Protecting my data


(danielr) #1

Here's a question I couldn't find an answer to by searching the web..
How do I protect my data from being attacked by hostile sources?

I mean.. does anyone who has my server's ip can just send a DELETE request
and kill my index?

I found solutions like reverse http and proxy servers.
But is there no out of the box one?

10X :slight_smile:

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/5c56bd68-df96-49df-b21b-d9a530fe0e25%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(David Pilato) #2

No. Nothing out of the box.
Nginx is nice for that.

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr

Le 28 novembre 2013 at 21:37:15, DanielR (danielrastaziv@gmail.com) a écrit:

Here's a question I couldn't find an answer to by searching the web..
How do I protect my data from being attacked by hostile sources?

I mean.. does anyone who has my server's ip can just send a DELETE request and kill my index?

I found solutions like reverse http and proxy servers.
But is there no out of the box one?

10X :slight_smile:

You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/5c56bd68-df96-49df-b21b-d9a530fe0e25%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/etPan.5297ac86.8f2b15e.3e14%40MacBook-Air-de-David.local.
For more options, visit https://groups.google.com/groups/opt_out.


(danielr) #3

Ok.. that's what i thought..
also. I found this plugin supported by elasticsearch that can configure
nginx for me.

Do you know anything about it?

On Thursday, November 28, 2013 10:50:14 PM UTC+2, David Pilato wrote:

No. Nothing out of the box.
Nginx is nice for that.

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet https://twitter.com/dadoonet | @elasticsearchfrhttps://twitter.com/elasticsearchfr

Le 28 novembre 2013 at 21:37:15, DanielR (danielr...@gmail.com<javascript:>)
a écrit:

Here's a question I couldn't find an answer to by searching the web..
How do I protect my data from being attacked by hostile sources?

I mean.. does anyone who has my server's ip can just send a DELETE request
and kill my index?

I found solutions like reverse http and proxy servers.
But is there no out of the box one?

10X :slight_smile:

You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/5c56bd68-df96-49df-b21b-d9a530fe0e25%40googlegroups.com
.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/a81acc13-7ce4-4999-861a-3a0840b6ccf7%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Karel Minarik) #4

I found this plugin supported by elasticsearch that can configure nginx
for me.

https://github.com/elasticsearch/cookbook-elasticsearch

See the https://github.com/elasticsearch/cookbook-elasticsearch#nginx-proxy
section of the README: the cookbook allows you to define the users and
passwords, and automatically installs and configures Nginx with these
settings. You can check it with the provided Vagrant configuration, or you
can follow this tutorial:
http://www.elasticsearch.org/tutorials/deploying-elasticsearch-with-chef-solo/

For an example of denying methods in Nginx configuration, see e.g. this
StackOverflow answer: http://stackoverflow.com/a/8594977/95696

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/be9941af-a7f4-4c7b-bf10-6abcef508008%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(danielr) #5

I think i got it!
but what if a already have ES installed.
Do i really need to start all over again??

On Thursday, November 28, 2013 11:48:08 PM UTC+2, Karel Minařík wrote:

I found this plugin supported by elasticsearch that can configure nginx

for me.

https://github.com/elasticsearch/cookbook-elasticsearch

See the
https://github.com/elasticsearch/cookbook-elasticsearch#nginx-proxysection of the README: the cookbook allows you to define the users and
passwords, and automatically installs and configures Nginx with these
settings. You can check it with the provided Vagrant configuration, or you
can follow this tutorial:
http://www.elasticsearch.org/tutorials/deploying-elasticsearch-with-chef-solo/

For an example of denying methods in Nginx configuration, see e.g. this
StackOverflow answer: http://stackoverflow.com/a/8594977/95696

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/d4d778e1-ea2e-46e8-b77e-9d7926300343%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Karel Minarik) #6

No, you can install just the proxy with the Chef cookbook, or you can extract the configuration and set up Nginx separately.

Karel

On 28. 11. 2013, at 22:52, DanielR danielrastaziv@gmail.com wrote:

I think i got it!
but what if a already have ES installed.
Do i really need to start all over again??

On Thursday, November 28, 2013 11:48:08 PM UTC+2, Karel Minařík wrote:

I found this plugin supported by elasticsearch that can configure nginx for me.

https://github.com/elasticsearch/cookbook-elasticsearch

See the https://github.com/elasticsearch/cookbook-elasticsearch#nginx-proxy section of the README: the cookbook allows you to define the users and passwords, and automatically installs and configures Nginx with these settings. You can check it with the provided Vagrant configuration, or you can follow this tutorial: http://www.elasticsearch.org/tutorials/deploying-elasticsearch-with-chef-solo/

For an example of denying methods in Nginx configuration, see e.g. this StackOverflow answer: http://stackoverflow.com/a/8594977/95696

Karel

--
You received this message because you are subscribed to a topic in the Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/elasticsearch/xPoCuSKkX40/unsubscribe.
To unsubscribe from this group and all its topics, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/d4d778e1-ea2e-46e8-b77e-9d7926300343%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/E99E5DBA-0EAF-4F67-9B59-0434AA6B4B5A%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.


(danielr) #7

so all need to do is install chef cookbook and configure proxy in my
run_list?
and it will work for my existing Elasticsearch installation?

On Friday, November 29, 2013 12:42:11 AM UTC+2, Karel Minařík wrote:

No, you can install just the proxy with the Chef cookbook, or you can
extract the configuration and set up Nginx separately.

Karel

On 28. 11. 2013, at 22:52, DanielR <danielr...@gmail.com <javascript:>>
wrote:

I think i got it!
but what if a already have ES installed.
Do i really need to start all over again??

On Thursday, November 28, 2013 11:48:08 PM UTC+2, Karel Minařík wrote:

I found this plugin supported by elasticsearch that can configure nginx

for me.

https://github.com/elasticsearch/cookbook-elasticsearch

See the
https://github.com/elasticsearch/cookbook-elasticsearch#nginx-proxysection of the README: the cookbook allows you to define the users and
passwords, and automatically installs and configures Nginx with these
settings. You can check it with the provided Vagrant configuration, or you
can follow this tutorial:
http://www.elasticsearch.org/tutorials/deploying-elasticsearch-with-chef-solo/

For an example of denying methods in Nginx configuration, see e.g. this
StackOverflow answer: http://stackoverflow.com/a/8594977/95696

Karel

--
You received this message because you are subscribed to a topic in the
Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/elasticsearch/xPoCuSKkX40/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/d4d778e1-ea2e-46e8-b77e-9d7926300343%40googlegroups.com
.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/a463d1af-b0a0-4197-9fbe-549762acb0bd%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Karel Minarik) #8

so all need to do is install chef cookbook and configure proxy in my run_list?

Yes, download the cookbook to the server (scp, knife upload, etc), and include "elasticsearch::proxy" in your run_list.

Configure the Nginx proxy accordingly. See e.g. https://github.com/elasticsearch/cookbook-elasticsearch/blob/master/Vagrantfile#L151-L153

and it will work for my existing Elasticsearch installation?

By default, it will point to localhost:9200, see https://github.com/elasticsearch/cookbook-elasticsearch/blob/master/templates/default/elasticsearch_proxy.conf.erb#L26

By the way, do notice that the stock template doesn't provide any filtering of HTTP methods, as you originally wanted.

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/D3774514-C08B-4650-9D4C-3B17DAF0D1E4%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.


(danielr) #9

my node.json looks like this:

{

"run_list": ["recipe[elasticsearch::plugins]",

            "recipe[elasticsearch::nginx]",

            "recipe[elasticsearch::proxy]" ],


"plugins" : {

  "karmi/elasticsearch-paramedic" : {}

},


"nginx" : {

  "users" : [ { "username" : "USERNAME", "password" : "PASSWORD" } ],

  "allow_cluster_api" : true

}

}

and i keep getting the same error

"Chef::Exceptions::CookbookNotFound: Cookbook elasticsearch not found. If
you're loading elasticsearch from another cookbook, make sure you configure
the dependency in your metadata"

I think maybe I extracted it in the wrong directory..

On Friday, November 29, 2013 6:03:22 PM UTC+2, Karel Minařík wrote:

so all need to do is install chef cookbook and configure proxy in my
run_list?

Yes, download the cookbook to the server (scp, knife upload, etc), and
include "elasticsearch::proxy" in your run_list.

Configure the Nginx proxy accordingly. See e.g.
https://github.com/elasticsearch/cookbook-elasticsearch/blob/master/Vagrantfile#L151-L153

and it will work for my existing Elasticsearch installation?

By default, it will point to localhost:9200, see
https://github.com/elasticsearch/cookbook-elasticsearch/blob/master/templates/default/elasticsearch_proxy.conf.erb#L26

By the way, do notice that the stock template doesn't provide any
filtering of HTTP methods, as you originally wanted.

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/5f58f846-04c5-41dd-937d-4d09df940db7%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Karel Minarik) #10

and i keep getting the same error

"Chef::Exceptions::CookbookNotFound: Cookbook elasticsearch not found. If you're loading elasticsearch from another cookbook, make sure you configure the dependency in your metadata"

I think maybe I extracted it in the wrong directory..

Yes, that might be true -- maybe follow some tutorial from Opscode to set up your system correctly.

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/B3ED98AA-D019-41C7-9CE3-28386D6CB8A0%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.


(danielr) #11

Gave up on the cookbook..
I just went and installed nginx myself.

If i got that right, I need to use ngx_http_dav_module and deny PUT and
DELETE requests, Right?

But no i have a different problem!

On Friday, November 29, 2013 6:23:48 PM UTC+2, Karel Minařík wrote:

and i keep getting the same error

"Chef::Exceptions::CookbookNotFound: Cookbook elasticsearch not found.
If you're loading elasticsearch from another cookbook, make sure you
configure the dependency in your metadata"

I think maybe I extracted it in the wrong directory..

Yes, that might be true -- maybe follow some tutorial from Opscode to set
up your system correctly.

Karel

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/e7b6d986-355e-4164-b54c-879e7d7ccab1%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Jörg Prante) #12

It's easy as that

server {
location / { limit_except PUT DELETE {
proxy_pass http://127.0.0.1:9200;
}
}}

Jörg

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAKdsXoHmPGqvW4gGTzFOviLbuS_p_wYGgZpVov%2BM8c8gEiO%2BPA%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.


(danielr) #13

10X!
that worked :slight_smile:

On Sunday, December 1, 2013 12:13:13 PM UTC+2, Jörg Prante wrote:

It's easy as that

server {
location / { limit_except PUT DELETE {
proxy_pass http://127.0.0.1:9200;
}
}}

Jörg

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/8d78b939-7601-48e4-96ba-6b19e8853ba6%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(system) #14