
I have installed Elasticsearch on my VPS and it allows me to reach results this way:

```
curl -XGET 'localhost:9200/customer/external/1?pretty&pretty'
```

However, security does not allow me to reach results from outside of localhost.

Here is advice to set `network.host: 0.0.0.0` in elasticsearch.yml, but this exposes the whole API to everyone - it is possible for anyone to delete indices as well. I have also read about limiting all other requests, except GET, at the nginx level.

None of these solutions makes sense to me. I want a simple solution to be able to reach results from outside of localhost. How can I achieve that as simply as possible? Should I stick with Elasticsearch Clients?

Pavol Travnik
  • You can use an [SSH tunnel](http://stackoverflow.com/questions/37425761/ssh-tunnel-for-elasticsearch) from your host to the one on which ES runs. – Val Jan 24 '17 at 07:49
  • My point is to create a website where I can use search and go through results. I seek a similar function to what the Google search bar has. But I do not understand how anyone can use the GET method while all others are forbidden. How can I ask from outside of localhost, via HTTP request, only for Elasticsearch results? Imagine that only this request would be possible: `curl -XGET 'mydomain.com:9200/customer/external/1?pretty&pretty'` – Pavol Travnik Jan 24 '17 at 08:04
  • If you intend to query ES directly from client-side JavaScript within your website, then I strongly advise against it. You should have some kind of backend server in between that relays the calls. – Val Jan 24 '17 at 08:15
  • That is why I was suspicious about the solutions I saw before. I would like to see a really simple implementation of this, e.g. written in PHP or another backend language if possible. So are [Elasticsearch Clients](https://www.elastic.co/guide/en/elasticsearch/client/index.html) an answer? – Pavol Travnik Jan 24 '17 at 09:31
  • Yes, using the ES PHP client from within your PHP code, you have full freedom to call whatever you like in ES without having to open your ES cluster to the world. There are of course other more involved solutions (using [XPack Security](https://www.elastic.co/guide/en/x-pack/current/xpack-security.html), formerly Shield), but for starters this is more than good enough. – Val Jan 24 '17 at 09:34
  • Hi, so I finally made same solution and I would like to know your opinion. I used Flask to manage HTTP calls in JSON. Basically it manages access to my localhost. Is this solution safe enough? 1. The user uses the POST method to send JSON to the server (he cannot use any other method). 2. Then it is parsed in Flask (security will be handled later). 3. Flask calls Elasticsearch. 4. Flask returns the response in JSON format back to the user. https://github.com/pavoltravnik/examples/blob/master/page.py – Pavol Travnik Jan 25 '17 at 16:34
  • As long as you have some application in the middle (here Flask) that relays the client calls, you're good. That's not immune to other bugs, though ;-) – Val Jan 25 '17 at 16:37
  • Yes, I understand that. So I think you answered my question by your second comment. Thank you! – Pavol Travnik Jan 25 '17 at 17:29
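
The relay pattern settled on in the comments above, as an added example that is not part of the original thread and not the code linked in it: Elasticsearch stays bound to localhost, and a small backend accepts POSTed JSON, validates it, and builds the one search query it is willing to run. It uses plain WSGI from the standard library instead of Flask so it runs without dependencies; the field name `name`, the size and body limits, and the bind address are assumptions, and only the `customer` index comes from the question.

```python
import json
import urllib.request

# Assumptions: index "customer" is from the question; field name and limits are hypothetical.
ES_SEARCH_URL = "http://localhost:9200/customer/_search"
ALLOWED_FIELDS = {"name"}
MAX_SIZE, MAX_BODY = 50, 4096

def build_es_query(payload):
    """Map untrusted client JSON onto one fixed query shape, or raise ValueError."""
    if not isinstance(payload, dict) or set(payload) - {"q", "field", "size"}:
        raise ValueError("unexpected request shape")
    q, field, size = payload.get("q"), payload.get("field", "name"), payload.get("size", 10)
    if not isinstance(q, str) or not 0 < len(q) <= 200:
        raise ValueError("q must be a short non-empty string")
    if not isinstance(field, str) or field not in ALLOWED_FIELDS:
        raise ValueError("field not allowed")
    if type(size) is not int or not 1 <= size <= MAX_SIZE:
        raise ValueError("size out of range")
    return {"size": size, "query": {"match": {field: q}}}

def search_es(query):
    """The only call the relay ever makes: a search against one index on localhost."""
    req = urllib.request.Request(ES_SEARCH_URL, data=json.dumps(query).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def app(environ, start_response, backend=search_es):
    """WSGI relay: the client supplies search terms, never the ES verb, path or query DSL."""
    def reply(status, body):
        data = json.dumps(body).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(data)))])
        return [data]
    if environ.get("REQUEST_METHOD") != "POST":
        return reply("405 Method Not Allowed", {"error": "POST only"})
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        if not 0 < length <= MAX_BODY:
            raise ValueError("missing or oversized body")
        query = build_es_query(json.loads(environ["wsgi.input"].read(length)))
    except (ValueError, KeyError):
        return reply("400 Bad Request", {"error": "invalid request"})
    hits = backend(query).get("hits", {}).get("hits", [])
    return reply("200 OK", {"results": [h.get("_source") for h in hits]})

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Because the relay returns only `_source` from the hits and rejects any key it does not know, a client cannot reach index deletion, other indices, or scripted queries through it.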
