I am trying to deploy OpenSearch behind a reverse proxy (Traefik), using Docker and docker-compose for this purpose. I have had success with OpenSearch Dashboards, so I feel that I am close to the solution, but something must be missing.
The problem is that I want to change the admin password, and for this purpose I need to enable the security plugin (if not, anybody can connect to it). But if I enable it, OpenSearch forces me to use SSL for connections. If I have an SSL connection, I need to generate the certificates, but the connection between Traefik and OpenSearch then causes the following error:
DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS
I understand that the architecture that makes sense (and that I want) is for Traefik to handle the SSL connections and auto-renew certificates using the server domain, while internally Traefik makes plain connections without SSL to OpenSearch.
I have found that Elasticsearch allows disabling SSL connections while keeping other security features enabled, but I have not found anything similar for OpenSearch.
I am using "SERVER_BASEPATH" and "SERVER_REWRITEBASEPATH" on OpenSearch. I found this information for OpenSearch Dashboards, and it seems to work for OpenSearch too, as the traffic is redirected correctly.
docker-compose file:
opensearch-node1:
  image: opensearchproject/opensearch:latest
  container_name: opensearch-node1
  restart: always
  environment:
    - TZ=Europe/Madrid
    - cluster.name=opensearch-cluster
    - node.name=opensearch-node1
    - discovery.seed_hosts=opensearch-node1
    - cluster.initial_cluster_manager_nodes=opensearch-node1
    - http.port=9200
    - bootstrap.memory_lock=true
    - DISABLE_INSTALL_DEMO_CONFIG=true
    - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m"
    - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=${adminPassword}"
    # - "DISABLE_SECURITY_PLUGIN=true"
    - plugins.security.ssl.transport.enforce_hostname_verification=false
    - plugins.security.ssl.transport.enabled=true
    - plugins.security.ssl.transport.pemkey_filepath=certs/admin-key.pem
    - plugins.security.ssl.transport.pemcert_filepath=certs/admin.pem
    - plugins.security.ssl.transport.pemtrustedcas_filepath=certs/root-ca.pem
    - plugins.security.ssl.http.enabled=true
    - plugins.security.ssl.http.pemkey_filepath=certs/admin-key.pem
    - plugins.security.ssl.http.pemcert_filepath=certs/admin.pem
    - plugins.security.ssl.http.pemtrustedcas_filepath=certs/root-ca.pem
    - "SERVER_BASEPATH=/opensearch"
    - "SERVER_REWRITEBASEPATH=true"
  labels:
    - "traefik.enable=true"
    - "traefik.backend=opensearch-node1"
    - "traefik.http.routers.opensearch.entrypoints=https"
    - "traefik.http.routers.opensearch.tls.certresolver=https"
    - "traefik.http.routers.opensearch.rule=(Host(`${machine_domain}`) && PathPrefix(`/opensearch`))"
    - "traefik.docker.network=containers"
  ulimits:
    memlock:
      soft: -1 # Set memlock to unlimited (no soft or hard limit)
      hard: -1
    nofile:
      soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
      hard: 65536
  volumes:
    - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
    - ./certs:/usr/share/opensearch/config/certs:ro
  ports:
    - 9200:9200 # REST API
    - 9600:9600 # Performance Analyzer
  expose:
    - 9200
  networks:
    - containers
Currently, Traefik is correctly redirecting the traffic from my.domain.com/opensearch to the OpenSearch docker container. But OpenSearch is refusing it:
What I want to achieve:
- Running OpenSearch behind Traefik. This simplifies my configuration when deploying it on multiple servers.
- Avoiding, if possible, generating custom certificates on OpenSearch, as Traefik handles them perfectly.
- Avoiding the use of specific ports and/or subdomains.
What I have tested:
- Disabling the security plugin. That allows anyone to access the system.
- Creating custom certificates on OpenSearch. As described above, I am not able to connect Traefik to OpenSearch after this.
- Enabling the security plugin but disabling SSL with plugins.security.ssl.http.enabled. The security plugin complains and the server does not start.
- Trying to reuse "acme.json" from Traefik to obtain the certificates for OpenSearch. Not the perfect solution, but it can help with some parts of the problem.
2 Answers
Try setting the target service port; the image may expose multiple, so tell Traefik explicitly which one to use, for example:
If there is an issue with a custom TLS cert from your target service, you can set insecureSkipVerify either globally in the Traefik static config or as a serversTransport with your individual Traefik service.

You can create a self-signed certificate to have a working setup with the features you want. Here's a simple command:
Then, update your OpenSearch configuration (docker-compose.yml) to point to the self-signed certificates:
Make sure to mount the directory containing the SSL certificates:
You need to configure Traefik to use SSL when connecting to OpenSearch internally. You can add Traefik's TLS options as shown:
Update Traefik's labels:
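Both answers point to the same shape of fix: leave the security plugin's HTTPS on and have Traefik re-encrypt to the node. As an added example that is not from either answer, here is Traefik file-provider dynamic configuration plus the matching container labels that do this while verifying the node's certificate against the root-ca.pem the question already mounts, instead of disabling verification with insecureSkipVerify. Assumed names: the serversTransport opensearch-tls, the middleware opensearch-strip, the file path /etc/traefik/dynamic/opensearch.yml and the CA mount path /etc/traefik/certs/root-ca.pem; serverName must match a SAN in the node's HTTP certificate.

```yaml
# Document 1: /etc/traefik/dynamic/opensearch.yml (assumed path, loaded by
# Traefik's file provider). Re-encrypts proxy -> OpenSearch and pins the CA.
http:
  serversTransports:
    opensearch-tls:
      # Same CA file the question mounts into the node (./certs/root-ca.pem);
      # Traefik must have it mounted read-only at this assumed path.
      rootCAs:
        - /etc/traefik/certs/root-ca.pem
      # Name Traefik verifies against the node cert's SAN/CN. "opensearch-node1"
      # is assumed because that is the container and node name in the question.
      serverName: opensearch-node1
      # insecureSkipVerify: true   # last resort only: accepts any cert, so a
      #                            # rogue container on the network could impersonate the node
  middlewares:
    # OpenSearch does not serve under /opensearch, so strip the prefix
    # before forwarding (assumed to be what the question's PathPrefix intends).
    opensearch-strip:
      stripPrefix:
        prefixes:
          - /opensearch
---
# Document 2: labels on the opensearch-node1 service in the question's
# compose file (replaces the "traefik.*" labels shown there).
labels:
  - "traefik.enable=true"
  - "traefik.docker.network=containers"
  - "traefik.http.routers.opensearch.entrypoints=https"
  - "traefik.http.routers.opensearch.tls.certresolver=https"
  - "traefik.http.routers.opensearch.rule=Host(`${machine_domain}`) && PathPrefix(`/opensearch`)"
  - "traefik.http.routers.opensearch.middlewares=opensearch-strip@file"
  - "traefik.http.routers.opensearch.service=opensearch"
  # Explicit container port (the image also exposes 9600) and HTTPS scheme,
  # so Traefik sends TLS records that the security plugin accepts.
  - "traefik.http.services.opensearch.loadbalancer.server.port=9200"
  - "traefik.http.services.opensearch.loadbalancer.server.scheme=https"
  - "traefik.http.services.opensearch.loadbalancer.serverstransport=opensearch-tls@file"
```

Traefik needs the file provider enabled in its static configuration and the CA file mounted. With Traefik fronting the node, the question's `ports: 9200:9200` mapping is not needed and would publish the REST API directly on the host, bypassing the proxy.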