
Addendum A: Configuration examples

Enabling/disabling proxy/XFF support

To prevent hostname spoofing, XFF support is enabled by default. If you do not run Elasticsearch behind a proxy, you need to disable it explicitly:

# Turns off X-Forwarded-For (XFF) processing on the HTTP layer.
# Meant for clusters that are NOT behind a proxy: with no trusted proxy in
# front, a forwarded-for header can only have been set by the client itself,
# so it must not be used to work out where a request came from.
searchguard:
  dynamic:
    http:
      xff:
        enabled: false

Use HTTP basic auth and validate against the internal user database

# A single authentication domain: HTTP Basic credentials are validated
# against the internal user database.
# NOTE(review): HTTP Basic sends the password base64-encoded, not encrypted,
# with every request. Use this domain only when TLS is enabled on the REST layer.
searchguard:
  dynamic:
    authc:
      basic_internal_auth_domain: 
        enabled: true
        # presumably the position of this domain when several are configured - confirm
        order: 1
        http_authenticator:
          type: basic
          # presumably makes the node answer a request without credentials
          # with a Basic challenge - confirm against the authenticator docs
          challenge: true
        authentication_backend:
          # the internal user database named in the section heading
          type: intern

Use HTTP basic auth and LDAP authentication backend

# HTTP Basic credentials are validated against an LDAP directory.
# NOTE(review): as written, the directory connection uses neither SSL nor
# StartTLS. User passwords submitted over Basic auth are forwarded to the
# directory in clear text. That is tolerable only for a loopback directory
# such as the localhost one shown here; enable one of the two TLS options
# for any directory reached over a network.
searchguard:
  dynamic:
    authc:
      ldap:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            # both transport-security options are off: plain LDAP
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            # presumably only takes effect once SSL or StartTLS is enabled - confirm
            verify_hostnames: true
            hosts:
              - localhost:8389
            # no bind identity is configured; presumably the user search then
            # runs as an anonymous bind - confirm, and prefer a dedicated
            # read-only service account whose password is kept out of VCS
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # {0} looks like the placeholder for the submitted user name;
            # verify that the backend escapes LDAP filter metacharacters in it
            usersearch: '(uid={0})'

Use the client's certificate, no additional authentication backend necessary

# The identity is taken from the client's TLS certificate; no credentials
# are checked against a backend.
# NOTE(review): all trust rests on certificate validation at the TLS layer.
# This domain is only meaningful if REST-layer TLS is enabled, client
# certificates are requested there, and the truststore holds only the CAs
# allowed to issue user certificates. Verify against the TLS settings,
# which are not part of this snippet.
searchguard:
  dynamic:
    authc:
      clientcert_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          # no additional backend lookup, per the section heading
          type: noop

Use the XFF/Proxy authentication, no additional authentication backend necessary

# Proxy authentication: the user name and roles are read from request
# headers set by a fronting proxy; no backend verifies them.
# NOTE(review): any party that can reach the REST port and is treated as an
# internal proxy can assert an arbitrary user and roles. Make sure that
#   - the nodes accept HTTP traffic only from the listed proxies (firewall or
#     bind address), never directly from clients;
#   - the proxy authenticates the user itself, and removes or overwrites
#     client-supplied x-proxy-user, x-proxy-roles and forwarded-for headers.
searchguard:
  dynamic:
    http:
      # presumably rejects requests that carry no credentials rather than
      # mapping them to an anonymous user - confirm
      anonymous_auth_enabled: false
      xff:
        enabled: true
        # Keep this list as narrow as possible: exact addresses with the dots
        # escaped, as here. Confirm that the pattern is matched against the
        # whole address; if it is a substring match, anchor it with ^(...)$.
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'    
    authc:
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            # headers from which the authenticated user and their roles are taken
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          # no additional backend lookup, per the section heading
          type: noop