
Block all non-localhost connections by default

Open blag opened this issue 10 years ago • 4 comments

Installing this on a public-facing web server leaves the elasticsearch server open to the world on port 9200.

There are two ways to fix this.

  1. From ServerFault:

    iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -j DROP
    
  2. From StackOverflow: In /etc/elasticsearch/elasticsearch.yml:

    network.host: 127.0.0.1
    

I'm not entirely sure how to fix this without forking the Docker image, because that will only fix it for me, not for everybody. Is there a good way to do this?

blag, Jun 03 '14 09:06
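A check for the exposure described in the post above, as an added example that is not part of the original thread or the plugin's code: it scans `ss -ltn` output for listeners on 9200/9300 that are not loopback-only and checks the `network.host` line of an `elasticsearch.yml`. The sample `ss` output and all function names are constructed for illustration, and an unset `network.host` is treated as exposed because that is the behavior this issue reports.

```python
import ipaddress

ES_PORTS = {9200, 9300}  # the two ports named in this thread

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:9300      0.0.0.0:*
LISTEN 0      128          0.0.0.0:9200      0.0.0.0:*
LISTEN 0      128            [::1]:9200         [::]:*
LISTEN 0      128             [::]:9300         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""

def is_loopback(host):
    """True only for addresses that stay on the local machine."""
    host = host.strip("[]").split("%")[0]  # drop brackets and any %iface scope
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*", empty, or an unverifiable hostname: assume exposed
        return False

def exposed_listeners(ss_output, ports=ES_PORTS):
    """Return (host, port) for each listener on an ES port that is not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            findings.append((host.strip("[]"), int(port)))
    return findings

def config_binds_loopback(yml_text):
    """Check network.host in elasticsearch.yml text; unset counts as exposed."""
    for line in yml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments
        if line.startswith("network.host:"):
            return is_loopback(line.split(":", 1)[1].strip().strip("\"'"))
    return False

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {host}:{port}")
    print("config ok:", config_binds_loopback("network.host: 127.0.0.1\n"))
```
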

I'm hit by an ES vulnerability and want to use docker/dokku to host the next one, and this is exactly the issue I want to understand. I need to run ES and allow only whitelisted clients to connect.

To approach it, I thought of the following scenario.

  1. Deploy elasticsearch with this plugin.
  2. Create a simple node.js proxy and run it with dokku.
  3. Link the elasticsearch container to the proxy.
  4. Prevent access to 9200/9300 with the commands you posted above.

It seems that by doing that, elasticsearch.yml could be left at its defaults, except that dynamic scripts have to be disabled, since that's the source of the vulnerability as well.

I don't see any command to update elasticsearch.yml, can it be changed inside the container?

If you solved that issue, I would really appreciate hearing about your experience.

alexbeletsky, Jul 07 '14 18:07

I did end up simply forking this entire project - Docker files and everything.

Here is my Dockerfile repository: https://github.com/blag/dokku-elasticsearch-dockerfiles

And here is my dokku plugin repository: https://github.com/blag/dokku-elasticsearch-plugin

I have updated my dockerfiles repository to add a VOLUME for /etc/elasticsearch, so you should be able to modify elasticsearch.yml outside of the Docker image (once you have mounted it), and then restart the container with the new settings.

I will add the infrastructure to mount the VOLUME and restart the container to my dokku plugin fork tonight.

blag, Jul 07 '14 18:07

I have updated my dokku plugin to have a config directory in ~dokku/$APP/elasticsearch/volumes/config.

Note that this new code is untested, but it solves part of your problem.

blag, Jul 07 '14 19:07

@blag great. I think I'll stick to your plugin then. Will dig into the code a bit later. Thanks for your help.

alexbeletsky, Jul 07 '14 20:07