通过nginx代理无密码访问开启了x-pack验证的elasticsearch

87 阅读 0 评论 58 点赞

我是靠谱客的博主大胆百褶裙，这篇文章主要介绍通过nginx代理无密码访问开启了x-pack验证的elasticsearch，现在分享给大家，希望可以做个参考。

在有些工具中，并没有提供elasticsearch的用户名密码接口，而如果elasticsearch开启了x-pack验证，用户名密码又是必须参数。如果去修改工具实现，代价又太大，所以我们可以选择使用nginx反向代理，使用nginx为请求增加验证，达到无密码访问兼容老工具的目的。

首先，elasticsearch中配置允许通过请求头来验证：

复制代码

1
2
http.cors.allow-headers: Authorization

然后我们先使用curl 加上-u -v参数来访问elasticsearch，观察请求体：

复制代码

curl --user elastic:123456 -v "http://127.0.0.1:11111"

* About to connect() to 127.0.0.1 port 11111 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 11111 (#0)
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Authorization: Basic ZWxhc3RpYzoxMjM0NTY=
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:11111
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.12.2
< Date: Tue, 30 Oct 2018 07:42:06 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 491
< Connection: keep-alive
< 
{
  "name" : "es-wk-node-1",
  "cluster_name" : "es-wk1",
  "cluster_uuid" : "Dc1CiavHRzSCtt4yzImVrA",
  "version" : {
    "number" : "6.4.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "04711c2",
    "build_date" : "2018-09-26T13:34:09.098244Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
curl --user elastic:123456 -v "http://127.0.0.1:11111"

* About to connect() to 127.0.0.1 port 11111 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 11111 (#0)
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Authorization: Basic ZWxhc3RpYzoxMjM0NTY=
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:11111
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.12.2
< Date: Tue, 30 Oct 2018 07:42:06 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 491
< Connection: keep-alive
< 
{
  "name" : "es-wk-node-1",
  "cluster_name" : "es-wk1",
  "cluster_uuid" : "Dc1CiavHRzSCtt4yzImVrA",
  "version" : {
    "number" : "6.4.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "04711c2",
    "build_date" : "2018-09-26T13:34:09.098244Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

通过与不加-u（–user)参数的对比，可以发现差别就是请求头多了一个Authorization参数，而其值是固定的，所以我们在nginx中配置为请求添加此请求头即可。

复制代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
server {
        listen       11111;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            # proxy_set_header user elastic:123456;
            proxy_set_header Authorization 'Basic ZWxhc3RpYzoxMjM0NTY=';
            proxy_pass http://127.0.0.1:19200;
        }
}