Restricting Elasticsearch cluster connection to only certain IPs

Hi,

I have a 3 node cluster with

a) XXX.XXX.X.59 as master
b) XXX.XXX.X.60 and XXX.XXX.X.61 as data nodes.

I have installed the Search Guard plugin on all these nodes and generated TLS certificates by running the install_demo_configuration.sh script.

Now I want to restrict communication with this cluster to other external IPs, say XXX.XXX.X.70 and XXX.XXX.X.62, which are not in the cluster, i.e., I shouldn’t be able to query or connect to the ES cluster from anywhere other than these IPs.

Do I need to generate certificates for the above IPs also?

How can I do this? What changes do I need to make to the elasticsearch.yml file?

Please provide me assistance.

Search Guard does not provide IP whitelisting for the following reasons:

  • It’s more in the domain of loadbalancers, firewalls or proxies

  • If you have a production setup with multiple nodes, you will have a loadbalancer anyways

  • IPs can be spoofed, so relying on IP whitelisting does not give you high security standards

We might consider IP whitelisting for SG6, but at the moment you can’t do it with SG alone.

(In reply to the post by Goli Navya of Thursday, June 22, 2017 at 12:55:25 PM UTC+2.)

Is IP whitelisting possible with NGINX?

Absolutely, there are plenty of tutorials out there.

(In reply to the post by Goli Navya of Thursday, June 22, 2017 at 1:11:43 PM UTC+2.)
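The NGINX approach mentioned in the thread, sketched as an added example that is not from any of the posters or from the Search Guard project. It assumes the nodes serve REST over HTTPS on port 9200; every address, hostname and file path below is a constructed placeholder, because the thread masks the real IPs.

```nginx
# Added example: reverse proxy that admits only two client IPs.
# All addresses, names and paths are placeholders (constructed).
events {}

http {
    upstream es_cluster {
        # REST ports of the three cluster nodes (placeholder addresses)
        server 10.0.0.59:9200;
        server 10.0.0.60:9200;
        server 10.0.0.61:9200;
    }

    server {
        listen 443 ssl;
        server_name es-proxy.example.internal;

        ssl_certificate     /etc/nginx/tls/proxy.crt;
        ssl_certificate_key /etc/nginx/tls/proxy.key;

        # ngx_http_access_module: rules are evaluated in order and the
        # first match wins, so "deny all" must come last.
        allow 192.0.2.70;   # stands in for XXX.XXX.X.70
        allow 192.0.2.62;   # stands in for XXX.XXX.X.62
        deny  all;          # everyone else receives 403

        location / {
            proxy_pass https://es_cluster;

            # Verify the node certificates against the CA that signed them.
            proxy_ssl_trusted_certificate /etc/nginx/tls/root-ca.pem;
            proxy_ssl_verify on;
            # Must match a name present in the node certificates (placeholder).
            proxy_ssl_name node.example.internal;

            proxy_set_header Host $host;
        }
    }
}
```

The allow list only holds if clients cannot reach ports 9200 and 9300 on the nodes directly, so a host or network firewall should limit those ports to the proxy and the cluster nodes. The proxy filters by source address only; Search Guard authentication and TLS stay in place behind it.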