Security, best practice when using ES with custom Frontend


Since Elastic released some of the security features from X-Pack, I'm wondering if anything has changed in the security-related best practices, for example having a proxy installed in front of ES. I have a couple of semi-related open questions:

  1. Let's presume I would have a Gold or Platinum subscription; then I would have the SSO features enabled, correct? I'm wondering if I can use ES as an authentication backend for a web-frontend application without any other backend/proxy in between. Would it be a good practice?

  2. If I want to use the Basic subscription, what should I do then? I guess the best option is to roll out my own backend that handles SSO authentication and provides a REST API that is completely decoupled from the ES REST endpoint, but this requires the most work.

  3. What are the dangers of using ES through a proxy from a web frontend, in a simple configuration, without long RegEx rules? OK, if it is completely open, it makes the proxy obsolete. So, what typical rules do you use? I imagine blocking DELETEs and PUTs, for example, and making specific indexes read-only or not accessible at all. But that's it, isn't it?

What is your way to go in an enterprise environment? My feeling is to do it as in 2.
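Item 3 asks which rules a proxy in front of ES should enforce. The following is an added example, not code from this thread or from Elastic: a path-based request filter of the kind such a proxy would apply, with a constructed allowlist (the index names `products`, `articles` and `user-notes` are assumptions). It goes beyond "block DELETE and PUT" to cover the cases a practitioner would want handled: document writes also arrive as POST, several endpoints choose their target indices from the request body rather than the path, and a wildcard, comma list or percent-encoded target can widen the request beyond the allowlist.

```python
import re
from urllib.parse import urlparse

# Constructed policy: which indices the web frontend may see, and which it may write to.
READ_ONLY_INDICES = {"products", "articles"}
READ_WRITE_INDICES = {"user-notes"}

QUERY_ACTIONS = {"_search", "_count"}            # read-only queries, GET or POST
WRITE_ACTIONS = {"_doc", "_create", "_update"}   # document writes; they arrive as POST, so a
                                                 # DELETE/PUT block alone does not stop them
# These endpoints take their target indices (or whole operations) from the request body,
# so a path rule cannot confine them; a proxy that filters on the path must refuse them.
BODY_TARGETED = {"_bulk", "_msearch", "_mget", "_delete_by_query", "_update_by_query"}

# Exactly one plain index name: no '*', ',', leading '_' or '%' (percent-encoded separators
# are decoded by ES after the proxy has looked at the raw path).
INDEX_NAME = re.compile(r"[a-z0-9][a-z0-9_-]*")


def decide(method: str, raw_path: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one proxied request. Anything unmatched is denied."""
    method = method.upper()
    segments = [s for s in urlparse(raw_path).path.split("/") if s]
    if method not in {"GET", "POST"}:
        return False, f"method {method} blocked"
    if not segments:
        return False, "cluster root"
    target = segments[0]
    if target.startswith("_"):
        return False, f"cluster-level endpoint {target}"   # _cluster, _cat, _nodes, _all, ...
    if not INDEX_NAME.fullmatch(target):
        return False, "wildcard, multi-index or encoded target"
    if target not in READ_ONLY_INDICES | READ_WRITE_INDICES:
        return False, f"index {target} not exposed"
    action = segments[1] if len(segments) > 1 else None
    if action in BODY_TARGETED:
        return False, f"{action} selects its targets from the body"
    if action in QUERY_ACTIONS:
        return True, "query"
    if method == "GET" and action == "_doc" and len(segments) == 3:
        return True, "read single document"
    if method == "POST" and action in WRITE_ACTIONS and target in READ_WRITE_INDICES:
        return True, "write to writable index"
    return False, "no matching rule"   # e.g. GET /products (mappings and settings)
```

The deny-by-default shape matters more than the exact sets: each new endpoint the frontend needs is added as an explicit rule, rather than the proxy trying to enumerate what to block.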


Both OpenID Connect and SAML are available in Platinum only.

You could. We describe how to do this for OpenID Connect in our docs, and we will shortly be publishing the same guide for SAML.

If you need single sign-on to an external system, then there is no alternative, I'm afraid: you need to build something on your own, either in your web application or as a custom Elasticsearch realm.
