How do I enable remote access in Elasticsearch 5.2.0 from selected devices/computers only?


Problem description

Currently, I am running Elasticsearch 5.2.0 on my DigitalOcean server. To remotely access the REST APIs of Elasticsearch, I made the following change in the config/elasticsearch.yml file:

network.host: 0.0.0.0

With this change, I am able to access the elasticsearch apis from anywhere using request:

http://server_url:9200/......

But, I want to access the elasticsearch apis only from local and selected devices/computers.

For example, to access only from localhost (within the server) and computerA, I have tried configuring as:

network.host: [_computerAIp_,_local_]

But it's not working. How do I configure it to achieve this requirement?

Solution

The Elasticsearch network.host setting in elasticsearch.yml sets the bind address for incoming HTTP traffic and node-to-node communication.

From the look of your bit of code, it seems you are confusing it with the IP addresses of the clients for IP filtering.

Here in elasticsearch.yml configuration you can do the following -

1) Change the HTTP traffic port (default is 9200) for incoming HTTP traffic using http.port: 9200.

2) Change the TCP port for transport clients for node-to-node communication using transport.tcp.port: 9300.

3) You can change the bind address where the Elasticsearch server listens for traffic using network.bind_host: 192.168.0.1. You can change this to 'network.bind_host: localhost' to restrict public access.

For more detailed info on configuration, please refer to this and the official documentation.

Now, to achieve what you are trying to do, I suggest you use the Shield plugin, which now comes free with X-Pack. Shield offers IP filtering support, where you can define the IP addresses that can access your Elasticsearch.

The Shield plugin will allow you to block or allow IP addresses for accessing your Elasticsearch server by extending the same elasticsearch.yml file. After successfully installing the Shield plugin, you will be able to use the shield module in the elasticsearch.yml file.

shield.transport.filter.enabled: false
shield.http.filter.enabled: true
shield.transport.filter.allow: [ "192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4" ]
shield.transport.filter.deny: _all

Now these settings in elasticsearch.yml will be hard settings, and after every change you may have to restart your server. Since you mentioned selected devices and computers, if the IP addresses for those devices change dynamically, Elastic also exposes setting/configuring/changing IP addresses for IP filtering over their REST API as follows, where you can change IP addresses on the fly without any restart:

curl -XPUT localhost:9200/_cluster/settings -d '{
    "persistent" : {
        "shield.transport.filter.allow" : "172.16.0.0/24"
    }
}'

curl -XPUT localhost:9200/_cluster/settings -d '{
    "persistent" : {
        "shield.transport.filter.enabled" : false
    }
}'

This nice REST API for dynamically changing IP addresses for Elastic, along with other features of Shield like authentication, authorization and document-level roles, can help you build a really fancy console interface/application for managing your Elasticsearch cluster.

Please also refer to the Elasticsearch Shield IP filtering documentation for more configuration info.

Hope this helps.
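
Added example (not part of the original answer or of Elastic's documentation): an elasticsearch.yml for 5.2.0 that keeps apart the two things the answer distinguishes, the bind address and the client IP filter, and applies the filter to the HTTP layer that serves port 9200. It assumes a single node with X-Pack security installed and enabled, where the Shield settings are named under the xpack.security prefix; both IP addresses are constructed placeholders.

```yaml
# elasticsearch.yml (added example; all addresses are constructed placeholders)

# Weak setting from the question: listens on every interface, filters nobody.
# network.host: 0.0.0.0

# Not a client filter: network.host only accepts addresses of this server's
# own interfaces, so a remote client's address cannot be bound here.
# network.host: [_computerAIp_, _local_]

# 1) Bind address: where the HTTP listener accepts connections.
#    Loopback plus this server's own public address.
http.host: ["_local_", "198.51.100.20"]   # 198.51.100.20 = this server (placeholder)
http.port: 9200

# 2) Single-node assumption: keep the node-to-node transport port (9300)
#    on loopback so it is not reachable from outside at all.
transport.host: _local_

# 3) Client filter for the REST (HTTP) layer. Only localhost and computerA
#    may connect; every other source address is rejected.
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: ["127.0.0.1", "::1", "203.0.113.10"]   # 203.0.113.10 = computerA (placeholder)
xpack.security.http.filter.deny: _all
```

A host firewall rule that only admits computerA to port 9200 enforces the same restriction below Elasticsearch and is worth keeping alongside the filter.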
