In production, how can I restrict general users only be able to use GET request, and all of other operations are prohibited? This should apply to both from terminal and from web browser. For example, general users cannot use curl -XDELETE 'http://www.example.com:9200/customer/external/1?pretty' in terminal. General users cannot use web browser to do any other operations to indices, except GET.
If you buy a subscription from Elastic you can get access to an Elasticsearch plugin for security which is quite comprehensive. That said, I think you just want an HTTP proxy? That'd provide some basic security so long as you are careful with the patterns you allow access to.
The subscriptions pay my salary so personally I'd prefer you use that but you've got to do what is right for you.