Protecting my data

danielr · November 28, 2013, 8:37pm

Here's a question I couldn't find an answer to by searching the web..
How do I protect my data from being attacked by hostile sources?

I mean.. does anyone who has my server's ip can just send a DELETE request
and kill my index?

I found solutions like reverse http and proxy servers.
But is there no out of the box one?

10X

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/5c56bd68-df96-49df-b21b-d9a530fe0e25%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

dadoonet · November 28, 2013, 8:50pm

No. Nothing out of the box.
Nginx is nice for that.

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr

Le 28 novembre 2013 at 21:37:15, DanielR (danielrastaziv@gmail.com) a écrit:

Here's a question I couldn't find an answer to by searching the web..
How do I protect my data from being attacked by hostile sources?

I mean.. does anyone who has my server's ip can just send a DELETE request and kill my index?

I found solutions like reverse http and proxy servers.
But is there no out of the box one?

10X

You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/5c56bd68-df96-49df-b21b-d9a530fe0e25%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/etPan.5297ac86.8f2b15e.3e14%40MacBook-Air-de-David.local.
For more options, visit https://groups.google.com/groups/opt_out.

danielr · November 28, 2013, 9:02pm

Ok.. that's what i thought..
also. I found this plugin supported by elasticsearch that can configure
nginx for me.

Do you know anything about it?

On Thursday, November 28, 2013 10:50:14 PM UTC+2, David Pilato wrote:

No. Nothing out of the box.
Nginx is nice for that.

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet https://twitter.com/dadoonet | @elasticsearchfrhttps://twitter.com/elasticsearchfr

Le 28 novembre 2013 at 21:37:15, DanielR (danielr...@gmail.com<javascript:>)
a écrit:

Here's a question I couldn't find an answer to by searching the web..
How do I protect my data from being attacked by hostile sources?

I mean.. does anyone who has my server's ip can just send a DELETE request
and kill my index?

I found solutions like reverse http and proxy servers.
But is there no out of the box one?

10X

You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/5c56bd68-df96-49df-b21b-d9a530fe0e25%40googlegroups.com
.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/a81acc13-7ce4-4999-861a-3a0840b6ccf7%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

karmi · November 28, 2013, 9:48pm

I found this plugin supported by elasticsearch that can configure nginx
for me.

GitHub - sous-chefs/elasticsearch: Development repository for the elasticsearch cookbook

See the GitHub - sous-chefs/elasticsearch: Development repository for the elasticsearch cookbook
section of the README: the cookbook allows you to define the users and
passwords, and automatically installs and configures Nginx with these
settings. You can check it with the provided Vagrant configuration, or you
can follow this tutorial:
Elasticsearch Platform — Find real-time answers at scale | Elastic

For an example of denying methods in Nginx configuration, see e.g. this
StackOverflow answer: lua - nginx proxy_pass based on whether request method is POST, PUT or DELETE - Stack Overflow

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/be9941af-a7f4-4c7b-bf10-6abcef508008%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

danielr · November 28, 2013, 9:52pm

I think i got it!
but what if a already have ES installed.
Do i really need to start all over again??

On Thursday, November 28, 2013 11:48:08 PM UTC+2, Karel Minařík wrote:

I found this plugin supported by elasticsearch that can configure nginx

for me.

GitHub - sous-chefs/elasticsearch: Development repository for the elasticsearch cookbook

See the
GitHub - sous-chefs/elasticsearch: Development repository for the elasticsearch cookbook of the README: the cookbook allows you to define the users and
passwords, and automatically installs and configures Nginx with these
settings. You can check it with the provided Vagrant configuration, or you
can follow this tutorial:
Elasticsearch Platform — Find real-time answers at scale | Elastic

For an example of denying methods in Nginx configuration, see e.g. this
StackOverflow answer: lua - nginx proxy_pass based on whether request method is POST, PUT or DELETE - Stack Overflow

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/d4d778e1-ea2e-46e8-b77e-9d7926300343%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

karmi · November 28, 2013, 10:42pm

No, you can install just the proxy with the Chef cookbook, or you can extract the configuration and set up Nginx separately.

Karel

On 28. 11. 2013, at 22:52, DanielR danielrastaziv@gmail.com wrote:

I think i got it!
but what if a already have ES installed.
Do i really need to start all over again??

On Thursday, November 28, 2013 11:48:08 PM UTC+2, Karel Minařík wrote:

I found this plugin supported by elasticsearch that can configure nginx for me.

GitHub - sous-chefs/elasticsearch: Development repository for the elasticsearch cookbook

See the GitHub - sous-chefs/elasticsearch: Development repository for the elasticsearch cookbook section of the README: the cookbook allows you to define the users and passwords, and automatically installs and configures Nginx with these settings. You can check it with the provided Vagrant configuration, or you can follow this tutorial: Elasticsearch Platform — Find real-time answers at scale | Elastic

For an example of denying methods in Nginx configuration, see e.g. this StackOverflow answer: lua - nginx proxy_pass based on whether request method is POST, PUT or DELETE - Stack Overflow

Karel

--
You received this message because you are subscribed to a topic in the Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/elasticsearch/xPoCuSKkX40/unsubscribe.
To unsubscribe from this group and all its topics, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/d4d778e1-ea2e-46e8-b77e-9d7926300343%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/E99E5DBA-0EAF-4F67-9B59-0434AA6B4B5A%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

danielr · November 29, 2013, 3:40pm

so all need to do is install chef cookbook and configure proxy in my
run_list?
and it will work for my existing Elasticsearch installation?

On Friday, November 29, 2013 12:42:11 AM UTC+2, Karel Minařík wrote:

No, you can install just the proxy with the Chef cookbook, or you can
extract the configuration and set up Nginx separately.

Karel

On 28. 11. 2013, at 22:52, DanielR <danielr...@gmail.com <javascript:>>
wrote:

I think i got it!
but what if a already have ES installed.
Do i really need to start all over again??

On Thursday, November 28, 2013 11:48:08 PM UTC+2, Karel Minařík wrote:

I found this plugin supported by elasticsearch that can configure nginx

for me.

GitHub - sous-chefs/elasticsearch: Development repository for the elasticsearch cookbook

See the
GitHub - sous-chefs/elasticsearch: Development repository for the elasticsearch cookbook of the README: the cookbook allows you to define the users and
passwords, and automatically installs and configures Nginx with these
settings. You can check it with the provided Vagrant configuration, or you
can follow this tutorial:
Elasticsearch Platform — Find real-time answers at scale | Elastic

For an example of denying methods in Nginx configuration, see e.g. this
StackOverflow answer: lua - nginx proxy_pass based on whether request method is POST, PUT or DELETE - Stack Overflow

Karel

--
You received this message because you are subscribed to a topic in the
Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/elasticsearch/xPoCuSKkX40/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/d4d778e1-ea2e-46e8-b77e-9d7926300343%40googlegroups.com
.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/a463d1af-b0a0-4197-9fbe-549762acb0bd%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

karmi · November 29, 2013, 4:03pm

so all need to do is install chef cookbook and configure proxy in my run_list?

Yes, download the cookbook to the server (scp, knife upload, etc), and include "elasticsearch::proxy" in your run_list.

Configure the Nginx proxy accordingly. See e.g. https://github.com/elasticsearch/cookbook-elasticsearch/blob/master/Vagrantfile#L151-L153

and it will work for my existing Elasticsearch installation?

By default, it will point to localhost:9200, see https://github.com/elasticsearch/cookbook-elasticsearch/blob/master/templates/default/elasticsearch_proxy.conf.erb#L26

By the way, do notice that the stock template doesn't provide any filtering of HTTP methods, as you originally wanted.

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/D3774514-C08B-4650-9D4C-3B17DAF0D1E4%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

danielr · November 29, 2013, 4:13pm

my node.json looks like this:

{

"run_list": ["recipe[elasticsearch::plugins]",

            "recipe[elasticsearch::nginx]",

            "recipe[elasticsearch::proxy]" ],


"plugins" : {

  "karmi/elasticsearch-paramedic" : {}

},


"nginx" : {

  "users" : [ { "username" : "USERNAME", "password" : "PASSWORD" } ],

  "allow_cluster_api" : true

}

}

and i keep getting the same error

"Chef::Exceptions::CookbookNotFound: Cookbook elasticsearch not found. If
you're loading elasticsearch from another cookbook, make sure you configure
the dependency in your metadata"

I think maybe I extracted it in the wrong directory..

On Friday, November 29, 2013 6:03:22 PM UTC+2, Karel Minařík wrote:

so all need to do is install chef cookbook and configure proxy in my
run_list?

Yes, download the cookbook to the server (scp, knife upload, etc), and
include "elasticsearch::proxy" in your run_list.

Configure the Nginx proxy accordingly. See e.g.
https://github.com/elasticsearch/cookbook-elasticsearch/blob/master/Vagrantfile#L151-L153

and it will work for my existing Elasticsearch installation?

By default, it will point to localhost:9200, see
https://github.com/elasticsearch/cookbook-elasticsearch/blob/master/templates/default/elasticsearch_proxy.conf.erb#L26

By the way, do notice that the stock template doesn't provide any
filtering of HTTP methods, as you originally wanted.

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/5f58f846-04c5-41dd-937d-4d09df940db7%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

karmi · November 29, 2013, 4:23pm

and i keep getting the same error

"Chef::Exceptions::CookbookNotFound: Cookbook elasticsearch not found. If you're loading elasticsearch from another cookbook, make sure you configure the dependency in your metadata"

I think maybe I extracted it in the wrong directory..

Yes, that might be true -- maybe follow some tutorial from Opscode to set up your system correctly.

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/B3ED98AA-D019-41C7-9CE3-28386D6CB8A0%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

danielr · December 1, 2013, 6:32am

Gave up on the cookbook..
I just went and installed nginx myself.

If i got that right, I need to use ngx_http_dav_module and deny PUT and
DELETE requests, Right?

But no i have a different problem!

On Friday, November 29, 2013 6:23:48 PM UTC+2, Karel Minařík wrote:

and i keep getting the same error

"Chef::Exceptions::CookbookNotFound: Cookbook elasticsearch not found.
If you're loading elasticsearch from another cookbook, make sure you
configure the dependency in your metadata"

I think maybe I extracted it in the wrong directory..

Yes, that might be true -- maybe follow some tutorial from Opscode to set
up your system correctly.

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/e7b6d986-355e-4164-b54c-879e7d7ccab1%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

jprante · December 1, 2013, 10:13am

It's easy as that

server {
location / { limit_except PUT DELETE {
proxy_pass http://127.0.0.1:9200;
}
}}

Jörg

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAKdsXoHmPGqvW4gGTzFOviLbuS_p_wYGgZpVov%2BM8c8gEiO%2BPA%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

danielr · December 1, 2013, 9:26pm

10X!
that worked

On Sunday, December 1, 2013 12:13:13 PM UTC+2, Jörg Prante wrote:

It's easy as that

server {
location / { limit_except PUT DELETE {
proxy_pass http://127.0.0.1:9200;
}
}}

Jörg

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/8d78b939-7601-48e4-96ba-6b19e8853ba6%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.