
Add basic authentication and TLS using Apache

Install the Apache web server

To install the Apache web server execute the following commands:

    $ sudo apt-get install apache2

Add HTTP basic authentication

Elasticsearch itself does not ask for credentials in this setup, so access control is added in front of it: Apache is configured as a reverse proxy that requires HTTP Basic credentials and forwards authenticated requests to Elasticsearch on 127.0.0.1:9200. This only protects anything if port 9200 cannot be reached except through the proxy, so keep Elasticsearch bound to localhost (or block port 9200 in the firewall). Follow these steps:

  • Install Apache web server as described above.

  • Create a new VirtualHost at /etc/apache2/sites-available/elasticsearch-http-vhost.conf with the following content:

      <VirtualHost 127.0.0.1:80 _default_:80>
        ServerAlias *
        ProxyPass / http://127.0.0.1:9200/
        ProxyPassReverse / http://127.0.0.1:9200/
        AllowEncodedSlashes On
        <Location />
          AuthType Basic
          AuthName "Introduce your Elasticsearch credentials."
          AuthBasicProvider file
          AuthUserFile /opt/bitnami/passwd
          Require user bitnami
        </Location>
      </VirtualHost>
    
  • Execute the following command to generate the Apache password file:

      $ sudo htpasswd -c /opt/bitnami/passwd bitnami
    

    Where /opt/bitnami/passwd is the file that will be created (-c overwrites the file if it already exists; omit it when adding users to an existing file) and bitnami is the new user. You will be prompted for a new password and its confirmation. By default htpasswd stores an MD5-based hash; add the -B flag to store a bcrypt hash instead.

    TIP: To use a different user name instead of bitnami, pass that name to htpasswd in place of bitnami. Then edit the /etc/apache2/sites-available/elasticsearch-http-vhost.conf file and replace the Require directive with:

     Require user <your user>
    

    To use a different password file, pass its path to htpasswd in place of /opt/bitnami/passwd and change the AuthUserFile directive in the same file to:

     AuthUserFile <your password file>
    
  • Enable the newly created virtual host (the a2ensite helper creates the same link):

          $ sudo ln -s /etc/apache2/sites-available/elasticsearch-http-vhost.conf /etc/apache2/sites-enabled/
    
  • Enable the mod_proxy and mod_proxy_http modules (mod_proxy is enabled automatically because proxy_http depends on it):

          $ sudo a2enmod proxy_http
    
  • Check that the configuration is correct:

      $ sudo apachectl configtest
    
  • Restart the Apache server:

      $ sudo systemctl restart apache2
    
  • Try to access your server and check that the request is rejected with 401 Unauthorized:

      $ curl -L 127.0.0.1
    
  • Access it using the credentials (replace bitnami with your user in case you have changed it). A password embedded in the URL ends up in the shell history and in any intermediate logs; curl's -u option, which prompts for the password when only the user name is given, avoids that:

      $ curl -L http://bitnami:<password>@127.0.0.1/
    
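The steps above (and the HTTPS variant further down) are easy to get subtly wrong: a password file created without -B keeps MD5 hashes, and the proxy is pointless if port 9200 is still reachable directly. The following script is an added example, not part of the Bitnami page or stack: it audits an htpasswd file for weak hash formats and checks the proxy from the outside. It assumes curl is installed, that BASE_URL, the user name and password are yours, and that ES_HOST is the public address of the machine; set INSECURE=-k only while using the self-signed localhost certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the Bitnami page): audit the htpasswd file and
# verify the Apache reverse proxy in front of Elasticsearch.
#
# Assumptions: curl is available; BASE_URL/USER/PASS/ES_HOST below are
# placeholders for your deployment; INSECURE is empty unless you are
# testing against the self-signed localhost certificate.
INSECURE=${INSECURE:-}

# Classify one htpasswd hash. htpasswd writes bcrypt only when called with
# -B; its default ($apr1$, MD5-based), {SHA} and crypt(3) entries are weak.
hash_kind() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
    '$apr1$'*)               echo md5 ;;
    '{SHA}'*)                echo sha1 ;;
    *)                       echo crypt-or-plain ;;
  esac
}

# Return 0 when every entry in the file uses bcrypt, 1 otherwise.
# Lines are "user:hash"; blank lines and # comments are ignored.
audit_htpasswd() {
  weak=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    user=${line%%:*}
    hash=${line#*:}
    kind=$(hash_kind "$hash")
    if [ "$kind" != bcrypt ]; then
      echo "WEAK  $user uses $kind (regenerate with: htpasswd -B $1 $user)" >&2
      weak=1
    fi
  done < "$1"
  return $weak
}

# HTTP status code of a request; -s -o /dev/null drops the body, -w prints
# only the status. $INSECURE is intentionally unquoted (empty or -k).
status_of() {
  curl $INSECURE -s -o /dev/null -w '%{http_code}' "$@"
}

# Expect 401 without credentials and 200 with them. -u keeps the password
# out of the URL, so it is not written to shell history or access logs.
check_proxy_auth() {
  base=$1 user=$2 pass=$3
  unauth=$(status_of "$base/")
  auth=$(status_of -u "$user:$pass" "$base/")
  [ "$unauth" = 401 ] && [ "$auth" = 200 ]
}

# Elasticsearch must not answer on 9200 from outside the host, otherwise the
# proxy can simply be bypassed. curl exits 7 (connection refused) or
# 28 (timeout, i.e. filtered by a firewall) when the port is closed.
check_es_not_exposed() {
  rc=0
  curl -s -m 5 -o /dev/null "http://$1:9200/" || rc=$?
  [ "$rc" = 7 ] || [ "$rc" = 28 ]
}

# Usage (placeholders): run the three checks against a live deployment.
#   audit_htpasswd /opt/bitnami/passwd
#   check_proxy_auth https://example.org bitnami "$PASS"
#   check_es_not_exposed example.org
```

Run the audit first; if it reports MD5 entries, recreate them with htpasswd -B. check_proxy_auth works for both the HTTP and the HTTPS VirtualHost (change BASE_URL), and check_es_not_exposed should be run from a machine other than the Elasticsearch host, since from the host itself 127.0.0.1:9200 is meant to answer.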

Add TLS support and HTTPS basic authentication

  • Install Apache web server as described above.

  • Configure the certificate

    • Option 1: Using your own domain

    If you are using your own domain, download the bncert tool to obtain certificates from Let's Encrypt. Ensure that the domain's DNS configuration correctly reflects the host's IP address before executing the commands below, because Let's Encrypt validates ownership by connecting to the domain; the DNS configuration can be checked using a website like https://www.whatsmydns.net/. After the commands below, run the linked tool as root and follow its prompts, then point the SSLCertificateFile and SSLCertificateKeyFile directives further down at the certificate and key it creates.

      $ sudo wget -O bncert-linux-x64.run https://downloads.bitnami.com/files/bncert/latest/bncert-linux-x64.run
      $ sudo mkdir /opt/bitnami/bncert
      $ sudo mv bncert-linux-x64.run /opt/bitnami/bncert/
      $ sudo chmod +x /opt/bitnami/bncert/bncert-linux-x64.run
      $ sudo ln -s /opt/bitnami/bncert/bncert-linux-x64.run /opt/bitnami/bncert-tool
    
    • Option 2: Using localhost as domain

    If you are not using your own domain and want to use localhost, create the file /tmp/createCertificates.sh with the following content:

      openssl req -x509 -out localhost.crt -keyout localhost.key \
      -newkey rsa:2048 -nodes -sha256 \
      -subj '/CN=localhost' -extensions EXT -config <( \
      printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
    

    Now, execute the file from the directory where the certificate and key should be stored (the VirtualHost below expects them in /opt/bitnami). The script uses bash process substitution, so it must be run with bash:

      $ sudo bash /tmp/createCertificates.sh
    

    The files localhost.crt and localhost.key should have been generated in the current directory. Keep the key readable by root only (mode 600). Because the certificate is self-signed, clients have to be told to trust it explicitly; the -k flag in the curl commands below skips that verification.

  • Create a new VirtualHost at /etc/apache2/sites-available/elasticsearch-https-vhost.conf with the following content (SSLEngine on is required: without it the VirtualHost on port 443 serves plain HTTP):

      <VirtualHost 127.0.0.1:443 _default_:443>
        ServerAlias *
        SSLEngine on
        SSLCertificateFile "/opt/bitnami/localhost.crt"
        SSLCertificateKeyFile "/opt/bitnami/localhost.key"
        ProxyPass / http://127.0.0.1:9200/
        ProxyPassReverse / http://127.0.0.1:9200/
        AllowEncodedSlashes On
        <Location />
          AuthType Basic
          AuthName "Introduce your Elasticsearch credentials."
          AuthBasicProvider file
          AuthUserFile /opt/bitnami/passwd
          Require user bitnami
        </Location>
      </VirtualHost>
    

    Replace the following lines with the paths to your certificate and key (for Option 1, the files created by the bncert tool):

      SSLCertificateFile "/opt/bitnami/localhost.crt"
      SSLCertificateKeyFile "/opt/bitnami/localhost.key"
    
  • Execute the following command to generate the Apache password file:

      $ sudo htpasswd -c /opt/bitnami/passwd bitnami
    

    Where /opt/bitnami/passwd is the file that will be created (-c overwrites the file if it already exists; omit it when adding users to an existing file) and bitnami is the new user. You will be prompted for a new password and its confirmation. By default htpasswd stores an MD5-based hash; add the -B flag to store a bcrypt hash instead. If you already created the file for the HTTP VirtualHost, reuse it and skip this step.

    TIP: To use a different user name instead of bitnami, pass that name to htpasswd in place of bitnami. Then edit the /etc/apache2/sites-available/elasticsearch-https-vhost.conf file and replace the Require directive with:

       Require user <your user>
    

    To use a different password file, pass its path to htpasswd in place of /opt/bitnami/passwd and change the AuthUserFile directive in the same file to:

       AuthUserFile <your password file>
    
  • Enable the newly created virtual host (the a2ensite helper creates the same link):

          $ sudo ln -s /etc/apache2/sites-available/elasticsearch-https-vhost.conf /etc/apache2/sites-enabled/
    
  • Enable the mod_proxy, mod_proxy_http, mod_ssl and mod_rewrite modules (mod_proxy is enabled automatically as a dependency of proxy_http; mod_rewrite is not used by the VirtualHost above, but is needed if you later redirect plain HTTP to HTTPS):

          $ sudo a2enmod proxy_http ssl rewrite
    
  • Check that the configuration is correct:

      $ sudo apachectl configtest
    
  • Restart the Apache server:

      $ sudo systemctl restart apache2
    
  • Try to access your server and check that the request is rejected with 401 Unauthorized. The -k flag is only needed for the self-signed localhost certificate; with a Let's Encrypt certificate drop it so that curl verifies the certificate chain:

      $ curl -kL https://127.0.0.1
    
  • Access it using the credentials (replace bitnami with your user in case you have changed it). As with the HTTP variant, curl's -u option keeps the password out of the URL and the shell history:

      $ curl -kL https://bitnami:<password>@127.0.0.1/
    

Use both configurations at the same time

Both VirtualHosts can be enabled at the same time and can share the same password file, so you only have to create it once. Keep in mind that Basic credentials sent to the plain HTTP VirtualHost travel in clear text; if both stay enabled, the port 80 VirtualHost should only redirect clients to HTTPS rather than proxy requests to Elasticsearch.

The VirtualHosts can be placed either in different files or in the same file. The content of the following files can be merged:

/etc/apache2/sites-available/elasticsearch-https-vhost.conf and /etc/apache2/sites-available/elasticsearch-http-vhost.conf
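The following merged configuration is an added example, not a file shipped by Bitnami: it combines both VirtualHosts in one file, but the port 80 VirtualHost only redirects to HTTPS (using mod_rewrite, which the steps above enable) so that Basic credentials are never accepted in clear text. It assumes the certificate, key and password file paths used on this page; with the Let's Encrypt option, replace the certificate and key paths with the files bncert created.

```apache
# Added example (not from the Bitnami page). Replaces both
# elasticsearch-http-vhost.conf and elasticsearch-https-vhost.conf.
# Assumes: a2enmod proxy_http ssl rewrite has been run, the password file is
# /opt/bitnami/passwd, and the certificate/key live in /opt/bitnami.

# Plain HTTP: never proxy or authenticate here, only send clients to HTTPS.
<VirtualHost 127.0.0.1:80 _default_:80>
  ServerAlias *
  RewriteEngine On
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS: TLS termination, Basic authentication, then proxy to Elasticsearch.
<VirtualHost 127.0.0.1:443 _default_:443>
  ServerAlias *
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/localhost.crt"
  SSLCertificateKeyFile "/opt/bitnami/localhost.key"
  # Refuse the legacy protocol versions; modern clients negotiate TLS 1.2+.
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

  AllowEncodedSlashes On
  ProxyPass / http://127.0.0.1:9200/
  ProxyPassReverse / http://127.0.0.1:9200/

  <Location />
    AuthType Basic
    AuthName "Introduce your Elasticsearch credentials."
    AuthBasicProvider file
    AuthUserFile /opt/bitnami/passwd
    Require user bitnami
  </Location>
</VirtualHost>
```

Save it as a single file under /etc/apache2/sites-available/, link it into sites-enabled in place of the two separate files, and run apachectl configtest before restarting Apache. Elasticsearch must still listen on 127.0.0.1 only: the redirect and the authentication live in Apache, so a directly reachable port 9200 would bypass both.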

Last modification May 10, 2022