@@ -22,35 +31,116 @@ Download the current version from https://github.com/Asquera/elasticsearch-http-
22
31
23
32
Once the plugin is installed it can be configured in the [elasticsearch modules configuration file](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html#settings). See the [elasticserach directory layout information](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-dir-layout.html) for more information about the default paths of an ES installation.
|`http.basic.enabled`| true |**true** disables the default ES HTTP Transport module |
37
+
|`http.basic.user`| "admin" ||
38
+
|`http.basic.password`| "admin_pw" ||
39
+
|`http.basic.ipwhitelist`|["localhost", "127.0.0.1"]| uses Host Name Resolution from [java.net.InetAddress](http://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html)|
40
+
|`http.basic.trusted_proxy_chains`|[]| Set an array of trusted proxies ips chains |
41
+
|`http.basic.log`| false | enables plugin logging to ES log. Unauthenticated requests are always logged. |
42
+
|`http.basic.xforward`| "" | most common is [X-Forwarded-For](http://en.wikipedia.org/wiki/X-Forwarded-For)|
33
43
34
44
Be aware that the password is stored in plain text.
35
45
46
+
## Ip based authentication
47
+
48
+
A client is **authenticated iff** its **request** is **trusted** and its **ip is whitelisted**.
49
+
A Request from a client connected *directly* (direct client) is **trusted**. Its ip is the request ip.
50
+
A Request form a client connected *via proxies* (remote client) is **trusted iff** there is a tail
51
+
subchain of the request chain that matches a tail subchain of the trusted proxy chains.
52
+
53
+
**A tail subchain** of a chain "*A,B,C*" is a subchain that matches it by the end.
54
+
Example: the 3 tail subchains of the ip chain *A,B,C* are:
The request chain of a remote client is obtained following these steps:
59
+
60
+
- read the request's xforward configured header field.
61
+
- remove the xforwarded defined client's ip (first listed ip as defined by X-Forwarded-For) from it.
62
+
- append the request ip to it.
63
+
64
+
The ip chain of a remote client is the ip previous to the longest trusted tail subchain .Is the ip used to check
65
+
against the whitelist.
66
+
67
+
68
+
### Request chain checks
69
+
70
+
Having the following configuration:
71
+
72
+
http.basic.xforward = 'X-Forwarded-For'
73
+
http.basic.trusted_proxy_chains = ["B,C", "Z"]
74
+
75
+
#### Trusted cases:
76
+
77
+
- A remote client with ip *A* connects to [server] via proxies with ips *B* and *C*. *X-Forwarded-For* header has "*A,B*", removing the client's ip "*A*" and adding the request ip *C*, the resulting chain *B,C* matches a trusted tail subchain. Client's ip is A.
78
+
79
+
[A] --> B --> C --> [server]
80
+
81
+
- A remote client with ip *A* connects to [server] via proxies with ips *R*, *P*, *B* and *C*. *X-Forwarded-For* header has "*A,R,P,B*".
82
+
Removing the client's ip "*A*" and adding the request ip *C* , the resulting chain ** matches a trusted tail subchain. **note**: in this case "*P*" is taken as the client's ip, and checked against the white list. Client's ip is P.
83
+
84
+
[A] --> R --> P --> B --> C --> [server]
85
+
86
+
- A remote client with ip *A* connects to [server] via *C*. *X-Forwarded-For* header has
87
+
*A*, removing the client's ip *A* and adding the request ip *C*, the resulting chain *C* matches a trusted tail subchain. Client's ip is A.
88
+
89
+
[A] --> C --> [server]
90
+
91
+
- client *A* connects directly to [server]. *X-Forwarded-For* header is not set. Client's ip is A.
92
+
93
+
[A] --> [server]
94
+
95
+
#### Untrusted cases:
96
+
97
+
- A remote client with ip *A* connects to [server] via *D*. *X-Forwarded-For* header has
98
+
"*A*", removing the client's ip "*A*" and adding the request ip *D*, the resulting chain *D* doesn't match any trusted sub ip chain.
99
+
100
+
[A] --> D --> [server]
101
+
102
+
- A remote client with ip *X* connects to proxy with ip *C* passing a faked *X-Forwarded-For* header "*R*". *C* will check the IP of the request and add it to the *X-Forwarded-For* field. the server will receive and *X-Forwarded-For* header
103
+
as: "*R,X*", remove the client's ip "*R*", add the request ip "*C*" and finally drop the request, as "*X,C*" doesn't match the trusted ip.
104
+
105
+
[X] -- R --> C --> [server]
106
+
107
+
36
108
### configuration example
37
109
38
-
The following code enables plugin logging, and sets user and password:
110
+
The following code enables plugin logging, sets user and password, sets chain
111
+
"1.1.1.1,2.2.2.2" as trusted , whitelists ip 3.3.3.3 and defines xforward
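Review bot: the second untrusted case (the `[X] -- R --> C --> [server]` example) contradicts the matching rule stated above it. With `http.basic.trusted_proxy_chains = ["B,C", "Z"]`, the resulting chain "X,C" has the tail subchain "C", which is also a tail subchain of "B,C"; the third trusted case relies on exactly this match when it accepts the chain "C". By the stated rule the request is therefore trusted, the longest trusted tail subchain is "C", and the ip preceding it, X (the real peer of proxy C, not the forged "R"), is what gets checked against the whitelist. Either the rule or the example needs changing; if the intent is that the forged header entry is discarded and X is evaluated, say that, since it is the property that makes the scheme safe against spoofed X-Forwarded-For values. Two smaller points in the same region: in the second trusted case the chain is missing from "the resulting chain ** matches a trusted tail subchain" (it should read "*R,P,B,C*"), and the definition "The ip chain of a remote client is the ip previous to the longest trusted tail subchain" does not cover the case where the whole chain matches (the first and third trusted cases, where the examples fall back to the first X-Forwarded-For entry, A); state that fallback explicitly, and "ip chain of a remote client" should be "ip of a remote client".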