Restricting direct access to port, but allow port forwarding in Nginx

Question

I'm trying to restrict direct access to elasticsearch on port 9200, but allow Nginx to proxy pass to it.

This is my config at the moment:

server {
        listen 80;
        return 301;
}

server {

        listen *:5001;

        location / {
                auth_basic "Restricted";
                auth_basic_user_file /var/data/nginx-elastic/.htpasswd;

                proxy_pass http://127.0.0.1:9200;
                proxy_read_timeout 90;
        }
}

This almost works as I want it to. I can access my server on port 5001 to hit elasticsearch and must enter credentials as expected.

However, I'm still able to hit :9200 and avoid the HTTP authentication, which defeats the point. How can I prevent access to this port, without restricting nginx? I've tried this:

server {
        listen *:9200;
        return 404;
}

But I get:

nginx: [emerg] bind() to 0.0.0.0:9200 failed (98: Address already in use)

as it conflicts with elasticsearch.

There must be a way to do this! But I can't think of it.

EDIT:

I've edited based on a comment and summarised the question:

I want to lock down < serverip >:9200, and basically only allow access through port 5001 (which is behind HTTP Auth). 5001 should proxy to 127.0.0.1:9200 so that elasticsearch is accessible only through 5001. All other access should 404 (or 301, etc).

to get things straight: you want to protect against direct access of ES from localhost to localhost? ES has to listen on some port and in case it listens on localhost:9200 only, one has to assume, that the machine itself is "safe". so usually you would run your nginx on :9200 and ES on localhost:9200 and then proxy to protect ES from *outside*. to protect connections from localhost to localhost you will need something preventing this for local users (maybe systrace or alike can be of help here - depending on OS). — cfrick, Apr 01 '14 at 18:19
@cfrick Yes, this is what I meant. I don't think I was as clear as I should have been when mentioning localhost. I want to lock down :9200, and basically only allow access through port 5001 (which is behind HTTP Auth). 5001 should proxy to 127.0.0.1:9200 so that elasticsearch is accessible only through 5001. All other access should 404 (or 301, etc). — James, Apr 01 '14 at 20:54

score 9 · Accepted Answer · answered Apr 02 '14 at 08:02

9

add this in your ES config to ensure it only binds to localhost

network.host: 127.0.0.1
http.host: 127.0.0.1

then ES is only accessible from localhost and not the world.

make sure this is really the case with the tools of your OS. e.g. on unix:

$ netstat -an | grep -i 9200
tcp4       0      0 127.0.0.1.9200         *.*                    LISTEN

in any case I would lock down the machine using the OS firewall to really only allow the ports you want and not only rely on proper binding. why is this important? because ES also runs its cluster communication on another port (9300) and evil doers might just connect there.

answered Apr 02 '14 at 08:02

cfrick

35,203
6
56
68

1

Perfect. This is exactly what I wanted. Thanks for the heads up on 9300 too, I'll take a look. – James Apr 02 '14 at 09:18
The above seems to control :9300 binding as well. – toddkaufmann Aug 09 '14 at 16:39
1

@toddkaufmann yes, `network.host` is for the communication port 9300 and `http.host` for the client port 9200 – cfrick Aug 09 '14 at 19:54
@cfrick how would I do the exact same thing but for Kibana (on port 5601) - since it has to be public facing, being the frontend? – COB Apr 03 '20 at 15:44

Restricting direct access to port, but allow port forwarding in Nginx

1 Answers1