How to Restrict Enterprise Search to a specific Domain Origin

MCL · March 2, 2021, 7:01am

Hi,

We just set up enterprise search for our website. We use the query suggestion api (/api/as/v1/engines/{ENGINE_NAME}/query_suggestion) on our frontend.

Since our endpoint and public key are exposed, how can we restrict so that the api only allows requests from our domain?

I tried to set up CORS by adding these two lines to elasticsearch.yml

http.cors.enabled: true
http.cors.allow-origin: https://www.domain.com

But it doesn't seem to work. I can still access the api from another domain.

What's the right way to restrict the origin?

Thanks!

Irina_Truong · March 2, 2021, 7:01pm

Great question! I wish I had a great answer. Right now, there's no out-of-the-box support for this feature in Enterprise Search. You might be able to achieve this by proxying requests through nginx (or similar) and configuring CORS on that level.

MCL · March 3, 2021, 1:37am

Great, thanks for the suggestion. Latency might be an issue but I'll have to give it a try to know

oleksiy-elastic · March 3, 2021, 2:32pm

Latency should not be a huge issue as long as the proxy is located near the Enterprise Search cluster. If you're running a self-managed deployment, running in the same VM or, at least, the same availability zone is recommended. For Elastic Cloud deployments, I'd recommend using the same cloud provider and the same region as your deployment. Then the extra latency should be sub-1ms.

constancecchen · March 3, 2021, 5:28pm

I've also filed an internal enhancement request for potentially adding this Enterprise Search config option in the future. Thanks so much for the suggestion @MCL!