简单的方法使弹性搜索服务器只读 [英] easy way to make an elasticsearch server read-only

问题描述

只需将一堆json数据上传到弹性搜索服务器即可获得基本查询API即可，很多选项非常简单

It's really easy to just upload a bunch of json data to an elasticsearch server to have a basic query api, with lots of options

我只想知道是否有简单的方式发布它，防止人们修改它。

I'd just like to know if there's and easy way to publish it all preventing people from modifying it

从默认设置，服务器打开，将收到一个DELETE或PUT http消息，将修改数据。

From the default setting, the server is open ot receive a DELETE or PUT http message that would modify the data.

是否有某种设置将其配置为只读？或者我应该配置某种http代理来实现吗？

Is there some kind of setting to configure it to be read-only? Or shall I configure some kind of http proxy to achieve it?

（我是一个弹性搜索新手）

(I'm an elasticsearch newbie)

推荐答案

如果要将Elasticsearch API公开为只读，我认为最好的方法是将Nginx放在它的前面，并拒绝除了GET之外的所有请求。一个示例配置如下所示：

If you want to expose the Elasticsearch API as read-only, I think the best way is to put Nginx in front of it, and deny all requests except GET. An example configuration looks like this:

# Run me with:
#
#     $ nginx -c path/to/this/file
#
# All requests except GET are denied.

worker_processes  1;
pid               nginx.pid;

events {
    worker_connections  1024;
}

http {

  server {

    listen       8080;
    server_name  search.example.com;

    error_log   elasticsearch-errors.log;
    access_log  elasticsearch.log;

    location / {
      if ($request_method !~ "GET") {
        return 403;
        break;
      }

      proxy_pass http://localhost:9200;
      proxy_redirect off;

      proxy_set_header  X-Real-IP  $remote_addr;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  Host $http_host;
    }

  }

}

然后：

curl -i -X GET http://localhost:8080/_search -d '{"query":{"match_all":{}}}'
HTTP/1.1 200 OK

curl -i -X POST http://localhost:8080/test/test/1 -d '{"foo":"bar"}'
HTTP/1.1 403 Forbidden

curl -i -X DELETE http://localhost:8080/test/
HTTP/1.1 403 Forbidden

请注意，恶意用户仍然可能会弄乱您的服务器，例如发送错误的脚本有效内容，这将使弹性搜索被卡住，但是对于大多数目的而言，这种方法将会很好。

Note, that a malicious user could still mess up your server, for instance sending incorrect script payloads, which would make Elasticsearch get stuck, but for most purposes, this approach would be fine.

如果您需要更多的关于代理的控制，您可以使用更复杂的Nginx配置，或写一个专用的代理，例如。在Ruby或Node.js中。

If you would need more control about the proxying, you can either use more complex Nginx configuration, or write a dedicated proxy eg. in Ruby or Node.js.

请参阅此示例用于更复杂的基于Ruby的代理。

See this example for a more complex Ruby-based proxy.

这篇关于简单的方法使弹性搜索服务器只读的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！