Elasticsearch with apache2 ssl proxy

StackOverflow https://stackoverflow.com/questions/22943552

Question

Recently I have been trying to get Elasticsearch to be usable over SSL. This has taken me on a fun route between apache to nginx to apache to nginx and now finally back to apache.

I needed LDAP for authentication which is why I stopped using nginx. I followed this https://gist.github.com/jerrac/0a8bd96e6c42eb84b6f2 for configuring my apache web server. The good thing is that I am able to access it. The bad thing is elasticsearch doesn't work when trying to look for indices. I use elasticsearch-head to make sure it wasn't anything else but it seems like elasticsearch is still being blocked even though I can reach the kibana webpage. Any help would be appreciated. 

<VirtualHost *:80>

ServerAdmin systems@example.com
ServerName logstash.example.com

DocumentRoot /var/www/kibana/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/kibana/>
Options -Indexes FollowSymLinks -MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>

 RewriteEngine on
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#RewriteRule ^/(.*)$ https://logstash.example.com/$1 [R,L]

 ErrorLog /var/log/apache2/error.log
 CustomLog /var/log/apache2/access.log combined

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin systems@example.com
    ServerName logstash.example.com

  SSLEngine on
  SSLCertificateFile           /etc/ssl/certs/wildcard.example.com.crt
  SSLCertificateKeyFile        /etc/ssl/private/wildcard.example.com.key
  SSLCACertificateFile         /etc/ssl/certs/ca-example.cert
  #RewriteEngine on
  #RewriteCond %{SERVER_NAME} !=logstash.example.com
  #RewriteRule ^/(.*)$ https://logstash.eaxmple.com/$1 [R,L]

 ErrorLog /var/log/apache2/error.log
 CustomLog /var/log/apache2/access.log combined

    DocumentRoot /var/www/kibana/
    <Directory />
            Options FollowSymLinks
            AllowOverride None
    </Directory>
    <Directory /var/www/kibana/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
    </Directory>
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>
 BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [7-9]" ssl-unclean-shutdown
#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    #<Directory "/usr/lib/cgi-bin">
    #        AllowOverride None
    #        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    #        Order allow,deny
    #        Allow from all
    #</Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

<Proxy http://127.0.0.1:9200>
 #<Proxy http://logstash.example.com:9200>
        ProxySet connectiontimeout=5 timeout=90
</Proxy>

# Proxy for _aliases and .*/_search
<LocationMatch "^(/_aliases|.*/_search|.*/_mapping|/_nodes)$">
        #ProxyPassMatch http://logstash.example.com:9200
        #ProxyPassReverse http://logstash.example.com:9200
    ProxyPassMatch http://127.0.0.1:9200
        ProxyPassReverse http://127.0.0.1:9200
</LocationMatch>

# Proxy for kibana-int/{dashboard,temp} stuff (if you don't want auth on /, then you will want these to be protected)
<LocationMatch "^(/kibana-int/dashboard/|/kibana-int/temp).*$">
        #ProxyPassMatch http://logstash.example.com:9200
        #ProxyPassReverse http://logstash.example.com:9200
        ProxyPassMatch http://127.0.0.1:9200
        ProxyPassReverse http://127.0.0.1:9200
</LocationMatch>

</VirtualHost>
</IfModule>
Was it helpful?

Solution

You should be able to do https://myserver/index_name/_search/ with the above configuration, if Kibana is working.

Your LocationMatches only allow very small subsets of information. You can either explicitly list your indexes (e.g., /index1/.*|/index2/.*) or come up with a more flexible mapping (e.g., have a known pattern in the index's name).

<LocationMatch "^/(_aliases|index1/.*|index2/.*|_nodes)$">

It is probably worth noting that it is very dangerous to expose your Elasticsearch database, even if it is using SSL because once you allow unfettered access, then they can fetch all data from them (among other risky operations), which defeats the purpose of encrypting the traffic for the most part.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top