NGINX as reverse proxy to Elasticsearch coordinator nodes

Hi
I'm trying to set up NGINX in front of Elasticsearch in my environment:
- I have a problem with the correct configuration for connecting NGINX over TLS to my nodes.

Below you can find my configuration; maybe you can point out what's wrong.

In this part I'm also using a crt and key per node, so I need to break it down into groups/locations.
Do you have some example configs with TLS?

  # Excerpt of the /upstream location from the nginx.conf shown further down;
  # the closing brace and the proxy_ssl_verify directives are not part of it.
  location /upstream {
            # Forward requests over TLS to the "elasticsearch_servers" group.
            proxy_pass https://elasticsearch_servers;
            # Client certificate and private key nginx presents to the nodes.
            proxy_ssl_certificate /etc/ssl/certs/coordination_1.crt;
            proxy_ssl_certificate_key /etc/ssl/certs/coordination_1.key;
            # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996);
            # restrict this list to TLSv1.2 and newer.
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_ciphers HIGH:!aNULL:!MD5;
            # CA used to validate the node certificates; it is only consulted
            # when proxy_ssl_verify is on.
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca.crt;

nginx.conf


events {
    # Maximum simultaneous connections per worker process (default: 1024).
    worker_connections 4096;
}

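http {
    #...

    # Group of Elasticsearch coordinating nodes that /upstream is balanced
    # across.
    upstream elasticsearch_servers {
        # Shared-memory zone for the group's configuration and state.
        zone elasticsearch_servers 64K;
        server 10.242.130.225:9201;
        server 10.242.130.226:9238;
        server 10.242.130.227:9219;
    }

    # Entry point for clients.
    # NOTE(review): this listener is plain HTTP, so the client -> nginx hop is
    # unencrypted even though nginx -> Elasticsearch uses TLS. Switching to
    # `listen 9200 ssl;` also requires ssl_certificate and
    # ssl_certificate_key in this server block.
    server {
        listen 9200;
        server_name 10.242.130.225;
        #...

        location /upstream {
            proxy_pass https://elasticsearch_servers;

            # Client certificate and private key nginx presents to the nodes.
            # NOTE(review): the file names suggest this is node 1's own key
            # pair - confirm; a certificate issued for the proxy itself keeps
            # node keys off the proxy host. The key sits next to public
            # certificates in /etc/ssl/certs, so check that it is readable
            # only by the nginx user.
            proxy_ssl_certificate /etc/ssl/certs/coordination_1.crt;
            proxy_ssl_certificate_key /etc/ssl/certs/coordination_1.key;

            # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and were dropped from
            # this list; TLSv1.2 remains, so existing nodes keep working.
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_ciphers HIGH:!aNULL:!MD5;

            # Validate each node certificate against the CA. With verification
            # on, nginx also matches the certificate name against
            # proxy_ssl_name, which defaults to the host part of proxy_pass -
            # here the group name "elasticsearch_servers". Unless every node
            # certificate carries that name, the handshake is rejected; set
            # proxy_ssl_name to a name present in all node certificates:
            # proxy_ssl_name <name-present-in-every-node-certificate>;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca.crt;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_session_reuse on;
        }
    }

    # TLS listener using the coordination_1 certificate.
    # NOTE(review): `ssl_verify_client optional` requests a client certificate
    # but still accepts connections without one, and nothing visible in this
    # block checks $ssl_client_verify, so client authentication is not
    # enforced. Use `ssl_verify_client on;` if every caller must present a
    # certificate signed by ca.crt. The same applies to the two server blocks
    # that follow.
    server {
        listen 9201 ssl;
        server_name 10.242.130.225;
        ssl_certificate /etc/ssl/certs/coordination_1.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_1.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;

        location /yourapp {
            # NOTE(review): no port is given, so this targets
            # 10.242.130.225:443, and no proxy_ssl_verify is visible here
            # (its default is off), so the backend certificate is not
            # validated on this path - confirm both are intended.
            proxy_pass https://10.242.130.225;
            #...
        }
    }

    # TLS listener using the coordination_2 certificate.
    server {
        listen 9238 ssl;
        server_name 10.242.130.226;
        ssl_certificate /etc/ssl/certs/coordination_2.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_2.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;

        location /yourapp {
            # NOTE(review): server_name is 10.242.130.226 but the request is
            # proxied to 10.242.130.225 - possibly a copy/paste leftover.
            proxy_pass https://10.242.130.225;
            #...
        }
    }

    # TLS listener using the coordination_3 certificate.
    server {
        listen 9219 ssl;
        server_name 10.242.130.227;

        ssl_certificate /etc/ssl/certs/coordination_3.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_3.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;

        location /yourapp {
            # NOTE(review): server_name is 10.242.130.227 but the request is
            # proxied to 10.242.130.225 - possibly a copy/paste leftover.
            proxy_pass https://10.242.130.225;
            #...
        }
    }
}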

and docker-compose file:

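version: "3.3"

services:
  nginx_load_balancer:
    # NOTE(review): an untagged image resolves to `latest`; pin a specific tag
    # or digest (nginx:<version>) so a re-pull cannot silently change the
    # proxy.
    image: nginx
    volumes:
      # nginx only reads its configuration, certificates and private keys, so
      # every mount is read-only: a compromised container cannot alter the
      # key material on the host.
      - /home/elasticsearch/kickstart_elk_cluster/nginx_1.conf:/etc/nginx/nginx.conf:ro
      - /home/elasticsearch/certificates/es_coordination_3/es_coordination_3.crt:/etc/ssl/certs/coordination_3.crt:ro
      - /home/elasticsearch/certificates/es_coordination_3/es_coordination_3.key:/etc/ssl/certs/coordination_3.key:ro
      - /home/elasticsearch/certificates/es_coordination_2/es_coordination_2.crt:/etc/ssl/certs/coordination_2.crt:ro
      - /home/elasticsearch/certificates/es_coordination_2/es_coordination_2.key:/etc/ssl/certs/coordination_2.key:ro
      - /home/elasticsearch/certificates/es_coordination_1/es_coordination_1.crt:/etc/ssl/certs/coordination_1.crt:ro
      - /home/elasticsearch/certificates/es_coordination_1/es_coordination_1.key:/etc/ssl/certs/coordination_1.key:ro
      - /home/elasticsearch/certificates/ca/ca.crt:/etc/ssl/certs/ca.crt:ro
    ports:
      # The nginx.conf shown on this page listens on 9200 inside the container
      # and has no listener on 80, so the container side of the mapping must
      # be 9200.
      - "9200:9200"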

Should I change this part from `listen 9200;` to `listen 9200 ssl;`?

server {
        listen 9200;

listen 9200 ssl;
