Home Explore Help
Register Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 0c500e5264
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
using-ip-filtering.asciidoc

using-ip-filtering.asciidoc 6.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170 
  1. [role="xpack"]
    2. 

  2. [[ip-filtering]]
    3. 

  3. == Restricting connections with IP filtering
    4. 

  4. 

  5. You can apply IP filtering to application clients, node clients, or transport
    6. 

  6. clients, remote cluster clients, in addition to other nodes that are attempting to join the cluster.
    7. 

  7. 

  8. If a node's IP address is on the denylist, the {es} {security-features} allow
    9. 

  9. the connection to {es} but it is be dropped immediately and no requests are
    10. 

  10. processed.
    11. 

  11. 

  12. NOTE: Elasticsearch installations are not designed to be publicly accessible
    13. 

  13.       over the Internet. IP Filtering and the other capabilities of the
    14. 

  14.       {es} {security-features} do not change this condition.
    15. 

  15. 

  16. [discrete]
    17. 

  17. === Enabling IP filtering
    18. 

  18. 

  19. The {es} {security-features} contain an access control feature that allows or
    20. 

  20. rejects hosts, domains, or subnets. If the
    21. 

  21. <<operator-privileges,{operator-feature}>> is enabled, only operator users can
    22. 

  22. update these settings.
    23. 

  23. 

  24. You configure IP filtering by specifying the `xpack.security.transport.filter.allow` and
    25. 

  25. `xpack.security.transport.filter.deny` settings in `elasticsearch.yml`. Allow rules
    26. 

  26. take precedence over the deny rules.
    27. 

  27. 

  28. IMPORTANT: Unless explicitly specified, `xpack.security.http.filter.*` and
    29. 

  29. `xpack.security.remote_cluster.filter.*` settings default to
    30. 

  30. the corresponding `xpack.security.transport.filter.*` setting's value.
    31. 

  31. 

  32. [source,yaml]
    33. 

  33. --------------------------------------------------
    34. 

  34. xpack.security.transport.filter.allow: "192.168.0.1"
    35. 

  35. xpack.security.transport.filter.deny: "192.168.0.0/24"
    36. 

  36. --------------------------------------------------
    37. 

  37. 

  38. The `_all` keyword can be used to deny all connections that are not explicitly
    39. 

  39. allowed.
    40. 

  40. 

  41. [source,yaml]
    42. 

  42. --------------------------------------------------
    43. 

  43. xpack.security.transport.filter.allow: [ "192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4" ]
    44. 

  44. xpack.security.transport.filter.deny: _all
    45. 

  45. --------------------------------------------------
    46. 

  46. 

  47. IP filtering configuration also support IPv6 addresses.
    48. 

  48. 

  49. [source,yaml]
    50. 

  50. --------------------------------------------------
    51. 

  51. xpack.security.transport.filter.allow: "2001:0db8:1234::/48"
    52. 

  52. xpack.security.transport.filter.deny: "1234:0db8:85a3:0000:0000:8a2e:0370:7334"
    53. 

  53. --------------------------------------------------
    54. 

  54. 

  55. You can also filter by hostnames when DNS lookups are available.
    56. 

  56. 

  57. [source,yaml]
    58. 

  58. --------------------------------------------------
    59. 

  59. xpack.security.transport.filter.allow: localhost
    60. 

  60. xpack.security.transport.filter.deny: '*.google.com'
    61. 

  61. --------------------------------------------------
    62. 

  62. 

  63. [discrete]
    64. 

  64. === Disabling IP Filtering
    65. 

  65. 

  66. Disabling IP filtering can slightly improve performance under some conditions.
    67. 

  67. To disable IP filtering entirely, set the value of the `xpack.security.transport.filter.enabled`
    68. 

  68. setting in the `elasticsearch.yml` configuration file to `false`.
    69. 

  69. 

  70. [source,yaml]
    71. 

  71. --------------------------------------------------
    72. 

  72. xpack.security.transport.filter.enabled: false
    73. 

  73. --------------------------------------------------
    74. 

  74. 

  75. You can also disable IP filtering for the transport protocol but enable it for
    76. 

  76. HTTP only.
    77. 

  77. 

  78. [source,yaml]
    79. 

  79. --------------------------------------------------
    80. 

  80. xpack.security.transport.filter.enabled: false
    81. 

  81. xpack.security.http.filter.enabled: true
    82. 

  82. --------------------------------------------------
    83. 

  83. 

  84. [discrete]
    85. 

  85. === Specifying TCP transport profiles
    86. 

  86. 

  87. <<transport-profiles,TCP transport profiles>>
    88. 

  88. enable Elasticsearch to bind on multiple hosts. The {es} {security-features} enable you to apply
    89. 

  89. different IP filtering on different profiles.
    90. 

  90. 

  91. [source,yaml]
    92. 

  92. --------------------------------------------------
    93. 

  93. xpack.security.transport.filter.allow: 172.16.0.0/24
    94. 

  94. xpack.security.transport.filter.deny: _all
    95. 

  95. transport.profiles.client.xpack.security.filter.allow: 192.168.0.0/24
    96. 

  96. transport.profiles.client.xpack.security.filter.deny: _all
    97. 

  97. --------------------------------------------------
    98. 

  98. 

  99. NOTE: When you do not specify a profile, `default` is used automatically.
    100. 

  100. 

  101. [discrete]
    102. 

  102. === HTTP filtering
    103. 

  103. 

  104. You may want to have different IP filtering for the transport and HTTP protocols.
    105. 

  105. 

  106. [source,yaml]
    107. 

  107. --------------------------------------------------
    108. 

  108. xpack.security.transport.filter.allow: localhost
    109. 

  109. xpack.security.transport.filter.deny: '*.google.com'
    110. 

  110. xpack.security.http.filter.allow: 172.16.0.0/16
    111. 

  111. xpack.security.http.filter.deny: _all
    112. 

  112. --------------------------------------------------
    113. 

  113. 

  114. [discrete]
    115. 

  115. === Remote cluster (API key based model) filtering
    116. 

  116. 

  117. If other clusters connect <<remote-clusters-api-key,using API key
    118. 

  118. authentication>> for {ccs} or {ccr}, you may want to have different IP filtering
    119. 

  119. for the remote cluster server interface.
    120. 

  120. 

  121. [source,yaml]
    122. 

  122. --------------------------------------------------
    123. 

  123. xpack.security.remote_cluster.filter.allow: 192.168.1.0/8
    124. 

  124. xpack.security.remote_cluster.filter.deny: 192.168.0.0/16
    125. 

  125. xpack.security.transport.filter.allow: localhost
    126. 

  126. xpack.security.transport.filter.deny: '*.google.com'
    127. 

  127. xpack.security.http.filter.allow: 172.16.0.0/16
    128. 

  128. xpack.security.http.filter.deny: _all
    129. 

  129. --------------------------------------------------
    130. 

  130. 

  131. NOTE: Whether IP filtering for remote cluster is enabled is controlled by
    132. 

  132. `xpack.security.transport.filter.enabled` as well. This means filtering for
    133. 

  133. the remote cluster and transport interfaces must be enabled or disabled together.
    134. 

  134. But the exact allow and deny lists can be different between them.
    135. 

  135. 

  136. [discrete]
    137. 

  137. [[dynamic-ip-filtering]]
    138. 

  138. === Dynamically updating IP filter settings
    139. 

  139. 

  140. In case of running in an environment with highly dynamic IP addresses like cloud
    141. 

  141. based hosting, it is very hard to know the IP addresses upfront when provisioning
    142. 

  142. a machine. Instead of changing the configuration file and restarting the node,
    143. 

  143. you can use the _Cluster Update Settings API_. For example:
    144. 

  144. 

  145. [source,console]
    146. 

  146. --------------------------------------------------
    147. 

  147. PUT /_cluster/settings
    148. 

  148. {
    149. 

  149.   "persistent" : {
    150. 

  150.     "xpack.security.transport.filter.allow" : "172.16.0.0/24"
    151. 

  151.   }
    152. 

  152. }
    153. 

  153. --------------------------------------------------
    154. 

  154. 

  155. You can also dynamically disable filtering completely:
    156. 

  156. 

  157. [source,console]
    158. 

  158. --------------------------------------------------
    159. 

  159. PUT /_cluster/settings
    160. 

  160. {
    161. 

  161.   "persistent" : {
    162. 

  162.     "xpack.security.transport.filter.enabled" : false
    163. 

  163.   }
    164. 

  164. }
    165. 

  165. --------------------------------------------------
    166. 

  166. // TEST[continued]
    167. 

  167. 

  168. NOTE: In order to avoid locking yourself out of the cluster, the default bound
    169. 

  169.       transport address will never be denied. This means you can always SSH into
    170. 

  170.       a system and use curl to apply changes.
    171.