This repository was archived by the owner on Mar 4, 2019. It is now read-only.
README.md (93 additions, 11 deletions)
@@ -1,8 +1,9 @@
1
1
# HTTP Basic auth for ElasticSearch
2
2
3
-
This plugin provides an extension of ElasticSearchs HTTP Transport module to enable HTTP Basic authorization.
3
+
This plugin provides an extension of ElasticSearchs HTTP Transport module to enable HTTP Basic authorization and
4
+
Ip based authorization.
4
5
5
-
Requesting / does not request authentication to simplify health check configuration.
6
+
Requesting `/` does not request authentication to simplify health check configuration.
6
7
7
8
There is no way to configure this on a per index basis.
8
9
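Review bot: the sentence "Requesting `/` does not request authentication" should state which of the two mechanisms `/` bypasses, since this hunk now introduces Ip based authorization next to HTTP Basic: as written a reader cannot tell whether `/` is reachable from any address or only skips the password check for whitelisted ips. Make that explicit (and "does not request" should be "does not require"), keeping the health-check rationale. Minor: "ElasticSearchs" needs an apostrophe ("ElasticSearch's"), and "Ip based" should be spelled consistently with the rest of the README (the new section uses lowercase "ip" throughout, the table uses "ipwhitelist").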
@@ -22,35 +23,116 @@ Download the current version from https://github.com/Asquera/elasticsearch-http-
22
23
23
24
Once the plugin is installed it can be configured in the [elasticsearch modules configuration file](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html#settings). See the [elasticserach directory layout information](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-dir-layout.html) for more information about the default paths of an ES installation.
|`http.basic.enabled`| true |**true** disables the default ES HTTP Transport module |
29
+
|`http.basic.user`| "admin" ||
30
+
|`http.basic.password`| "admin_pw" ||
31
+
|`http.basic.ipwhitelist`|["localhost", "127.0.0.1"]| uses Host Name Resolution from [java.net.InetAddress](http://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html)|
32
+
|`http.basic.trusted_proxy_chains`|[]| Set an array of trusted proxies ips chains |
33
+
|`http.basic.log`| false | enables plugin logging to ES log. Unauthenticated requests are always logged. |
34
+
|`http.basic.xforward`| "" | most common is [X-Forwarded-For](http://en.wikipedia.org/wiki/X-Forwarded-For)|
33
35
34
36
Be aware that the password is stored in plain text.
35
37
38
+
## Ip based authentication
39
+
40
+
A client is **authenticated iff** its **request** is **trusted** and its **ip is whitelisted**.
41
+
A Request from a client connected *directly* (direct client) is **trusted**. Its ip is the request ip.
42
+
A Request form a client connected *via proxies* (remote client) is **trusted iff** there is a tail
43
+
subchain of the request chain that matches a tail subchain of the trusted proxy chains.
44
+
45
+
**A tail subchain** of a chain "*A,B,C*" is a subchain that matches it by the end.
46
+
Example: the 3 tail subchains of the ip chain *A,B,C* are:
The request chain of a remote client is obtained following these steps:
51
+
52
+
- read the request's xforward configured header field.
53
+
- remove the xforwarded defined client's ip (first listed ip as defined by X-Forwarded-For) from it.
54
+
- append the request ip to it.
55
+
56
+
The ip chain of a remote client is the ip previous to the longest trusted tail subchain .Is the ip used to check
57
+
against the whitelist.
58
+
59
+
60
+
### Request chain checks
61
+
62
+
Having the following configuration:
63
+
64
+
http.basic.xforward = 'X-Forwarded-For'
65
+
http.basic.trusted_proxy_chains = ["B,C", "Z"]
66
+
67
+
#### Trusted cases:
68
+
69
+
- A remote client with ip *A* connects to [server] via proxies with ips *B* and *C*. *X-Forwarded-For* header has "*A,B*", removing the client's ip "*A*" and adding the request ip *C*, the resulting chain *B,C* matches a trusted tail subchain. Client's ip is A.
70
+
71
+
[A] --> B --> C --> [server]
72
+
73
+
- A remote client with ip *A* connects to [server] via proxies with ips *R*, *P*, *B* and *C*. *X-Forwarded-For* header has "*A,R,P,B*".
74
+
Removing the client's ip "*A*" and adding the request ip *C* , the resulting chain ** matches a trusted tail subchain. **note**: in this case "*P*" is taken as the client's ip, and checked against the white list. Client's ip is P.
75
+
76
+
[A] --> R --> P --> B --> C --> [server]
77
+
78
+
- A remote client with ip *A* connects to [server] via *C*. *X-Forwarded-For* header has
79
+
*A*, removing the client's ip *A* and adding the request ip *C*, the resulting chain *C* matches a trusted tail subchain. Client's ip is A.
80
+
81
+
[A] --> C --> [server]
82
+
83
+
- client *A* connects directly to [server]. *X-Forwarded-For* header is not set. Client's ip is A.
84
+
85
+
[A] --> [server]
86
+
87
+
#### Untrusted cases:
88
+
89
+
- A remote client with ip *A* connects to [server] via *D*. *X-Forwarded-For* header has
90
+
"*A*", removing the client's ip "*A*" and adding the request ip *D*, the resulting chain *D* doesn't match any trusted sub ip chain.
91
+
92
+
[A] --> D --> [server]
93
+
94
+
- A remote client with ip *X* connects to proxy with ip *C* passing a faked *X-Forwarded-For* header "*R*". *C* will check the IP of the request and add it to the *X-Forwarded-For* field. the server will receive and *X-Forwarded-For* header
95
+
as: "*R,X*", remove the client's ip "*R*", add the request ip "*C*" and finally drop the request, as "*X,C*" doesn't match the trusted ip.
96
+
97
+
[X] -- R --> C --> [server]
98
+
99
+
36
100
### configuration example
37
101
38
-
The following code enables plugin logging, and sets user and password:
102
+
The following code enables plugin logging, sets user and password, sets chain
103
+
"1.1.1.1,2.2.2.2" as trusted , whitelists ip 3.3.3.3 and defines xforward
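Review bot: the second untrusted case contradicts the trust rule defined earlier in this hunk. The rule says a request is trusted iff some tail subchain of the request chain matches a tail subchain of a trusted proxy chain, and the third trusted case relies on exactly that: the chain *C* is trusted because *C* is a tail subchain of "B,C". By the same rule the chain *X,C* in the faked-header example also has the tail subchain *C*, so it would be trusted with *X* taken as the client's ip and checked against the whitelist, not dropped for "not matching the trusted ip". Either the example should say the request is rejected because *X* is not whitelisted, or the rule must be tightened (for instance, only a complete trusted chain counts) and the third trusted case revised accordingly; both cannot stand as written. In the second trusted case the chain text is empty ("the resulting chain ** matches"); from the steps given it should read *R,P,B,C*. Wording: "A Request form a client" should be "from"; "The ip chain of a remote client is the ip previous to the longest trusted tail subchain .Is the ip used to check against the whitelist." should be one sentence, e.g. "The client's ip of a remote client is the ip immediately preceding the longest trusted tail subchain; this is the ip checked against the whitelist." In the table, "Set an array of trusted proxies ips chains" reads better as "array of trusted proxy ip chains", and the `http.basic.log` row ("Unauthenticated requests are always logged") should say whether requests rejected by the ip check are included, since that is what an operator would grep for when a proxy chain is misconfigured.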