Hello everyone,
I'm currently trying to set up the GeoIP service of Elasticsearch.
I'm mainly following the steps outlined in the documentation.
Now I came across the circumstance that the GeoIP service requires connecting to "storage.googleapis.com".
I would like to avoid opening up the firewall entirely for this domain.
Have any of you already had experience with this topic and maybe found a means to further restrict this, e.g. to particular subdomains?
There is an open issue in this regard; however, it unfortunately remains unresolved.
opened 10:48AM - 27 May 22 UTC
Labels: enhancement, :Data Management/Ingest Node, Team:Data Management
### Description
When calling into the GeoIP download service hosted by Elastic a URL for storage.googleapis.com is returned. The expectation is that the client (in this case Elasticsearch) needs to use that URL to download the MaxMind binary.
For example:
```
curl -v https://geoip.elastic.co/v1/database?elastic_geoip_service_tos=agree
```
returns
```
[
  {
    "age": 161147,
    "md5_hash": "5aeeec352b14508c55a028afd2842c4a",
    "name": "GeoLite2-ASN.tgz",
    "provider": "maxmind",
    "updated": 1652745666,
    "url": "https://storage.googleapis.com/elastic-paisano-production/maxmind/GeoLite2-ASN.tgz?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=elastic-paisano-production%40elastic-apps-163815.iam.gserviceaccount.com%2F20220517%2Fhenk%2Fstorage%2Fgoog4_request&X-Goog-Date=20220517T145441Z&X-Goog-Expires=86400&X-Goog-SignedHeaders=host&X-Goog-Signature=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"
  },
  {
    "age": 160322,
    "md5_hash": "59604824545074e1091d6c044288c08d",
    "name": "GeoLite2-City.tgz",
    "provider": "maxmind",
    "updated": 1652745667,
    "url": "https://storage.googleapis.com/elastic-paisano-production/maxmind/GeoLite2-City.tgz?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=elastic-paisano-production%40elastic-apps-163815.iam.gserviceaccount.com%2F20220517%2Fhenk%2Fstorage%2Fgoog4_request&X-Goog-Date=20220517T145441Z&X-Goog-Expires=86400&X-Goog-SignedHeaders=host&X-Goog-Signature=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"
  },
  {
    "age": 160718,
    "md5_hash": "20aa89b8c4dfd19279c029913dbaf8a2",
    "name": "GeoLite2-Country.tgz",
    "provider": "maxmind",
    "updated": 1652745666,
    "url": "https://storage.googleapis.com/elastic-paisano-production/maxmind/GeoLite2-Country.tgz?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=elastic-paisano-production%40elastic-apps-163815.iam.gserviceaccount.com%2F20220517%2Fhenk%2Fstorage%2Fgoog4_request&X-Goog-Date=20220517T145441Z&X-Goog-Expires=86400&X-Goog-SignedHeaders=host&X-Goog-Signature=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"
  }
]
* Connection #0 to host geoip.elastic.co left intact
```
In most cases this works fine.
However, there are some security-conscious users that don't want to have to talk directly to storage.googleapis.com (to minimize the number of possible third parties they reach out to).
Additionally, this extra call makes the (mostly) air-gapped + local proxy configuration and possibly trust store (TLS certs) configuration a bit more challenging, also forcing the users to open the entire `storage.googleapis.com` domain in their firewalls.
We would like to change this and use either subdomains (`xxx.storage.googleapis.com`, which could be configured in firewalls in a better way) or embed everything in `elastic.co` addresses (proxying it in Elastic public infrastructure).
Thank you!
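As an added example (not code from the forum post, the linked issue, or Elasticsearch itself): a small Python helper that works with the listing format shown in the issue. It derives the set of download hosts the firewall must allow, flags any host outside an expected allowlist, reads the expiry of the V4-signed storage URL from its `X-Goog-Date` and `X-Goog-Expires` parameters, and verifies a downloaded archive against the `md5_hash` the listing advertises. The sample listing and the `PLACEHOLDER` signature are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like the /v1/database response quoted in the
# issue above; the signature is a placeholder, not a real value.
SAMPLE_LISTING = json.dumps([{
    "age": 161147, "md5_hash": "5aeeec352b14508c55a028afd2842c4a",
    "name": "GeoLite2-ASN.tgz", "provider": "maxmind", "updated": 1652745666,
    "url": ("https://storage.googleapis.com/elastic-paisano-production/maxmind/"
            "GeoLite2-ASN.tgz?X-Goog-Algorithm=GOOG4-RSA-SHA256"
            "&X-Goog-Date=20220517T145441Z&X-Goog-Expires=86400"
            "&X-Goog-SignedHeaders=host&X-Goog-Signature=PLACEHOLDER"),
}])

# Hosts the GeoIP download path legitimately needs (assumed allowlist);
# anything else appearing in a listing deserves a look before widening rules.
EXPECTED_HOSTS = {"geoip.elastic.co", "storage.googleapis.com"}


def parse_listing(text):
    """Decode the database listing into a list of entry dicts."""
    return json.loads(text)


def download_hosts(entries):
    """Hostnames the firewall must allow for the listed download URLs."""
    return {urlsplit(e["url"]).hostname for e in entries}


def unexpected_hosts(entries, allowed=EXPECTED_HOSTS):
    """Download hosts outside the allowlist; an empty set is the healthy case."""
    return download_hosts(entries) - allowed


def signed_url_expiry(url):
    """ISO timestamp when a V4-signed URL stops working: X-Goog-Date + X-Goog-Expires."""
    params = parse_qs(urlsplit(url).query)
    signed_at = datetime.strptime(params["X-Goog-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    ttl = timedelta(seconds=int(params["X-Goog-Expires"][0]))
    return (signed_at + ttl).isoformat()


def md5_hex(data):
    """Hex MD5 of the archive bytes, matching the listing's md5_hash format."""
    return hashlib.md5(data).hexdigest()


def verify_archive(entry, data):
    """Check a downloaded .tgz (e.g. fetched via a proxy or mirror) against the listing."""
    return md5_hex(data) == entry["md5_hash"].lower()
```

Because `md5_hash` comes from the same listing as the URL, this check catches a corrupted or stale mirror copy, not a compromised listing; the listing itself is still only as trustworthy as the TLS connection to geoip.elastic.co.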