Use Nginx as proxy to prevent create/update/delete operations on ElasticSearch via JavaScript client-side

Question

I have a local ElasticSearch server, made public by Nginx that prevents POST, PUT and DELETE requests. It's my Nginx configuration enough in order to prevent operations beyond information fetching? Do you suggest improvements?

  upstream elasticsearch {
      server localhost:9200;
  }

  server {
      listen 7777;

      location / {
        return 403;
        limit_except PUT POST DELETE {
          proxy_pass http://elasticsearch;
        }
        proxy_redirect off;
      }

  }

Thank you.

[UPDATE]

My configuration after deagh's advice:

  upstream elasticsearch {
      server localhost:9200;
  }

  server {
      listen 7777;

      location / {
        return 403;
        limit_except PUT POST DELETE {
          proxy_pass http://elasticsearch;
        }
        proxy_redirect off;
      }

      location ~* ^(/_cluster|/_nodes|/_shutdown) {
        return 403;
        break;
      }

  }

Answer 1

You should also take care about connections to the different elasticsearh locations like

• _cluster
• _nodes
• _shutdown

You can find more information about a working (and secure) setup of nginx and elasticsearch in the documentation => http://www.elasticsearch.org/blog/playing-http-tricks-nginx/

Answer 2

Thank you, I wasn't aware that you have to protect Elastic X_X

I found a few more _commands via Kibana that you don't normally need and can be blacklisted, in the sense that you can enter a password if you do need it.

# 2020-01-07
# Whitelist: _count, _mget, _search
# Greylist (blacklisted anyway): _analyze, _msearch, _validate
# Blacklist:
location ~* /_(aliases|all|analyze|bulk|cache|cluster|data_frame|delete_by_query|field_caps|flush|forcemerge|ilm|ingest|license|mapping|mappings|migration|ml|monitoring|msearch|mtermvectors|nodes|refresh|scripts|security|shutdown|snapshot|sql|tasks|template|upgrade|update_by_query|validate|watcher)
{
    auth_basic "Elastic1";
    auth_basic_user_file /etc/nginx/.htpasswd;  # create with Apache tool htpasswd

    include proxy_params;
    proxy_cookie_domain <HOSTNAME> $server_name;
    proxy_pass http://10.0.0.1:9201;
}

location /
{
    # Blacklist: CONNECT, DELETE, PATCH, PUT, TRACE
    # Whitelist:
    limit_except GET HEAD OPTIONS POST
    {
        auth_basic "Elastic1";
        auth_basic_user_file /etc/nginx/.htpasswd;  # create with Apache tool htpasswd
    }

    include proxy_params;
    proxy_cookie_domain <HOSTNAME> $server_name;
    proxy_pass http://10.0.0.1:9201;
}