Greetings,
I recently stumbled onto Nginx while researching a way to protect my Elasticsearch server without using Elastic Shield.
My setup has a Windows Server box containing a web server which has Kibana deployed on port 8080. The box also runs Elasticsearch as a service which listens on port 9200. The Kibana web application is protected by a filter which checks the HTTP request header for the user-id and checks a database to see if this user-id is allowed to access Kibana.
Unfortunately, Kibana has to send queries and requests to Elasticsearch from the user's browser. Hence Elasticsearch has to be accessible to the user. This allows unauthorized users to send REST requests to the Elasticsearch server, making this a potential security threat.
My solution to this problem would be to implement Nginx as a reverse proxy on the box, forcing the HTTP requests to pass through Nginx before being allowed to access Elasticsearch, which would then only be accessible on the box's localhost. The authentication would be processed by Nginx's http_auth_request_module, but I don't quite understand how to implement the service to which I redirect this auth request.
I found this StackOverflow page to be the most insightful: http://stackoverflow.com/questions/25340630/how-can-i-set-up-an-automatic-authentication-layer-in-nginx, but it still doesn't explain how to actually implement the authentication service.
My preferred way of writing this service would be through Java and wrapping it as a service. I understand that the service should return the HTTP code 200 if the authentication is successful and something else if it isn't. I'd like to process the HTTP request in the same way I processed the HTTP request in the filter I used to validate Kibana users.
Any tips to get me started on writing a Java-application that would act as an authentication service?
If this isn't possible in Java, is there a way to do it in Perl or Python?
Thanks
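The auth_request contract the post describes (2xx allows the request, 401 or 403 denies it, any other status is treated by nginx as an error) is small enough to show end to end. The following is an added example, not code from the original post or from nginx, written in Python since the poster lists it as an acceptable alternative. It assumes a header named X-User-Id carries the user-id (the post does not name the header), an allowlist table named allowed_users standing in for the real database, and port 9001 for the auth service; the nginx location blocks in the module docstring are the matching configuration. Two practitioner caveats: nginx must be built with --with-http_auth_request_module, and the user-id header is only meaningful if it is set by a component the proxy trusts (an SSO layer in front of nginx, for example), so nginx should overwrite any copy of that header a client supplies rather than pass it through.

```python
"""Minimal auth_request backend for nginx (added example, not from the post).

Assumed nginx configuration (port, header and table name are assumptions):

    # subrequest target; `internal` stops clients calling it directly
    location = /auth {
        internal;
        proxy_pass              http://127.0.0.1:9001/auth;
        proxy_pass_request_body off;          # only headers matter here
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }

    # Elasticsearch, reachable only through the proxy
    location / {
        auth_request /auth;
        proxy_pass   http://127.0.0.1:9200;
    }
"""
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer

USER_HEADER = "X-User-Id"   # assumed header name carrying the user-id


def build_db(allowed):
    """Constructed in-memory allowlist standing in for the real user database."""
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE allowed_users (user_id TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO allowed_users VALUES (?)", [(u,) for u in allowed])
    conn.commit()
    return conn


def authorize(headers, conn):
    """Return the status code nginx's auth_request should receive.

    200 -> allowed; 401 -> no identity presented; 403 -> identity present but
    not on the allowlist. nginx turns 401/403 into a denial with that code and
    treats any other non-2xx status as an error (502 to the client).
    `headers` may be a dict or the request's header object; lookup is by name.
    """
    user_id = (headers.get(USER_HEADER) or "").strip()
    if not user_id:
        return 401
    # parameterised query: the header value is attacker-controlled input
    row = conn.execute(
        "SELECT 1 FROM allowed_users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return 200 if row else 403


def make_handler(conn):
    """Build a request handler bound to the given allowlist connection."""

    class AuthHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            status = authorize(self.headers, conn)
            self.send_response(status)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, fmt, *args):
            # keep the decision in the log; the original URI helps when
            # reviewing denied requests
            print("auth %s uri=%s" % (
                fmt % args, self.headers.get("X-Original-URI", "-")))

    return AuthHandler


if __name__ == "__main__":
    # constructed allowlist; the real service would read the existing database
    db = build_db(["alice", "bob"])
    HTTPServer(("127.0.0.1", 9001), make_handler(db)).serve_forever()
```

The decision is kept in `authorize()` so it can be exercised without a socket, and the handler only translates the result into a status line with an empty body, which is all auth_request looks at. Keeping Elasticsearch bound to 127.0.0.1 is still required for this to be effective; the proxy cannot protect a port that clients can reach directly.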