IMPORTANT NOTICE: versions 1.0.4 is insecure and should not be used.
They have a bug that allows an attacker to get ip authentication by setting
its ip on the 'Host' header.
HTTP Basic / Ip auth for ElasticSearch
This plugin provides an extension of ElasticSearchs HTTP Transport module to enable HTTP basic authentication and/or
Ip based authentication.
Requesting / does not request authentication to simplify health check configuration.
There is no way to configure this on a per index basis.
A client is Ip authenticated iff its request is trusted and its ip is whitelisted.
A Request from a client connected directly (direct client) is by definition trusted. Its ip is the request ip.
A Request form a client connected via proxies (remote client) is trusted iff there is a tail
subchain of the request chain that matches a tail subchain of the trusted proxy chains.
A tail subchain of a chain "A,B,C" is a subchain that matches it by the end.
Example: the 3 tail subchains of the ip chain A,B,C are:
A remote client with ip A connects to [server] via proxies with ips B and C. X-Forwarded-For header has "A,B", removing the client's ip "A" and adding the request ip C, the resulting chain B,C matches a trusted tail subchain. Client's ip is A.
[A] --> B --> C --> [server]
A remote client with ip A connects to [server] via proxies with ips R, P, B and C. X-Forwarded-For header has "A,R,P,B".
Removing the client's ip "A" and adding the request ip C , the resulting chain ** matches a trusted tail subchain. note: in this case "P" is taken as the client's ip, and checked against the white list. Client's ip is P.
[A] --> R --> P --> B --> C --> [server]
A remote client with ip A connects to [server] via C. X-Forwarded-For header has
A, removing the client's ip A and adding the request ip C, the resulting chain C matches a trusted tail subchain. Client's ip is A.
[A] --> C --> [server]
client A connects directly to [server]. X-Forwarded-For header is not set. Client's ip is A.
[A] --> [server]
Untrusted cases:
A remote client with ip A connects to [server] via D. X-Forwarded-For header has
"A", removing the client's ip "A" and adding the request ip D, the resulting chain D doesn't match any trusted sub ip chain.
[A] --> D --> [server]
A remote client with ip X connects to proxy with ip C passing a faked X-Forwarded-For header "R". C will check the IP of the request and add it to the X-Forwarded-For field. the server will receive and X-Forwarded-For header
as: "R,X", remove the client's ip "R", add the request ip "C" and finally drop the request, as "X,C" doesn't match the trusted ip.
[X] -- R --> C --> [server]
configuration example
The following code enables plugin logging, sets user and password, sets chain
"1.1.1.1,2.2.2.2" as trusted , whitelists ip 3.3.3.3 and defines xforward
header as the common 'X-Forwarded-For':
note: localhost is a whitelisted ip as default.
Considering a default configuration with my_username and my_password configured.
Correct credentials
$ curl -v localhost:9200 # works (returns 200) (by default localhost is configured as whitelisted ip)
$ curl -v --user my_username:my_password no_local_host:9200/foo # works (returns 200) (if credentials are set in configuration)
Wrong credentials
$ curl -v --user my_username:wrong_password no_local_host:9200/ # health check, returns 200 with "{\"OK\":{}}" although Unauthorized
$ curl -v --user my_username:password no_local_host:9200/foo # returns 401
Development
Testing
Maven is configured to run the unit and integration tests. This plugin makes
use of ES Integration Tests
We can configure at the cli the version of ES we want to test against:
mvn -Delasticsearch.version=1.5.2 -Dtests.security.manager=false test runs all tests
mvn -Delasticsearch.version=1.5.2 -Dtests.security.manager=false integration runs integration tests only
Packaging
mvn -Delasticsearch.version=1.5.2 -Dtests.security.manager=false package packages the plugin in a jar file
请发表评论