通過nginx代理無密碼訪問開啟了x-pack驗證的elasticsearch
阿新 • • 發佈:2018-11-04
在有些工具中,並沒有提供elasticsearch的使用者名稱密碼介面,而如果elasticsearch開啟了x-pack驗證,使用者名稱密碼又是必須引數。如果去修改工具實現,代價又太大,所以我們可以選擇使用nginx反向代理,使用nginx為請求增加驗證,達到無密碼訪問相容老工具的目的。
首先,elasticsearch中配置允許通過請求頭來驗證:
http.cors.allow-headers: Authorization
然後我們先使用curl 加上-u -v引數來訪問elasticsearch,觀察請求體:
curl --user elastic:123456 -v "http://127.0.0.1:11111" * About to connect() to 127.0.0.1 port 11111 (#0) * Trying 127.0.0.1... * Connected to 127.0.0.1 (127.0.0.1) port 11111 (#0) * Server auth using Basic with user 'elastic' > GET / HTTP/1.1 > Authorization: Basic ZWxhc3RpYzoxMjM0NTY= > User-Agent: curl/7.29.0 > Host: 127.0.0.1:11111 > Accept: */* > < HTTP/1.1 200 OK < Server: nginx/1.12.2 < Date: Tue, 30 Oct 2018 07:42:06 GMT < Content-Type: application/json; charset=UTF-8 < Content-Length: 491 < Connection: keep-alive < { "name" : "es-wk-node-1", "cluster_name" : "es-wk1", "cluster_uuid" : "Dc1CiavHRzSCtt4yzImVrA", "version" : { "number" : "6.4.2", "build_flavor" : "default", "build_type" : "tar", "build_hash" : "04711c2", "build_date" : "2018-09-26T13:34:09.098244Z", "build_snapshot" : false, "lucene_version" : "7.4.0", "minimum_wire_compatibility_version" : "5.6.0", "minimum_index_compatibility_version" : "5.0.0" }, "tagline" : "You Know, for Search" }
通過與不加-u(–user)引數的對比,可以發現差別就是請求頭多了一個Authorization引數,而其值是固定的,所以我們在nginx中配置為請求新增此請求頭即可。
server { listen 11111; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { # proxy_set_header user elastic:123456; proxy_set_header Authorization 'Basic ZWxhc3RpYzoxMjM0NTY='; proxy_pass http://127.0.0.1:19200; } }
這時候去掉-u引數再使用curl訪問elasticsearch發現就成功了。