Hi, I am trialing ECE and I have set up a secure route to a new cluster, and that works fine. I get an access denied when I try to access it from anywhere except the host I allowed.
But I can hit the frc-services-forwarders-services-forwarder (port 9244) on a server that is only an allocator. If I spoof the address for the cluster, i.e. add the cluster-id.ece-address.local to the allocator IP in the host file, I can access the cluster anywhere I make this change.
This raises some security concerns; also, that communication looks to be frc-services-forwarders-services-forwarder HTTP only. Does the proxy terminate the TLS connection and it's HTTP to the Elasticsearch cluster, or is there something missing?
It is intended that the services forwarder allows any allocator to make an HTTP request to any other allocator via the proxy - it's how Kibana and Stack monitoring work.
In terms of security, the Services Forwarder route looks like: cluster instance -> (http) localhost:9244 -> (https) proxy -> (https) -> other cluster
So all network traffic is encrypted (provided each allocator host blocks 9244 access from external IPs, e.g. via iptables). In-memory traffic is unencrypted (but of course the allocator contains all the data unencrypted to local users anyway).
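One way to check the condition stated in the reply above (port 9244 blocked from external IPs), run from a host outside the ECE installation. This is an added example, not part of the original thread and not Elastic tooling; the host name in it is a constructed placeholder.

```python
import socket
import sys

FORWARDER_PORT = 9244  # services forwarder port named in the thread

def probe(host, port=FORWARDER_PORT, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: the port is exposed to us
    except ConnectionRefusedError:
        return "refused"       # RST: nothing listening, or a REJECT rule
    except OSError:
        return "filtered"      # timeout, unreachable or unresolved: typical of DROP

def audit(hosts, port=FORWARDER_PORT, timeout=2.0):
    """Probe every allocator; return (per-host status, sorted exposed hosts)."""
    results = {h: probe(h, port, timeout) for h in hosts}
    exposed = sorted(h for h, status in results.items() if status == "open")
    return results, exposed

if __name__ == "__main__":
    # Constructed placeholder name; pass your allocator addresses as arguments.
    allocators = sys.argv[1:] or ["allocator-1.example.internal"]
    results, exposed = audit(allocators)
    for host, status in results.items():
        print(f"{host}:{FORWARDER_PORT} {status}")
    # Non-zero exit when any allocator accepts the connection, for cron or CI use.
    sys.exit(1 if exposed else 0)
```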
So if I understand correctly, Services Forwarder is used for services on that host to send data to other clusters.
The internal cluster transport, e.g. for shard moving, is all done via TLS.
Does the proxy do any TLS termination, or is the termination of my connection done at the Elastic cluster?
Is there any documentation for security hardening ECE? I saw nothing about needing to iptable off 9244.