SSL enabling the elasticsearch node library?


(Sean Pines) #1

Hi all,

New user to Elasticsearch and it's been absolutely amazing in a dev
environment so far. However, one strong requirement that we have is to
ensure the cluster is secured s.t. it can only be accessed via client
certificates (SSL/TLS).

Our setup is essentially four machines, three of which are running
Elasticsearch and the fourth is running an SSL-enabled proxy (so I can close off
HTTP/TCP to the outside world on the ES nodes). This setup works
wonderfully; Marvel works with no modifications and Sense only requires
that I specify the full URL (GET https://111.111.111.111:1111/type/_search)
and I can send curl commands all day.

However, when using the ElasticsearchJS library (located
at https://github.com/elasticsearch/elasticsearch-js), I cannot find a
clean way to connect to the SSL proxy.

Editing http.js as follows will do the trick:

    HttpConnector.prototype.makeReqParams = function (params) {
      // ... (rest of the original function body omitted)
      var reqParams = {
        method: params.method || 'GET',
        protocol: host.protocol + ':',
        auth: host.auth,
        hostname: host.host,
        port: host.port,
        path: (host.path || '') + (params.path || ''),
        headers: host.getHeaders(params.headers),
        agent: this.agent
      };

      // Inject https/ssl options into the agent (clean way to do this?)
      if (host.pfx) {
        reqParams.agent.options.pfx = host.pfx;
        reqParams.agent.options.rejectUnauthorized = host.rejectUnauthorized;
      }
      // ... (rest of the original function body omitted)
    };

Which I'd then seed with the following:
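
    var fs = require('fs');
    var elasticsearch = require('elasticsearch');

    var client = new elasticsearch.Client({
      host: {
        protocol: 'https',
        host: '111.111.111.111',
        port: '1111',
        // PKCS#12 bundle holding the client certificate and key
        pfx: fs.readFileSync('certs/dummyCert.p12'),
        rejectUnauthorized: false
      }
    });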

I would highly prefer to not have to edit the core library code though. Is
there a way to specify your agent / agent options from the Client
constructor (or a better way of going about this in general)?
makeAgentConfig seems to only let you customize your min/max sockets.

Thanks!
Sean
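
An alternative to patching the shared agent's options, as an added example that is not part of the original post or of elasticsearch-js: build one dedicated `https.Agent` per host that carries the client certificate, and keep verification of the proxy's certificate on by trusting its CA. The names `agentFor`, `makeReqParams`, `passphrase`, `ca` and the sample bytes are assumptions made for illustration.

```javascript
const https = require('https');

// Hypothetical helper (not part of elasticsearch-js): one https.Agent per
// host, so client-certificate material never ends up in a shared agent.
const agents = new Map();

function agentFor(host) {
  const key = host.host + ':' + host.port;
  if (!agents.has(key)) {
    agents.set(key, new https.Agent({
      keepAlive: true,
      pfx: host.pfx,                // client certificate + key (PKCS#12)
      passphrase: host.passphrase,  // PKCS#12 password, if any
      ca: host.ca,                  // CA that signed the proxy's certificate
      // Verify the proxy's certificate unless explicitly turned off.
      rejectUnauthorized: host.rejectUnauthorized !== false
    }));
  }
  return agents.get(key);
}

// Same shape as the request parameters in the post, but the TLS options
// live in a dedicated agent instead of being patched into `this.agent`.
function makeReqParams(host, params) {
  return {
    method: params.method || 'GET',
    protocol: host.protocol + ':',
    hostname: host.host,
    port: host.port,
    path: (host.path || '') + (params.path || ''),
    headers: params.headers || {},
    agent: agentFor(host)
  };
}

// Constructed sample input: placeholder bytes stand in for the real files.
const sampleHost = {
  protocol: 'https', host: '111.111.111.111', port: 1111,
  pfx: Buffer.from('constructed-pkcs12-bytes'),
  ca: Buffer.from('constructed-ca-pem')
};
const sampleParams = makeReqParams(sampleHost, { path: '/type/_search' });
// https.request(sampleParams, callback) would then present the client
// certificate and check the proxy's certificate against sampleHost.ca.
```

With a `ca` supplied for the proxy's certificate, `rejectUnauthorized` can stay at its default of `true`, so the client authenticates the proxy as well as the other way round.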
