There are two ways to implement an IP whitelist for Elasticsearch: one uses the HTTP Filter feature provided by X-Pack, the other uses Nginx to filter client IPs. The first is a paid Elasticsearch feature. Both approaches are described in detail below.
The Elasticsearch version used here is 6.8.3.
Implementing an IP whitelist with the X-Pack HTTP Filter feature
Note: this feature is part of the Platinum and Gold licenses, so it is a paid feature.
elasticsearch.yml configuration example:
xpack.security.http.filter.enabled: true
# Single-address form: allow one host and deny the rest of its subnet
xpack.security.http.filter.allow: "172.31.6.21"
xpack.security.http.filter.deny: "172.31.6.0/24"
# List form, an alternative to the two lines above (a setting key must not
# appear twice in the same elasticsearch.yml): allow a list, deny everything else
xpack.security.http.filter.allow: [ "172.31.6.20", "172.31.6.21", "172.31.6.22" ]
xpack.security.http.filter.deny: _all
# The same filtering for the transport (node-to-node) port
xpack.security.transport.filter.enabled: true
xpack.security.transport.filter.allow: [ "172.31.6.20", "172.31.6.21", "172.31.6.22" ]
xpack.security.transport.filter.deny: _all
Implementing IP filtering with an Nginx reverse proxy
There are three ways to implement IP filtering in Nginx; the details follow.
Restricting access by matching the $remote_addr variable
Configuration example:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 19200;
        server_name localhost;
        # Whitelist and proxy forwarding. Dots are escaped and the pattern is
        # anchored with $, otherwise 100.110.15.160 would also match the
        # 100.110.15.16 prefix.
        if ($remote_addr !~ ^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$) {
            # Reject directly: a rewrite to /maintence.php with no location
            # serving it falls through to "location /" and gets proxied.
            return 403;
        }
        location / {
            # Elasticsearch service proxy
            proxy_pass http://172.31.6.21:9200;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 15601;
        server_name localhost;
        # Whitelist and proxy forwarding (same pattern as above)
        if ($remote_addr !~ ^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$) {
            return 403;
        }
        location / {
            # Kibana service proxy
            proxy_pass http://172.31.6.21:5601;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Restricting access by matching the $http_x_forwarded_for variable
Configuration example:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 19200;
        server_name localhost;
        # Whitelist based on X-Forwarded-For. This only holds when this Nginx
        # is reachable solely through a trusted proxy that overwrites the
        # header with the real client address: any client can send its own
        # X-Forwarded-For value, and a proxy that merely appends would leave
        # that value in first position. The header may carry a comma-separated
        # chain, so the first hop is matched up to a comma or end of string.
        if ($http_x_forwarded_for !~ ^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)(,|$)) {
            # Reject directly instead of rewriting to a path that would be proxied
            return 403;
        }
        location / {
            # Elasticsearch service proxy
            proxy_pass http://172.31.6.21:9200;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 15601;
        server_name localhost;
        # Whitelist and proxy forwarding (same caveats as above)
        if ($http_x_forwarded_for !~ ^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)(,|$)) {
            return 403;
        }
        location / {
            # Kibana service proxy
            proxy_pass http://172.31.6.21:5601;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Restricting access with Nginx's allow and deny directives
Configuration example:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 19200;
        server_name localhost;
        # Whitelist and proxy forwarding. allow/deny are evaluated in order,
        # the first match wins, and they test the TCP peer address
        # ($remote_addr), not any X-Forwarded-For header.
        allow 172.31.6.22;    # whitelist
        allow 192.168.0.0/24; # whitelist
        allow 127.0.0.1;      # whitelist
        deny all;             # deny all other access
        location / {
            # Elasticsearch service proxy
            proxy_pass http://172.31.6.21:9200;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 15601;
        server_name localhost;
        # Whitelist and proxy forwarding
        allow 172.31.6.22;    # whitelist
        allow 192.168.0.0/24; # whitelist
        allow 127.0.0.1;      # whitelist
        deny all;             # deny all other access
        location / {
            # Kibana service proxy
            proxy_pass http://172.31.6.21:5601;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
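As an added example (not part of the original post), the three Nginx checks above modelled in Python so they can be tested offline: CIDR matching as allow/deny does it, the unanchored regex from the $remote_addr example beside its anchored form, and how an X-Forwarded-For chain should be read when a proxy sits in front. The whitelist addresses come from the page; the trusted proxy range 10.0.0.0/8 and the client addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample whitelist, taken from the allow/deny example above.
ALLOW_RULES = ["172.31.6.22", "192.168.0.0/24", "127.0.0.1"]
# Assumption: the proxy in front of Nginx lives in 10.0.0.0/8.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def matches_any(addr, rules):
    """True if addr falls inside any rule (single IP or CIDR).
    Unparseable input (X-Forwarded-For is client-controlled) never matches."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(r, strict=False) for r in rules)


def allowed_by_acl(client_ip, rules=ALLOW_RULES):
    """Model of the nginx allow/deny block: the first matching allow wins,
    the trailing 'deny all' rejects everything else."""
    return matches_any(client_ip, rules)


# Regex from the $remote_addr example: unanchored, dots unescaped ...
UNANCHORED = re.compile(r"^(100.110.15.16|100.110.15.17|100.110.15.18|127.0.0.1)")
# ... versus the hardened form: dots escaped, end anchored.
ANCHORED = re.compile(r"^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$")


def allowed_by_regex(client_ip, pattern=ANCHORED):
    """nginx 'if ($remote_addr !~ pattern) { return 403; }' as a function."""
    return pattern.search(client_ip) is not None


def client_ip_from_xff(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Pick the address to check when a proxy sets X-Forwarded-For.
    Walk the chain from the right (the hop appended by the nearest proxy),
    skipping trusted proxies; the first untrusted hop is the real client.
    Anything the client put in the header itself sits further left and is
    never reached, and a direct connection ignores the header entirely."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        if not matches_any(hop, trusted):
            return hop
    return chain[0]  # every hop is a trusted proxy
```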
Nginx can also enforce limits such as per-IP request rate; for details see the Nginx website or the following blog post:
https://blog.51cto.com/qiangsh/1768124
References:
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/ip-filtering.html#_enabling_ip_filtering
https://www.cnblogs.com/sanduzxcvbnm/p/13723811.html
https://cloud.tencent.com/developer/article/1026848