis.com (to minimize the number of possible 3rd parties they reach out to). Additionally, this extra call makes the (mostly) air gapped + local proxy configuration and possibly trust store (TLS certs) configuration a bit more challenging, also forcing the users to open in their firewalls the entire `storage.googleapis.com` domain. We would like to change this and use either subdomains (`xxx.storage.googleapis.com`, which could be configured in firewalls in a better way) or embed everything in `elastic.co` addresses (proxying it in Elastic public infrastructure).

Thank you!

Topic		Replies	Views
GeoIP problems Elasticsearch	9	36	November 1, 2024
Issues with GeopIP resolution Elasticsearch	5	427	November 4, 2020
Self host cluster no geoip data Elasticsearch	5	146	May 24, 2024
Disable geoip Elasticsearch docker	3	4639	April 29, 2022
Can you manually curl geoip.elastic.co to get geo data? Elasticsearch	3	946	February 9, 2022

GeoIP Service Elasticsearch requires connection to storage.googleapis.com

Related topics