
I am trying to deploy OpenSearch behind a reverse proxy (Traefik), and I am using Docker and docker-compose for this purpose. I have had success with OpenSearch Dashboards. Therefore I feel that I am close to the solution, but something must be missing.

The problem is, I want to change the admin password, and for this purpose I need to enable the security plugin (if not, anybody can connect to it). But if I enable it, OpenSearch forces me to use SSL for connections. If I have an SSL connection, I need to generate the certificates, but the connection between Traefik and OpenSearch causes the following error:

DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS

I understand that the architecture that makes sense (and that I want) is that Traefik handles the SSL connections and auto-renews certificates using the server domain, and internally Traefik makes plain connections without SSL to OpenSearch.

I have found that Elasticsearch allows disabling SSL connections while keeping other security features enabled, but I have not found anything similar for OpenSearch.

I am using "SERVER_BASEPATH" and "SERVER_REWRITEBASEPATH" on OpenSearch. I found this information for OpenSearch Dashboards, and it seems to work for OpenSearch too, as the traffic is redirected correctly.

docker-compose file:

  opensearch-node1: 
    image: opensearchproject/opensearch:latest
    container_name: opensearch-node1
    restart: always
    environment:
      - TZ=Europe/Madrid
      - cluster.name=opensearch-cluster 
      - node.name=opensearch-node1 
      - discovery.seed_hosts=opensearch-node1
      - cluster.initial_cluster_manager_nodes=opensearch-node1
      - http.port=9200
      - bootstrap.memory_lock=true
      - DISABLE_INSTALL_DEMO_CONFIG=true
      - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m"
      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=${adminPassword}"
      # - "DISABLE_SECURITY_PLUGIN=true"
      - plugins.security.ssl.transport.enforce_hostname_verification=false
      - plugins.security.ssl.transport.enabled=true
      - plugins.security.ssl.transport.pemkey_filepath=certs/admin-key.pem
      - plugins.security.ssl.transport.pemcert_filepath=certs/admin.pem
      - plugins.security.ssl.transport.pemtrustedcas_filepath=certs/root-ca.pem
      - plugins.security.ssl.http.enabled=true
      - plugins.security.ssl.http.pemkey_filepath=certs/admin-key.pem
      - plugins.security.ssl.http.pemcert_filepath=certs/admin.pem
      - plugins.security.ssl.http.pemtrustedcas_filepath=certs/root-ca.pem
      - "SERVER_BASEPATH=/opensearch"
      - "SERVER_REWRITEBASEPATH=true"
    labels:
      - "traefik.enable=true"
      - "traefik.backend=opensearch-node1"
      - "traefik.http.routers.opensearch.entrypoints=https"
      - "traefik.http.routers.opensearch.tls.certresolver=https"
      - "traefik.http.routers.opensearch.rule=(Host(`${machine_domain}`) && PathPrefix(`/opensearch`))"
      - "traefik.docker.network=containers"
    ulimits:
      memlock:
        soft: -1 # Set memlock to unlimited (no soft or hard limit)
        hard: -1
      nofile:
        soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
        hard: 65536
    volumes:
      - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
      - ./certs:/usr/share/opensearch/config/certs:ro
    ports:
      - 9200:9200 # REST API
      - 9600:9600 # Performance Analyzer
    expose:
      - 9200
    networks:
      - containers

Currently, Traefik is correctly redirecting the traffic from my.domain.com/opensearch to the OpenSearch Docker container, but OpenSearch is refusing it:

What I want to achieve:

  • Running OpenSearch behind Traefik. This simplifies my configuration when deploying it on multiple servers.
  • Avoiding, if possible, generating custom certificates on OpenSearch, as Traefik handles them perfectly.
  • Avoiding using specific ports and/or subdomains.

What I have tested:

  • Disabling the security plugin. That allows any access to the system.
  • Creating custom certificates on OpenSearch. As described above, I am not able to connect Traefik to OpenSearch after this.
  • Enabling the security plugin but disabling SSL with plugins.security.ssl.http.enabled. The security plugin complains and the server does not start.
  • Trying to reuse "acme.json" from Traefik to obtain the certificates for OpenSearch. Not the perfect solution, but it can help with some parts of the problem.

2 Answers


  1. Try setting the target service port; the image may expose multiple ports, so tell Traefik explicitly which one to use. Example:

      whoami:
        image: traefik/whoami:v1.8
        networks:
          - proxy
        labels:
          - traefik.enable=true
          - traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`) || Host(`www.whoami.example.com`)
          - traefik.http.services.mywhoami.loadbalancer.server.port=80
    

    If there is an issue with a custom TLS cert from your target service, you can set insecureSkipVerify either globally in the Traefik static config or as a serversTransport with your individual Traefik service.

  2. You can create a self-signed certificate to have a working setup, with the features you want. Here’s a simple command:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
       -keyout opensearch.key -out opensearch.crt \
       -subj "/CN=localhost"
    

    Then, update your OpenSearch configuration (docker-compose.yml) to point to the self-signed certificates:

    opensearch-node1: 
     image: opensearchproject/opensearch:latest
     container_name: opensearch-node1
     restart: always
     environment:
       ...
       - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/certs/opensearch.key
       - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/certs/opensearch.crt
       - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/certs/opensearch.crt
       - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/certs/opensearch.key
       - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/certs/opensearch.crt
       - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/certs/opensearch.crt
    

    Make sure to mount the directory containing the SSL certificates:

    volumes:
     - ./certs:/usr/share/opensearch/config/certs:ro
    

    You need to configure Traefik to use SSL when connecting to OpenSearch internally. You can add Traefik’s TLS options as shown:

    Update Traefik’s labels:

    labels:
     - "traefik.http.services.opensearch.loadbalancer.server.scheme=https" # Use HTTPS to connect to OpenSearch
     - "traefik.http.routers.opensearch.tls=true"
     - "traefik.http.services.opensearch.loadbalancer.server.insecureSkipVerify=true" # Skip SSL verification (for dev environments only)
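As an added diagnostic for both the question (the NotSslRecordException) and the answer above (the HTTPS hop from Traefik to OpenSearch), here is a small probe script. It is not code from the question or from either answer, and it does not touch Traefik or OpenSearch configuration. It reproduces the check netty makes before raising NotSslRecordException (a TLS record must start with a TLS content type byte followed by a 0x03 version byte, whereas Traefik with the default scheme sends an ASCII HTTP request line), then connects to a host and port of your choosing to report whether that port speaks TLS, whether its certificate verifies against the system trust store (a self-signed certificate will not, which is why the answer reaches for insecureSkipVerify), or whether it is plaintext HTTP. The host, the default port 9200 and the `diagnose` wording are assumptions made for this example.

```python
"""Probe what a backend port actually speaks (TLS or plaintext HTTP).

Added example for the thread above; not code from the question or answers.
Host and port are assumptions (9200 matches the compose file's REST port).
"""
import socket
import ssl

# TLS record content types (change_cipher_spec, alert, handshake,
# application_data). Every TLS record starts with one of these followed by
# a 0x03 major-version byte; netty applies this test before raising
# NotSslRecordException on a TLS-enabled port.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes seen on a socket."""
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):  # an HTTP response status line
        return "http"
    if data.split(b" ", 1)[0].upper() in HTTP_METHODS:  # an HTTP request line
        return "http"
    return "unknown"


def diagnose(traefik_scheme: str, backend: str) -> str:
    """Explain whether Traefik's loadbalancer.server.scheme matches the backend."""
    if traefik_scheme == "http" and backend == "tls":
        return ("mismatch: Traefik sends plaintext HTTP to a TLS-only port; "
                "OpenSearch logs NotSslRecordException and closes the connection")
    if traefik_scheme == "https" and backend == "http":
        return "mismatch: Traefik starts a TLS handshake against a plaintext port"
    if traefik_scheme == "https" and backend == "tls":
        return ("consistent: TLS hop; Traefik must trust the certificate or be "
                "told to skip verification via a serversTransport")
    if traefik_scheme == "http" and backend == "http":
        return "consistent: plaintext hop inside the Docker network"
    return "unknown combination"


def probe(host: str, port: int = 9200, timeout: float = 3.0) -> dict:
    """Connect to host:port, try TLS first, then plaintext; report what answered."""
    result = {"speaks": "unknown", "cert_verified": False, "detail": ""}
    ctx = ssl.create_default_context()  # verifies against the system CA store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(speaks="tls", cert_verified=True,
                              detail=f"{tls.version()}, certificate verified")
                return result
    except ssl.SSLCertVerificationError as exc:
        # The handshake ran, so the peer speaks TLS; only trust failed
        # (a self-signed certificate lands here).
        result.update(speaks="tls", detail=f"certificate rejected: {exc.verify_message}")
        return result
    except ssl.SSLError as exc:
        result["detail"] = f"not TLS: {exc.reason}"  # fall through to plaintext probe
    except OSError as exc:
        result["detail"] = f"connect failed: {exc}"
        return result

    # Plaintext probe. A TLS-only OpenSearch port drops this with an empty
    # reply after logging NotSslRecordException on its side.
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(request)
            reply = raw.recv(64)
    except OSError as exc:
        result["detail"] += f"; plaintext probe failed: {exc}"
        return result
    kind = classify_first_bytes(reply)
    result["speaks"] = kind
    if kind == "http":
        result["detail"] = "plaintext HTTP response"
    else:
        result["detail"] += f"; no usable reply to plaintext ({reply[:16]!r})"
    return result


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumption
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9200
    found = probe(host, port)
    print(f"{host}:{port} speaks {found['speaks']} ({found['detail']})")
    for scheme in ("http", "https"):
        print(f"  Traefik scheme={scheme}: {diagnose(scheme, found['speaks'])}")
```

Run it from the Traefik host (or inside the Traefik container) against the OpenSearch container name and port. If it reports `tls` with `certificate rejected`, the backend is fine and only Traefik's trust of the self-signed certificate needs handling; if it reports `http`, the `scheme=https` label would break the hop instead of fixing it.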
    