In my opinion the path of least resistance is the following:
First, install the Search Guard Elasticsearch plugin and use the demo installer to generate certificates and the configuration:
Then, disable HTTPS for the moment. We will deal with it later, but eliminate sources of errors for now. In elasticsearch.yml, set:
Now start Elasticsearch and check that you can access the cluster, e.g. using admin/admin.
Next, install the Kibana plugin:
and use the minimal configuration for Search Guard. We use HTTP in the elasticsearch.url here since we disabled it in elasticsearch.yml:
Configure the Kibana internal server user
Disable SSL verification because we use self-signed demo certificates
Start Kibana and check that the login is working properly.
Next, configure logstash and filebeats to use Basic Authentication. Since this is similar to X-Pack, you can refer to the ES documentation for the settings:
In order not to run into permission problems in the first place, use the admin user. This makes sure we can test the setup without struggling with roles for the moment.
With this minimal setup, everything should work again.
The only remaining question is how you actually use the nginx proxy. Does it proxy all requests to Elasticsearch? Does it also sit in front of Kibana?
If you use it only to proxy ES requests, then you need to point Kibana, Logstash and Beats to the proxy, of course. And you need to make sure that the HTTP Basic Auth credentials are passed to upstream as well.
If you want to use HTTPS instead of HTTP (as you should do), then the question is where you want to terminate SSL. If you want to terminate it on the proxy then you will keep the HTTP setting in elasticsearch.yml:
But that means that the traffic between proxy and ES is unencrypted. If you want to terminate SSL on ES/SG, then you need to enable SSL in elasticsearch.yml and use SSL pass through on nginx:
You also need to configure Kibana, Logstash and Beats to use TLS, again you can refer to the ES docs on how to do that.
Hope this helps!
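As an added illustration of the two nginx options described in the answer above (this is example configuration written for this page, not configuration from the Search Guard project or from the poster): option A terminates TLS on nginx and forwards plain HTTP to Elasticsearch, which is the layout where searchguard.ssl.http.enabled stays false and Basic Auth must survive the hop to the upstream; option B is a raw TCP pass-through for the layout where TLS is enabled on Elasticsearch/Search Guard. The hostnames, ports 9243/9244, certificate paths and the 127.0.0.1:9200 upstream are assumptions for the example; Elasticsearch's default HTTP port 9200 and the nginx directives themselves are standard.

```nginx
# Example nginx.conf written for this page (not Search Guard's or the poster's config).
# Only one of the two options is normally deployed; both are shown here on different ports.
events {
    worker_connections 1024;
}

# Option A: TLS terminates on nginx, plain HTTP between nginx and Elasticsearch.
# Matches elasticsearch.yml with searchguard.ssl.http.enabled: false.
# Clients (Kibana, Logstash, Beats) use https://es-proxy.example.internal:9243 (assumed name/port)
# with Basic Auth; Search Guard, not nginx, checks the credentials.
http {
    upstream elasticsearch {
        server 127.0.0.1:9200;   # assumed ES node; traffic on this hop is unencrypted
    }

    server {
        listen 9243 ssl;
        server_name es-proxy.example.internal;

        ssl_certificate     /etc/nginx/tls/es-proxy.crt;   # assumed paths
        ssl_certificate_key /etc/nginx/tls/es-proxy.key;
        ssl_protocols       TLSv1.2;

        location / {
            proxy_pass http://elasticsearch;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            # Do NOT enable auth_basic here and do NOT clear the Authorization header:
            # a leftover 'proxy_set_header Authorization "";' from a pre-Search-Guard setup
            # makes every upstream request fail with 401. Forward the client's header as-is.
            proxy_set_header Authorization $http_authorization;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

# Option B: TLS terminates on Elasticsearch/Search Guard; nginx only relays TCP.
# Matches elasticsearch.yml with searchguard.ssl.http.enabled: true.
# nginx never sees the credentials, so there is nothing to forward; clients must
# trust (or, with the demo certs, skip verification of) the ES certificate.
stream {
    server {
        listen 9244;                 # assumed port for the pass-through listener
        proxy_pass 127.0.0.1:9200;   # ES speaks HTTPS itself on this port
    }
}
```

With option A, Kibana's elasticsearch.url would point at the nginx listener (https://es-proxy.example.internal:9243 in this example) together with elasticsearch.username/elasticsearch.password, and elasticsearch.ssl.verificationMode: none only while the self-signed demo certificates are in use. Whichever option is chosen, a quick check is to request the cluster with curl through the proxy using admin/admin: a 401 on option A almost always means the Authorization header is being stripped before it reaches Search Guard.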
On Sunday, July 29, 2018 at 4:53:33 AM UTC+2, Michael Clark wrote:
ES version 6.3.1, kibana 6.3.1, logstash 6.3.1
I have nginx proxy running and filebeats pumping in logs. I want to add Search Guard but the few times I have tried in my sandbox have broken the stack. Is there a good route to take to add SG to an existing stack? I would really really appreciate any help with this as I want to ball up and cry.