Simple HTTPS connection to ES

Hello !

It's my first time here, so I hope I have done things well.

I am currently working on a project using ES.

I have the following setup :

  • One serveur where ES is running in HTTP : ES_SERVER
  • One Website in HTTP : CLIENT
  • One Website in HTTPS : ADMINISTRATION

The CLIENT website perform http request to ES_SERVER in AJAX from the browser.

I want to perform the followin evolution :

I want the ADMINISTRATION website to be able to perform request to the ES_SERVER.

At the beggining, I wanted to do it in ajax, from the browser.
However, it is not possible to perform request to a server without encryption from an HTTPS connection.

So, I decided to put SSL and HTTPS to my ES_SERVER.

Now that it is done, I understand that it is not possible to just call "https://ES_SERVER"

So my questions are the following :

  • Is it possible to perform an AJAX call, from the browser, to an ES_SERVER in HTTPS ? (I think I understand it is not possible)

  • What is the right way to interact from a browser to a ES_SERVER using HTTPS ? (I think using a curl request from the server side is better than I currently do with the ajax request client-side)

  • is there any way to connect to ES_SERVER without any password or user ? (Then again, if from server side, it is not really an issue)

If the situation is not clear, feel free to ask any questions.

Thank you for your answeres,

Why is that ? What issue did you encounter that lead you to think that?

Yes, it is. See also the CORS related settings in https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html.

I'm not really sure we can answer this question for you. From a functionality/feature perspective, It depends on your use case . From a security perspective there are potential risks with both approaches and, as usual, the devil is in the implementation details. A very prominent difference that might help you select what's best for you is that with the ajax request option, you need to give Elasticsearch credentials ( i.e. replicate all your ADMINISTRATION users to Elasticsearch and keep their passwords in sync) to all your ADMINISTRATION website users as they will make the requests via their browsers. On the contrary, if you handle requests on the backend side with i.e. curl, then you can keep your existing authentication scheme for the ADMINISTRATION website and use a single ES user to make all the requests to ES ( Note that this can be tricky if not all your users should have the same access to the same data in Elasticsearch )

You can enable anonymous access as described in https://www.elastic.co/guide/en/elastic-stack-overview/7.3/anonymous-access.html if that fits your use case/requirements.

Thanks a lot for your answerers !

Well, I have this error in the browser : net::ERR_CONNECTION_REFUSED

But I give no credential in any way in my ajax request.
That's what led me to think my implementation was wrong to begin with.

Thanks, I did not tried with http.cors.allow-credentials.

The way things work for my project,

There is one ADMINISTRATION server with different users, and there is multiple CLIENT website, who use the same ES_SERVER, but with different indexes. The client is public and accessible for everyone, whereas the ADMINISTRATION is for a selected few.

Either way, If I understand you correctly

I'm not security expert, but I think it is a risk to let the public thing with no protection whatsoever have the credentials.

I think it is not an issue to use the same ES user, since all data are compartimented within indexes, and if I set everything in curl, there is no simple way for the client to access other's data.

So If I understand clearly :

I have to use the auth system of ES, creat ONE ES user with rights for everything, but set every request serverside with CURL.

Do I have to set PKI realm for that purpose ?

Can I do that with .p12 file ?

Thank you !

I didn't mean that you should give your Elasticsearch credentials to all your users. I meant that you could create users ( one for every one of your existing user ) so every user can make requests to Elasticsearch on their own with any of the permissions you want to allow them to have.

There is no point to have a single ES user that has read access to everything from every CLIENT WEBSITE. If one of your CLIENT websites gets compromised, then an attacker gets access to all the data in Elasticsearch. Since your data is already compartmentalized, you should probably better create 1 Elasticsearch user per CLIENT website and give each one read access to only the specific index that it will need to make queries for, for the given CLIENT website.

No, not exactly, see above.

No, you can use any of the existing realms that your license level covers to authenticate your users to Elasticsearch.

I'm not sure I understand this question.