Proxy / Forwarder security issue

Hi, I am trialing ECE and I have set up a secure route to a new cluster, and that works fine. I get an access denied when I try to access it from anywhere except the host I allowed.

But I can hit the frc-services-forwarders-services-forwarder (port 9244) on a server that is only an allocator. If I spoof the address for the cluster, i.e. add cluster-id.ece-address.local to the allocator IP in the hosts file, I can access the cluster from anywhere I make this change.

This raises some security concerns; also, that communication to frc-services-forwarders-services-forwarder looks to be HTTP only. Does the proxy terminate the TLS connection and is it HTTP to the Elasticsearch cluster, or is there something missing?

It is intended that the services forwarder allows any allocator to make an HTTP request to any other allocator via the proxy - it's how Kibana and Stack monitoring work.

In terms of security, the Services Forwarder route looks like: cluster instance -> (http) localhost:9244 -> (https) proxy -> (https) -> other cluster

So all network traffic is encrypted (provided each allocator host blocks 9244 access from external IPs, e.g. via iptables). In-memory traffic is unencrypted (but of course the allocator contains all the data unencrypted for local users anyway).

Does that address your concerns?


So if I understand correctly, the Services Forwarder is used by services on that host to send data to other clusters.
The internal cluster transport, e.g. for shard moving, is all done via TLS.

Does the proxy do any TLS termination, or is the termination of my connection done at the Elastic cluster?

Is there any documentation on security hardening ECE? I saw nothing about needing to iptables off 9244.

That's exactly right, yes.

The proxy terminates TLS and has its own internal certificate for proxy<->ES/Kibana communications.

The list of which ports you should allow (the implication being that all others should be blocked) is here:

(It doesn't mention 9244 because it's intended to be blocked.) It would probably be good if we linked to this from and also were more explicit on that page that other ports should be blocked (at least inbound), I think?
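The hardening step both replies above describe, blocking inbound 9244 on every allocator so the services forwarder is reachable only from localhost, as an added example that is not from this thread or from Elastic's ECE documentation. It assumes iptables with the INPUT chain, the port number 9244 taken from the thread, and the `iptables -S` samples below are constructed for illustration:

```shell
#!/bin/sh
# Added example; not code from this thread or from Elastic's ECE documentation.
# Restricts the ECE services-forwarder port (9244 in the thread) to loopback
# with iptables and checks an existing ruleset for that property. Assumptions:
# the INPUT chain is used, the port is 9244, and the sample `iptables -S`
# output below is constructed for illustration.

FORWARDER_PORT="${FORWARDER_PORT:-9244}"

# Print the two rules that lock the port to loopback. They are inserted at the
# top of INPUT so an earlier broad ACCEPT cannot bypass them; the loopback
# ACCEPT must come before the DROP or the forwarder itself stops working.
# Printed rather than applied so they can be reviewed; pipe to `sh` as root.
forwarder_rules() {
  port="$1"
  printf 'iptables -I INPUT 1 -i lo -p tcp --dport %s -j ACCEPT\n' "$port"
  printf 'iptables -I INPUT 2 -p tcp --dport %s -j DROP\n' "$port"
}

# Read `iptables -S INPUT` output on stdin and exit 0 only if, among the rules
# that name the port, the loopback ACCEPT comes first and a DROP/REJECT follows
# with no other ACCEPT in between. Rules that do not name the port (such as a
# bare `-A INPUT -j ACCEPT`) are not considered, so review the full chain too.
forwarder_locked_down() {
  port="$1"
  awk -v port="$port" '
    index($0, "--dport " port " ") > 0 {
      if ($0 ~ /-i lo / && $0 ~ /-j ACCEPT/) { lo_ok = 1; next }
      if ($0 ~ /-j (DROP|REJECT)/) { if (lo_ok) dropped = 1; exit }
      if ($0 ~ /-j ACCEPT/) { leak = 1; exit }
    }
    END { exit (lo_ok && dropped && !leak) ? 0 : 1 }
  '
}

# Constructed sample of `iptables -S INPUT` on a hardened allocator.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 9244 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9244 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample where a non-loopback ACCEPT for the port precedes the
# DROP, which leaves the forwarder reachable from other hosts.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 9244 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 9244 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9244 -j DROP'

# Demo: print the rules to apply, then evaluate both constructed samples.
main() {
  forwarder_rules "$FORWARDER_PORT"
  if printf '%s\n' "$GOOD_RULES" | forwarder_locked_down "$FORWARDER_PORT"; then
    echo "sample 1: port $FORWARDER_PORT is loopback-only"
  else
    echo "sample 1: port $FORWARDER_PORT is exposed"
  fi
  if printf '%s\n' "$BAD_RULES" | forwarder_locked_down "$FORWARDER_PORT"; then
    echo "sample 2: port $FORWARDER_PORT is loopback-only"
  else
    echo "sample 2: port $FORWARDER_PORT is exposed"
  fi
}

main "$@"
```

On a live allocator, run `iptables -S INPUT | forwarder_locked_down 9244` after applying the rules (and after a reboot, since iptables rules are not persistent unless saved) to confirm the ordering survived; the same idea applies to any other port that is not on the allowed-ports list the reply above refers to.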


That has been very helpful.
