Let’s say… you have a product that has some Elasticsearch output, which deals with parsing and indexes, and also comes with a nice dashboard, etc., and let’s suppose… you would like to use this built-in functionality.
And let’s say… the product in question wants to connect to Elasticsearch in an unauthenticated manner over HTTP.
SOLUTION: We can set up the stunnel config as described below.
ATTENTION THOUGH: We should think of additional countermeasures so that not just anyone can access this unauthenticated HTTP listener that allows direct access to Elasticsearch.
# cat /etc/stunnel/stunnel.conf [remote] client = yes accept = 9100 connect = elasticsearch.neteyelocal:9200 cert = /neteye/local/elasticsearch/conf/certs/admin.crt.pem key = /neteye/local/elasticsearch/conf/certs/private/admin.key.pem
This configuration uses the administrative key for Elasticsearch, allowing the unauthenticated client to have all rights on the Elasticsearch database.
# systemctl enable stunnel --now
This turns on stunnel immediately.
## run this on all receiving nodes firewall-cmd --add-port=9100/tcp --permanent firewall-cmd --reload
These commands are necessary to enable the above configured stunnel to accept incoming connections.
If you want to limit the connections to specific senders, please see the firewall-cmd documentation, or use a firewall that “hides” NetEye from the rest of the network.
Until now we’ve configured stunnel to allow an unauthorized HTTP client to have full access to Elasticsearch, using the admin certificate specified in the stunnel.conf file above.
If you want to change these full access rights to a more specific, limited role, you should follow all the following steps:
Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find security issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.