You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fixed security problem in ip authentication.
security problem introduced in commit 53d1cf8
changes:
- remove usage of 'Host' header to identify client's ip
- the request ip is used to ip authenticate direct connected clients
- add usage of trusted proxy chain
- the trusted proxy chain is used to ip authenticate indirect connected clients
- added unit and integration tests
- updated log messages
remove uncompatible code
Download the current version from https://github.com/Asquera/elasticsearch-http-basic/releases and copy it to `plugins/http-basic`.
19
27
20
28
## Configuration
21
29
22
-
The plugin is disabled by default. Enabling basic authorization will disable the default HTTP Transport module.
30
+
Once the plugin is installed it can be configured in the [elasticsearch modules configuration file](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html#settings). See the [elasticserach directory layout information](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-dir-layout.html) for more information about the default paths of an ES installation.
|`http.basic.enabled`| true |**true** disables the default ES HTTP Transport module |
35
+
|`http.basic.user`| "admin" ||
36
+
|`http.basic.password`| "admin_pw" ||
37
+
|`http.basic.ipwhitelist`|["localhost", "127.0.0.1"]| uses Host Name Resolution from [java.net.InetAddress](http://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html)|
38
+
|`http.basic.trusted_proxy_chains`|[]| Set an array of trusted proxies ips chains |
39
+
|`http.basic.log`| false | enables plugin logging to ES log. Unauthenticated requests are always logged. |
40
+
|`http.basic.xforward`| "" | most common is [X-Forwarded-For](http://en.wikipedia.org/wiki/X-Forwarded-For)|
41
+
42
+
Be aware that the password is stored in plain text.
43
+
44
+
## Ip based authentication
45
+
46
+
A client is **authenticated iff** its **request** is **trusted** and its **ip is whitelisted**.
47
+
A Request from a client connected *directly* (direct client) is **trusted**. Its ip is the request ip.
48
+
A Request form a client connected *via proxies* (remote client) is **trusted iff** there is a tail
49
+
subchain of the request chain that matches a tail subchain of the trusted proxy chains.
50
+
51
+
**A tail subchain** of a chain "*A,B,C*" is a subchain that matches it by the end.
52
+
Example: the 3 tail subchains of the ip chain *A,B,C* are:
The request chain of a remote client is obtained following these steps:
57
+
58
+
- read the request's xforward configured header field.
59
+
- remove the xforwarded defined client's ip (first listed ip as defined by X-F
F438
orwarded-For) from it.
60
+
- append the request ip to it.
61
+
62
+
The ip chain of a remote client is the ip previous to the longest trusted tail subchain .Is the ip used to check
63
+
against the whitelist.
64
+
65
+
66
+
### Request chain checks
67
+
68
+
Having the following configuration:
69
+
70
+
http.basic.xforward = 'X-Forwarded-For'
71
+
http.basic.trusted_proxy_chains = ["B,C", "Z"]
72
+
73
+
#### Trusted cases:
74
+
75
+
- A remote client with ip *A* connects to [server] via proxies with ips *B* and *C*. *X-Forwarded-For* header has "*A,B*", removing the client's ip "*A*" and adding the request ip *C*, the resulting chain *B,C* matches a trusted tail subchain. Client's ip is A.
76
+
77
+
[A] --> B --> C --> [server]
78
+
79
+
- A remote client with ip *A* connects to [server] via proxies with ips *R*, *P*, *B* and *C*. *X-Forwarded-For* header has "*A,R,P,B*".
80
+
Removing the client's ip "*A*" and adding the request ip *C* , the resulting chain ** matches a trusted tail subchain. **note**: in this case "*P*" is taken as the client's ip, and checked against the white list. Client's ip is P.
81
+
82
+
[A] --> R --> P --> B --> C --> [server]
83
+
84
+
- A remote client with ip *A* connects to [server] via *C*. *X-Forwarded-For* header has
85
+
*A*, removing the client's ip *A* and adding the request ip *C*, the resulting chain *C* matches a trusted tail subchain. Client's ip is A.
86
+
87
+
[A] --> C --> [server]
88
+
89
+
- client *A* connects directly to [server]. *X-Forwarded-For* header is not set. Client's ip is A.
90
+
91
+
[A] --> [server]
92
+
93
+
#### Untrusted cases:
94
+
95
+
- A remote client with ip *A* connects to [server] via *D*. *X-Forwarded-For* header has
96
+
"*A*", removing the client's ip "*A*" and adding the request ip *D*, the resulting chain *D* doesn't match any trusted sub ip chain.
97
+
98
+
[A] --> D --> [server]
99
+
100
+
- A remote client with ip *X* connects to proxy with ip *C* passing a faked *X-Forwarded-For* header "*R*". *C* will check the IP of the request and add it to the *X-Forwarded-For* field. the server will receive and *X-Forwarded-For* header
101
+
as: "*R,X*", remove the client's ip "*R*", add the request ip "*C*" and finally drop the request, as "*X,C*" doesn't match the trusted ip.
102
+
103
+
[X] -- R --> C --> [server]
104
+
105
+
106
+
### configuration example
107
+
108
+
The following code enables plugin logging, sets user and password, sets chain
109
+
"1.1.1.1,2.2.2.2" as trusted , whitelists ip 3.3.3.3 and defines xforward
0 commit comments