Setup ElasticSearch to be exposed publicly in read-only mode

[renoirb]

Once we have many indices opened for our infrastructure such as Discuss, MediaWiki, Notes, we might want to open up the possibility to make queries from the open web.

We can’t open ElasticSearch to the wide open without limiting capabilities. We could then use NGINX as a proxy and ensure only non compromising read actions are allowed. Refer to this article on elasticsearch docs

Configuration summary

Note do not use as is, there are more things to limit, and has to be tested.

frontend server (i.e. the ones with public IP address), add a virtual host (e.g. search.webplatform.org) similar to this.

  # List all elastic nodes internally
  upstream upstream_elasticsearch {
    server 10.10.10.2:9200;
    server 10.10.10.3:9200;
    server 10.10.10.4:9200; 
    keepalive 15;
  }

  server {
    server_name search.webplatform.org;
    listen 80;

    location ~* ^(/_cluster|/_nodes) {
      return 403;
      break;
    }

    location / {
      proxy_pass http://upstream_elasticsearch;
      proxy_http_version 1.1;
      proxy_set_header Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";
      proxy_redirect off;
    }
  }