Securing elasticsearch and still access it via kibana

As per the subject, my goal is to prevent general external access to
elasticsearch, but still allow authenticated access from kibana.

Looking around the internet there are multiple descriptions of how to do
pieces of this, but I haven't come across a good explanation of how to pull
it all together. Hence my post here.

Using nginx, I can set up authenticated access to elasticsearch (as
per http://www.elasticsearch.org/blog/playing-http-tricks-nginx/)
However, there's also the ability to set up basic authentication for
elasticsearch with https://github.com/Asquera/elasticsearch-http-basic How
do these two differ / complement each other?

In Kibana3, I know there's the setting in config.js which instructs kibana
to connect to ES with credentials:

elasticsearch: {"http://"+window.location.hostname+":8080", 

withCredentials: true},

Does this "withCredentials" option assume the presence of
elasticsearch-http-basic auth ES plugin?

So far I have the ES basic auth working via nginx config on port 8080 (I
haven't installed elasticsearch-http-basic), but Kibana is showing a blank
page with "{{dashboard.current.title}}" and an error on the console:

Uncaught SyntaxError: Unexpected token +

app.js:8 TypeError: Cannot read property 'elasticsearch' of undefined

at new <anonymous> (http://10.2.3.174:8081/app/app.js:22:5857)

at d (http://10.2.3.174:8081/app/app.js:8:6414)

at Object.e [as instantiate] (http://10.2.3.174:8081/app/app.js:8:6527)

at Object.<anonymous> (http://10.2.3.174:8081/app/app.js:8:4811)

at Object.d [as invoke] (http://10.2.3.174:8081/app/app.js:8:6414)

at http://10.2.3.174:8081/app/app.js:8:6930

at c (http://10.2.3.174:8081/app/app.js:8:5751)

at d (http://10.2.3.174:8081/app/app.js:8:5885)

at Object.e [as instantiate] (http://10.2.3.174:8081/app/app.js:8:6527)

at Object.<anonymous> (http://10.2.3.174:8081/app/app.js:8:4811)

Cheers,

Iain

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/357fd600-0ca9-470f-8cde-24a645672d1d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

On Monday, January 19, 2015 at 4:23:16 PM UTC-5, Iain Woolf wrote:

...

In Kibana3, I know there's the setting in config.js which instructs kibana
to connect to ES with credentials:

elasticsearch: {"http://"+window.location.hostname+":8080", 

withCredentials: true},

Does this "withCredentials" option assume the presence of
elasticsearch-http-basic auth ES plugin?

So far I have the ES basic auth working via nginx config on port 8080 (I
haven't installed elasticsearch-http-basic), but Kibana is showing a blank
page with "{{dashboard.current.title}}" and an error on the console:

Uncaught SyntaxError: Unexpected token +

app.js:8 TypeError: Cannot read property 'elasticsearch' of undefined

The source of this error was a typo in the kibana config.js file. The line
should read:

elasticsearch: {*server: *"http://"+window.location.hostname+":8080",
withCredentials: true},

Now I have authentication working for elasticsearch (basic auth using
nginx), verified with curl:

curl -i 'someuser:somepasswd@10.2.3.174:8080'
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Wed, 21 Jan 2015 19:36:39 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 293
Connection: keep-alive

{
"status" : 200,
"name" : "Rage",
"version" : {
"number" : "1.3.2",
"build_hash" : "dee175dbe2f254f3f26992f5d7591939aaefd12f",
"build_timestamp" : "2014-08-13T14:29:30Z",
"build_snapshot" : false,
"lucene_version" : "4.9"
},
"tagline" : "You Know, for Search"
}

I also have basic auth for the Kibana port (again using nginx and using the
same user/pass file for both Kibana and Elasticsearch), but when loading
the Kibana web page and authenticating I get a banner alert along the top
of the page from Kibana saying "Error Could not contact Elasticsearch at
http://10.2.3.174:8080. Please ensure that Elasticsearch is reachable from
your system."

Any ideas?

Thanks,

Iain

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/0a0930b2-08d4-4153-afaa-28e88ccd6f24%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.