
I have been playing around with creating a webapp that uses Elasticsearch to perform queries. Currently, everything is in production, thus on the localhost; let's say Elasticsearch runs at 123.123.123.123:9200. All fun and games, but once the web application (React) is finished, the webapp should be able to send the queries to the current local Elasticsearch db.

I have been reading around on how to get this done in a proper and most of all secure way. Summary of this all is currently:
"First off, exposing an Elasticsearch node directly to the internet without protections in front of it is usually bad, bad news." (see here: Accessing elasticsearch from a public domain name or IP).
Another interesting blog I found: https://code972.com/blog/2017/01/dont-be-ransacked-securing-your-elasticsearch-cluster-properly-107.

The problem with the above-mentioned sources is that they are a bit older, and thus I am not sure whether they are up to date.
Therefore the following questions:

  • Is nginx sufficient to act as a secure middleman, passing the queries from the end-users to elastic?
  • What is the difference at that point with writing a backend into the react application (e.g. using node and express)?
  • What is the added value taking into account the built-in security from elasticsearch (usernames, password, apikey, certificates, https,…)?
  • I am reading a lot about using a VPN or tunneling. I have the impression that these solutions are more geared towards a corporate-collaborative approach. Let's say I am running my front-end on a live server; I can use tunneling to show my work to colleagues or my employer. A VPN would be more realistic for allowing employees (wish I had them, just a CS student here) to access e.g. the database within my private network (let's say an employee needs to access Kibana to adapt something, let's say an API key, just making something up here); he/she could use a VPN connection for that.

Thank you so much for helping me clarify the above-mentioned points!

2 Answers


  1. TLS, authorisation and access control are free for the Elastic Stack, and have been for a while. I’d start by looking at the docs, as it’s an easy way to natively secure your cluster

    • For nginx: it can be useful for rate limiting, or blocking specific queries, for example. However, it's another thing to configure and maintain.
    • From a client POV it would really only matter if you are using the official Elasticsearch clients, and you use nginx and make changes to the way the API would respond to the client (e.g. path rewrites, rate limiting).
    • It's free, it's native, and it's easy to manage via Kibana.
    • I'd follow the docs to secure Elasticsearch and then see if you need this at some point in the future. This would be handled outside Elasticsearch anyway, and you'd still want to secure Elasticsearch.
  2. The point in exposing Elasticsearch nodes directly to the internet is a higher vulnerability in principle. You should follow the rule of the least "surface" of your system on the internet.

    A good practice is to hide from the internet whatever doesn't need to be there, even if it is well protected. It takes ~20 minutes to get cyber attacks on any exposed service (see a showcase).

    So I suggest you install a private network, such as a traditional VPN or an SDP product such as Shieldoo Mesh.
