Last active
May 2, 2016 19:37
-
-
Save notpeter/70244930756e2166e2ffc1c021bbc88a to your computer and use it in GitHub Desktop.
SSL Reverse Proxy for Elasticsearch (GET only, HTTP Basic Auth & and path restrictions)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Place this config block inside the http scope of your nginx config. | |
| # Replace with your DNS server. (e.g. VPC 10.12.0.0/16 -> 10.12.0.2) | |
| resolver 8.8.8.8 valid=60s ipv6=off; | |
| server { | |
| listen 9201; | |
| ssl on; | |
| server_name whatever.domain.org; | |
| ssl_certificate /etc/nginx/ssl/whatever.domain.org.crt; | |
| ssl_certificate_key /etc/nginx/ssl/whatever.domain.org.key; | |
| ssl_protocols TLSv1.2 TLSv1.1 TLSv1; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; | |
| # generate with: openssl dhparam -out dhparam.pem 4096 | |
| ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
| # We use a variable so nginx doesn't resovle DNS only at startup. | |
| set $upstream_endpoint http://xyz-abc.us-west-1.es.amazonaws.com:9200; | |
| # install htpasswd: sudo apt-get install apache2-utils | |
| # generate pass hash: htpasswd -c /etc/nginx/htpasswd.elasticsearch username1 | |
| auth_basic "Protected"; | |
| auth_basic_user_file htpasswd.elasticsearch; | |
| if ($request_method !~ "GET") { | |
| return 403; | |
| break; | |
| } | |
| location ~ ^/(_nodes|_cluster|_shutdown) { | |
| return 403; | |
| } | |
| location ~ { | |
| proxy_pass http://$upstream_endpoint; | |
| proxy_http_version 1.1; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment