
Add basic authentication and TLS using Apache

Install the Apache web server

To install the Apache web server execute the following commands:

  • Debian:

    $ sudo apt-get install apache2
    
  • CentOS:

    $ sudo yum install httpd
    

Add HTTP basic authentication

To add basic authentication to ElasticSearch it is necessary to configure Apache as a reverse proxy. Follow these steps:

  • Install Apache web server as described above.

  • Extra steps only for CentOS:

    Edit /etc/httpd/conf/httpd.conf and add the following line at the end of the file:

    IncludeOptional sites-enabled/*.conf
    

    Create the VirtualHost directories:

    $ sudo mkdir /etc/httpd/sites-available
    $ sudo mkdir /etc/httpd/sites-enabled
    
  • Create a new VirtualHost with the following content. If you are using Debian create it at /etc/apache2/sites-available/elasticsearch-http-vhost.conf, if you are using CentOS create it at /etc/httpd/sites-available/elasticsearch-http-vhost.conf:

    <VirtualHost 127.0.0.1:80 _default_:80>
      ServerAlias *
      ProxyPass / http://127.0.0.1:9200/
      ProxyPassReverse / http://127.0.0.1:9200/
      AllowEncodedSlashes On
      <Location />
        AuthType Basic
        AuthName "Introduce your ElasticSearch credentials."
        AuthBasicProvider file
        AuthUserFile /opt/bitnami/passwd
        Require user bitnami
      </Location>
    </VirtualHost>
    
  • Execute the following command to generate the Apache passwords file:

    $ sudo htpasswd -c /opt/bitnami/passwd bitnami
    

    Where /opt/bitnami/passwd is the file that will be created and bitnami is the new user. You will be prompted for a new password and its confirmation.

    TIP: To use a user other than bitnami, run sudo htpasswd -c /opt/bitnami/apachePasswords <your user> instead. Then edit /etc/apache2/sites-available/elasticsearch-http-vhost.conf in Debian, or /etc/httpd/sites-available/elasticsearch-http-vhost.conf in CentOS, and set the following directive:

     Require user <your user>
    

    To use a different password file, add the following directive to the /etc/apache2/sites-available/elasticsearch-http-vhost.conf file in Debian, or /etc/httpd/sites-available/elasticsearch-http-vhost.conf in CentOS:

     AuthUserFile <your password file>
    
  • Enable the newly created virtual host:

    • Debian:

      $ sudo ln -s /etc/apache2/sites-available/elasticsearch-http-vhost.conf /etc/apache2/sites-enabled/
      
    • CentOS:

      $ sudo ln -s /etc/httpd/sites-available/elasticsearch-http-vhost.conf /etc/httpd/sites-enabled/
      
  • Enable the mod_proxy and mod_proxy_http modules:

    • Debian:

      $ sudo a2enmod proxy_http
      
    • CentOS:

    To check whether these modules are loaded, execute the command below:

    $ httpd -M
    

    If these modules do not appear in the list, enable them by editing the /etc/httpd/conf.modules.d/00-base.conf file to add these lines:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    
  • Check that the configuration is correct:

    $ sudo apachectl configtest
    
  • Restart the Apache server (on CentOS the service is named httpd rather than apache2):

    $ sudo systemctl restart apache2
    
  • Try to access your server without credentials and check that the request is rejected as unauthorized:

    $ curl -L 127.0.0.1
    
  • Access it using the credentials (replace bitnami with your user in case you have changed it):

    $ curl -L http://bitnami:<password>@127.0.0.1/
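
The Basic authentication configured above only protects Elasticsearch if port 9200 cannot be reached except through Apache. The shell check below is an added example, not part of the original guide; it assumes the listener list comes from ss -ltnH, and its sample lines are constructed:

```shell
#!/bin/sh
# Added example: audit `ss -ltnH` output for a backend port that is reachable
# without passing through the authenticating proxy.

# Prints each non-loopback local address listening on the port (default 9200).
exposed_listeners() {
    awk -v port="${1:-9200}" '
        $1 == "LISTEN" {
            local_addr = $4
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next
            # Drop ":port", then any %scope, [] brackets and IPv4-mapped prefix.
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)
            sub(/^\[/, "", addr)
            sub(/\]$/, "", addr)
            sub(/^::ffff:/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            print local_addr
        }'
}

# Succeeds only when every listener on the port is bound to loopback.
backend_is_loopback_only() {
    [ -z "$(exposed_listeners "${1:-9200}")" ]
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SAFE='LISTEN 0 4096 [::ffff:127.0.0.1]:9200 *:*
LISTEN 0 4096 [::1]:9200 [::]:*
LISTEN 0 511 *:80 *:*'
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:9200 0.0.0.0:*
LISTEN 0 511 *:80 *:*'

# On a live host: ss -ltnH | backend_is_loopback_only 9200
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners 9200
```

Any address this prints is a path to Elasticsearch that skips the proxy and its password check.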
    

Add TLS support and HTTPS basic authentication

  • Install Apache web server as described above.

  • Configure the certificate

    • Option 1: Using your own domain

    If you are using your own domain, download the bncert tool to create the certificates using Let’s Encrypt. Ensure that the domain’s DNS configuration correctly reflects the host’s IP address before executing the commands below. This DNS configuration can be checked using a website like https://www.whatsmydns.net/.

    $ sudo wget -O bncert-linux-x64.run https://downloads.bitnami.com/files/bncert/latest/bncert-linux-x64.run
    $ sudo mkdir /opt/bitnami/bncert
    $ sudo mv bncert-linux-x64.run /opt/bitnami/bncert/
    $ sudo chmod +x /opt/bitnami/bncert/bncert-linux-x64.run
    $ sudo ln -s /opt/bitnami/bncert/bncert-linux-x64.run /opt/bitnami/bncert-tool
    
    • Option 2: Using localhost as domain

    If you are not using your own domain and want to use localhost, create the file /tmp/createCertificates.sh with the following content:

    openssl req -x509 -out localhost.crt -keyout localhost.key \
    -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=localhost' -extensions EXT -config <( \
    printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
    

    Now, execute the file:

    $ sudo bash /tmp/createCertificates.sh
    

    The files localhost.crt and localhost.key should have been generated in the directory from which you ran the script.

  • Extra steps only for CentOS:

    Edit /etc/httpd/conf/httpd.conf and add the following line at the end of the file:

    IncludeOptional sites-enabled/*.conf
    

    Create the VirtualHost directories:

    $ sudo mkdir /etc/httpd/sites-available
    $ sudo mkdir /etc/httpd/sites-enabled
    
  • Create a new VirtualHost with the following content. If you are using Debian create it at /etc/apache2/sites-available/elasticsearch-https-vhost.conf, if you are using CentOS create it at /etc/httpd/sites-available/elasticsearch-https-vhost.conf:

    <VirtualHost 127.0.0.1:443 _default_:443>
      ServerAlias *
      # Enable TLS for this virtual host; without it Apache serves plain HTTP on port 443
      SSLEngine on
      SSLCertificateFile "/opt/bitnami/localhost.crt"
      SSLCertificateKeyFile "/opt/bitnami/localhost.key"
      ProxyPass / http://127.0.0.1:9200/
      ProxyPassReverse / http://127.0.0.1:9200/
      <Location />
        AuthType Basic
        AuthName "Introduce your ElasticSearch credentials."
        AuthBasicProvider file
        AuthUserFile /opt/bitnami/passwd
        Require user bitnami
      </Location>
    </VirtualHost>
    

    Replace the paths in the following lines with the paths to your certificates:

    SSLCertificateFile "/opt/bitnami/localhost.crt"
    SSLCertificateKeyFile "/opt/bitnami/localhost.key"
    
  • Execute the following command to generate the Apache passwords file:

    $ sudo htpasswd -c /opt/bitnami/passwd bitnami
    

    Where /opt/bitnami/passwd is the file that will be created and bitnami is the new user. You will be prompted for a new password and its confirmation.

    TIP: To use a user other than bitnami, run sudo htpasswd -c /opt/bitnami/apachePasswords <your user> instead. Then edit /etc/apache2/sites-available/elasticsearch-https-vhost.conf in Debian, or /etc/httpd/sites-available/elasticsearch-https-vhost.conf in CentOS, and set the following directive:

       Require user <your user>
    

    To use a different password file, add the following directive to the /etc/apache2/sites-available/elasticsearch-https-vhost.conf file in Debian, or /etc/httpd/sites-available/elasticsearch-https-vhost.conf in CentOS:

       AuthUserFile <your password file>
    
  • Enable the newly created virtual host:

    • Debian:

      $ sudo ln -s /etc/apache2/sites-available/elasticsearch-https-vhost.conf /etc/apache2/sites-enabled/
      
    • CentOS:

      $ sudo ln -s /etc/httpd/sites-available/elasticsearch-https-vhost.conf /etc/httpd/sites-enabled/
      
  • Enable the mod_proxy, mod_proxy_http, mod_ssl and mod_rewrite modules:

    • Debian:

      $ sudo a2enmod proxy_http ssl rewrite
      
    • CentOS:

    To check whether these modules are loaded, execute the command below:

    $ httpd -M
    

    If these modules do not appear in the list, enable them by editing the /etc/httpd/conf.modules.d/00-base.conf file to add the lines below (on CentOS, mod_ssl is provided by the separate mod_ssl package rather than the base httpd package):

    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    
  • Check that the configuration is correct:

    $ sudo apachectl configtest
    
  • Restart the Apache server (on CentOS the service is named httpd rather than apache2):

    $ sudo systemctl restart apache2
    
  • Try to access your server without credentials and check that the request is rejected as unauthorized:

    $ curl -kL https://127.0.0.1
    
  • Access it using the credentials (replace bitnami with your user in case you have changed it):

    $ curl -kL https://bitnami:<password>@127.0.0.1/
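
Before restarting Apache it is worth confirming that the vhost on port 443 really enables TLS and that Basic authentication is not offered on a vhost without it. The linter below is an added example, not part of the original guide; its function name and sample vhosts are constructed for illustration:

```shell
#!/bin/sh
# Added example: lint Apache vhost definitions read on stdin.
# Prints "<vhost addresses>: <finding>" for each problem found.
lint_vhosts() {
    awk '
        function report(msg) { print addr ": " msg }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        tolower($0) ~ /^<virtualhost[ \t]/ {
            addr = $0
            sub(/^<[^ \t]+[ \t]+/, "", addr); sub(/>$/, "", addr)
            in_vh = 1; ssl = 0; cert = 0; key = 0; basic = 0
            next
        }
        tolower($0) ~ /^<\/virtualhost>/ {
            if (addr ~ /:443( |$)/ && !ssl) report("port 443 without SSLEngine on")
            if (ssl && !(cert && key)) report("TLS on but certificate or key missing")
            if (basic && !ssl) report("Basic auth credentials cross the wire unencrypted")
            in_vh = 0
            next
        }
        in_vh {
            d = tolower($1); v = tolower($2)
            if (d == "sslengine" && v == "on") ssl = 1
            if (d == "sslcertificatefile") cert = 1
            if (d == "sslcertificatekeyfile") key = 1
            if (d == "authtype" && v == "basic") basic = 1
        }'
}

# Constructed inputs modelled on the vhosts in this guide.
HTTPS_OK='<VirtualHost 127.0.0.1:443 _default_:443>
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/localhost.crt"
  SSLCertificateKeyFile "/opt/bitnami/localhost.key"
  <Location />
    AuthType Basic
  </Location>
</VirtualHost>'
HTTPS_NO_ENGINE='<VirtualHost _default_:443>
  SSLCertificateFile "/opt/bitnami/localhost.crt"
  AuthType Basic
</VirtualHost>'

# On a live host: lint_vhosts < /etc/apache2/sites-available/elasticsearch-https-vhost.conf
printf '%s\n' "$HTTPS_NO_ENGINE" | lint_vhosts
```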
    

Use both configurations at the same time

It is possible to use both configurations at the same time with the same passwords file, so you only have to create it once. Running htpasswd with -c a second time recreates the file and discards the users already in it.

Also, the VirtualHosts can be placed either in different files or in the same file. The content of the following files can be merged:

  • Debian:

    /etc/apache2/sites-available/elasticsearch-https-vhost.conf and /etc/apache2/sites-available/elasticsearch-http-vhost.conf

  • CentOS:

    /etc/httpd/sites-available/elasticsearch-https-vhost.conf and /etc/httpd/sites-available/elasticsearch-http-vhost.conf

Last modification August 27, 2020