How to secure a Digital Ocean Elasticsearch cluster?

I need to expose my ES cluster to the world, and am securing it via Nginx with a proxy *:9201 -> localhost:9200 (working).

However, in order to form a cluster, I am trying to use the private network on DigitalOcean to get the nodes to talk to each other.

How can I expose the node-node transport on the private network interface unsecured, while not exposing port 9200 to the world?

I am trying something like

network.publish_host: 10.128.97.184
http.port: 9200
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: 10.128.97.184,10.128.97.185

in elasticsearch.yml but it's not working, probably because the port 9300 might also be nginx-protected?

My nginx file looks like:

root@els-node-1:~# cat /etc/nginx/sites-enabled/elasticsearch 
server {
  listen                *:9201;
  access_log            /var/log/nginx/elasticsearch.access.log;

  location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;
    proxy_pass http://localhost:9200;
    proxy_read_timeout 90;
  }

}

And I am able to form the cluster, but I can't see how to secure the external 9200 (disable it to all but 127.0.0.1) and keep the internal interface open for addresses like 10.x.x.x

Thanks for help!

Peter Neubauer asked Oct 20 '22 01:10


1 Answer

Even if you use the private network, your ES cluster is not secure as anybody within the same Digital Ocean private network can still access your nodes through the open ports 9200 and 9300 (and potentially other services). Your best bet is to secure your boxes via iptables and only whitelist the IPs you know are your own servers. Drop all incoming and forwarded packages and add explicit rules for the other nodes in the cluster only. Also, use network.bind_host instead of network.publish_host and in addition set up ES to use the eth1 interface only; check out the ES network docs for details.

Oliver answered Nov 01 '22 15:11
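The following is an added example, not code from either post, of what the answer's advice looks like written down: a POSIX shell script that renders an iptables-restore ruleset which drops everything by default, admits the transport port 9300 only from explicitly listed peer IPs on the private interface, keeps 9200 reachable from loopback alone (so the nginx proxy still works), and leaves only the nginx basic-auth port 9201 open to the world; plus the matching network section for elasticsearch.yml. The interface name eth1, the 10.128.97.x addresses, the SSH port, and the ES setting names (network.bind_host, network.publish_host, http.bind_host, transport.tcp.port, the zen discovery keys from the question) are assumptions taken from the thread and the ES 1.x/2.x-era network docs; check them against the docs for the version actually installed before applying anything.

```shell
#!/bin/sh
# Added example (not from the original posts): generate firewall rules and an
# elasticsearch.yml network section that whitelist only known cluster peers.
# Assumptions: DigitalOcean private interface is eth1, SSH listens on 22,
# ES HTTP on 9200, ES transport on 9300, the nginx basic-auth proxy on 9201.

ES_HTTP_PORT=9200
ES_TRANSPORT_PORT=9300
NGINX_PORT=9201
SSH_PORT=22
PRIVATE_IFACE=eth1

# es_firewall_rules <peer-ip> [<peer-ip> ...]
# Prints an iptables-restore(8) ruleset: default DROP on INPUT/FORWARD, one
# ACCEPT per peer for the transport port on the private interface, and LOG
# lines so attempts at 9200/9300 from anywhere else show up in the kernel log.
es_firewall_rules() {
  printf '*filter\n'
  printf ':INPUT DROP [0:0]\n'
  printf ':FORWARD DROP [0:0]\n'
  printf ':OUTPUT ACCEPT [0:0]\n'
  # loopback: this is what lets nginx reach localhost:9200
  printf -- '-A INPUT -i lo -j ACCEPT\n'
  # replies to connections this node opened itself (e.g. to its peers)
  printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  # keep admin access so the default-DROP policy cannot lock us out
  printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$SSH_PORT"
  # the basic-auth nginx proxy is the only world-facing entry point to ES
  printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$NGINX_PORT"
  # node-to-node transport: one explicit rule per peer, private interface only
  for peer in "$@"; do
    printf -- '-A INPUT -i %s -s %s/32 -p tcp --dport %s -j ACCEPT\n' \
      "$PRIVATE_IFACE" "$peer" "$ES_TRANSPORT_PORT"
  done
  # everything else hits the DROP policy; log ES-port attempts first for detection
  printf -- '-A INPUT -p tcp --dport %s -j LOG --log-prefix "es-http-denied: "\n' "$ES_HTTP_PORT"
  printf -- '-A INPUT -p tcp --dport %s -j LOG --log-prefix "es-transport-denied: "\n' "$ES_TRANSPORT_PORT"
  printf 'COMMIT\n'
}

# es_peer_rule_count <ruleset-text>
# Counts the per-peer transport ACCEPT rules in a rendered ruleset (sanity check).
es_peer_rule_count() {
  printf '%s\n' "$1" | grep -c -- "--dport $ES_TRANSPORT_PORT -j ACCEPT"
}

# es_yml <private-ip> <peer-ip> [<peer-ip> ...]
# Prints the network/discovery section for elasticsearch.yml: the transport is
# bound and published on the private address (bind_host, as the answer says,
# plus publish_host so peers connect to the same address), while HTTP is bound
# to loopback only so port 9200 is reachable solely through the nginx proxy.
es_yml() {
  bind_ip=$1; shift
  peers=$(printf '%s,' "$@"); peers=${peers%,}
cat <<EOF
# --- added example section (setting names assumed from ES 1.x/2.x docs) ---
network.bind_host: ${bind_ip}
network.publish_host: ${bind_ip}
transport.tcp.port: ${ES_TRANSPORT_PORT}
http.bind_host: 127.0.0.1
http.port: ${ES_HTTP_PORT}
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ${peers}
EOF
}

# Usage on a node (as root, after reading the rendered output first):
#   es_firewall_rules 10.128.97.185 10.128.97.186 | iptables-restore
#   es_yml 10.128.97.184 10.128.97.184 10.128.97.185 >> /etc/elasticsearch/elasticsearch.yml
```

Each node gets the same script with its own private IP as the bind address and the other nodes' private IPs as peers; because the policy is DROP, a node not on the list simply cannot reach 9300, and the LOG rules give you a kernel-log line to alert on when something on the private network probes the ES ports.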