I have an IP for ES:
http://1.2.3.4:9200/index/_search?size=1000&q=*:*
and I or anyone else can access the data once we have the IP:
{
"query" : {
"match_all" : {}
},
"from" : 0, "size" : 3000
}
But how can I secure the Elasticsearch cluster so that, even if you know the IP, you cannot access the data without a username/password?
Thanks.
Basic authentication on Elasticsearch is now part of the Elastic Stack Basic License, which is free; you just need to use versions 6.8.X or 7.1.X and configure the authentication using the native realm.
This post on the elastic blog has more information about the security features, and this part of the documentation explains how to configure the security on elastic.
The basic authentication is free in Elastic Stack version 6.8.X and 7.1.X now.
If you use another Elastic Stack version, you can use your own proxy with basic authentication, for example Nginx on Linux or IIS on Windows.
PS. For more security, you can set up HTTPS for the Elastic API in the proxy settings. (^^)
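The proxy approach from the second answer, shown in Node.js instead of Nginx or IIS (an added example, not code from either answer). The user table, the `createGate` name and the assumption that Elasticsearch listens only on 127.0.0.1:9200 are illustrative.

```javascript
const http = require("http");
const crypto = require("crypto");

// Constructed sample credentials (assumption); load real ones from a secret store.
const USERS = new Map([["reader", "constructed-sample-password"]]);

// Hash both inputs so timingSafeEqual always receives equal-length buffers.
function safeEqual(a, b) {
  const digest = (s) => crypto.createHash("sha256").update(s).digest();
  return crypto.timingSafeEqual(digest(a), digest(b));
}

// Returns the user name for a valid "Authorization: Basic ..." header, else null.
function authenticate(header, users = USERS) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/i.exec(header || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 1) return null;
  const user = decoded.slice(0, sep);
  const expected = users.get(user);
  // Run the comparison for unknown users too, so timing does not reveal valid names.
  const match = safeEqual(decoded.slice(sep + 1), expected === undefined ? "" : expected);
  return match && expected !== undefined ? user : null;
}

// Hypothetical gate: Elasticsearch itself must listen only on 127.0.0.1:9200.
function createGate(upstream = { host: "127.0.0.1", port: 9200 }) {
  return http.createServer((req, res) => {
    if (!authenticate(req.headers.authorization)) {
      res.writeHead(401, { "WWW-Authenticate": 'Basic realm="elasticsearch"' });
      return res.end();
    }
    const headers = { ...req.headers };
    delete headers.authorization; // client credentials stop at the gate
    const opts = { ...upstream, method: req.method, path: req.url, headers };
    const up = http.request(opts, (r) => {
      res.writeHead(r.statusCode, r.headers);
      r.pipe(res);
    });
    up.on("error", () => {
      if (!res.headersSent) res.writeHead(502);
      res.end();
    });
    req.pipe(up);
  });
}
```

Basic credentials are only base64-encoded on the wire, so the gate belongs behind HTTPS, as the PS above suggests.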
I haven't created an account in fastcomet yet, but I would like to ask the following questions. The site mentions that it supports node.js applications. So that means I can upload an express application right? How about MongoDB and mongoose? I can access MongoDB by typing in the terminal
$ mongod --dbpath=data --bind_ip 127.0.0.1
And the MongoDB URL in my case is
mongodb://localhost:27017/ilovearisti
How different would it be in fastcomet? I guess I'll have to contact them for the port numbers, right?
Thanks,
Theo.
FastComet Team here! Indeed, our hosting plans are fully compatible with Node.js apps and you can have your project hosted on an appropriate package.
If you plan using the MongoDB database type in particular, our experience shows it requires a server solution with more resources and a higher level of private access. This way you would be able to accommodate the operation on an environment suitable for coding with Mongoose on top of the MongoDB driver for Node.js.
As for addressing your URL query, the default IP when starting a mongo instance is set to 127.0.0.1, so it is configured as localhost and port 27017. With this in mind, you only need to make changes on the IP configuration via the mongod daemon if you are using a remote database setup with a different IP address.
Having said all of the above, we can confirm that if you have created a database called iloveiristi, the MongoDB URL will be as follows:
mongodb://localhost:27017/iloveiristi
We hope this information proves useful and we wish you good luck with your project.
Best regards!
We want the landing pages created on our website to be served over HTTPS on the custom domains that our users wish to serve the page on. So we can have a separate SSL certificate for each of our users, and we have a node server. We want to achieve the things below:
1) Attach multiple SSL certificates with node server.
2) We need a way to attach the certificates at any instance of time to the server eg. whenever we got a domain from our customers.
Let's Encrypt w/ Greenlock Express v3
I'm the author of Greenlock Express, which is Let's Encrypt for Node.js, Express, etc.
I'm still in the middle of writing the v3 documentation (lots of broken links to examples that haven't been converted from v2 yet), but the setup looks a little like this:
require("greenlock-express")
  .init(function getConfig() {
    return {
      package: require("./package.json"),
      manager: 'greenlock-manager-fs',
      cluster: false,
      configFile: '~/.config/greenlock/manager.json'
    };
  })
  .serve(httpsWorker);

function httpsWorker(server) {
  // Works with any Node app (Express, etc)
  var app = require("./my-express-app.js");

  // See, all normal stuff here
  app.get("/hello", function(req, res) {
    res.end("Hello, Encrypted World!");
  });

  // Serves on 80 and 443
  // Gets SSL certificates magically!
  server.serveApp(app);
}
It uses http2 by default on node v12+, and also works with node cluster so that you can take advantage of multiple cores.
It uses SNICallback to dynamically add certificates on the fly.
Site Management
The default manager plugin uses files on the file system, but there's great documentation on how to build your own.
Just to get started, the file-based plugin looks like this:
~/.config/greenlock/manager.json:
{
"subscriberEmail": "letsencrypt-test@therootcompany.com",
"agreeToTerms": true,
"sites": [
{
"subject": "example.com",
"altnames": ["example.com", "www.example.com"]
}
]
}
Key and Certificate Management
Likewise, the default Key and Cert plugin is filesystem-based (actually based on certbot, from the early days), but there are plugins for connecting to databases (greenlock-store-sequelize) so that you can manage your certs however you like.
The default plugin stores them in ~/.config/greenlock/.
DNS-01 and HTTP-01 challenge plugins
There are plugins for various DNS providers (Name.com, NameCheap, DNSimple, GoDaddy, etc), and there's a test suite that makes it easy to write the couple of callbacks you need to make your own:
Greenlock HTTP-01 docs
Greenlock DNS-01 docs
Management API
There's already an API, which I won't document here because I'm busy (right now) writing the official documentation for it, but essentially you'll do something like this:
greenlock.add({
subject: 'example.com',
altnames: ['example.com', '*.example.com']
})
There are some CLI tools in the works, and Greenlock Pro, forthcoming, will have a UI for it, as well as routing tools (i.e. serve domain X from this directory, proxy domain Y to port 2345 with websocket support enabled, etc)
I'll be back
Once I have more of the official docs ready, I'll come back and add some updates here.
Feel free to contact me on Keypairs. I'm @coolaj86 there.
1) Attach multiple SSL certificates with node server. 2) We need a way
to attach the certificates at any instance of time to the server eg.
whenever we got a domain from our customers.
Managing such dynamic configuration on an instance is really hard to update and maintain. As suggested in the comment, go for an LB: place the LB on top of the EC2 instance and handle certificate and new domain integration with the AWS SDK.
At a high level, the flow will be:
Attach multiple SSL certificates with node server
Place an LB on top of each instance and you will not need to manage SSL at the instance level; AWS will take care of it. Also, you will be saving CPU cost by putting the SSL encrypt and decrypt load on the LB.
whenever we got a domain from our customers.
Using the AWS SDK, create a request for a new ACM certificate.
Once the certificate is approved, update the AWS LB certificate list from the SDK or manually, but it is better to go for automation.
I am using CouchDB 2.0 and receiving a 404 when trying to get the index definition on my production database.
Similarly, I receive a 400 Bad Request when using POST /db/_find and POST /db/_index against production.
These both work on my development server (Mac OSX)
CouchDB 2.0 does not work over SSL unless you use HAProxy. I was not using HAProxy and various CouchDB features would fail when accessing the admin API via SSL.
Suggestion is to use HAProxy to manage SSL.
https://community.bitnami.com/t/unable-to-connect-via-https/48657/27
used to Apache in Linux where each domain name using ssl requires its own ip address.
is this still true if using node.js and not using Apache at all?
The same limitations apply in node.js as in Apache -- they're nothing to do with the particular server software you're using, they're inherent in the http and TLS/SSL protocols.
Having said that, there are two ways to run SSL for multiple domains from a single IP address. I don't know the status of node.js support for either of these, but it shouldn't matter for the first alternative.
First, you can get a single SSL certificate that covers all of the domain names you want to use -- either a wildcard if they're all subdomains of the same domain or one that uses Subject Alternative Names (SAN) if they're not. Note that SAN is not supported by some older web browsers, especially on some smartphones.
Second, you can use Server Name Indication (SNI) to configure multiple SSL certificates, as it extends the SSL protocol to make the hostname available to the server before it's done the key exchange. Browser support for SNI is not as good as for SAN, and in particular it doesn't work with any Internet Explorer version on Windows XP.
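The SNI approach described in this answer, and the "dynamically add certificates on the fly" behaviour mentioned in the Greenlock answer, as an added Node.js example (not Greenlock's code and not from either answer). The `CertStore` class and its method names are hypothetical; `SNICallback` and `tls.createSecureContext` are Node's own API.

```javascript
const tls = require("tls");

class CertStore {
  // makeContext is injectable so the lookup logic can be exercised without real keys.
  constructor(makeContext = tls.createSecureContext) {
    this.makeContext = makeContext;
    this.contexts = new Map(); // lower-cased name or "*.suffix" -> SecureContext
  }

  // Register or replace the certificate for one name; may be called while serving.
  add(name, pem) {
    const ctx = this.makeContext({ key: pem.key, cert: pem.cert });
    this.contexts.set(name.toLowerCase(), ctx);
  }

  remove(name) {
    return this.contexts.delete(name.toLowerCase());
  }

  // Exact match first, then a one-label wildcard (*.example.com covers a.example.com only).
  lookup(servername) {
    const host = String(servername || "").toLowerCase().replace(/\.$/, "");
    if (host.includes("*")) return null; // a client never legitimately sends a wildcard
    if (this.contexts.has(host)) return this.contexts.get(host);
    const dot = host.indexOf(".");
    if (dot > 0) return this.contexts.get("*" + host.slice(dot)) || null;
    return null;
  }

  // Returns a function with the signature tls/https servers expect for SNICallback.
  sniCallback() {
    return (servername, cb) => {
      const ctx = this.lookup(servername);
      // Unknown names fail the handshake instead of receiving another tenant's certificate.
      if (!ctx) return cb(new Error("no certificate for " + servername));
      cb(null, ctx);
    };
  }
}

// Wiring (not run here):
//   const store = new CertStore();
//   https.createServer({ SNICallback: store.sniCallback() }, app).listen(443);
//   store.add("customer.example", { key: keyPem, cert: certPem }); // when a domain is onboarded
```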
This link shows how to do it with nginx using the SNI method.
https://www.digitalocean.com/community/articles/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04
You might as well let nginx do the https and file serving and have it reverse proxy into node.js for the api work, as shown here:
https://stackoverflow.com/a/15008873/151312
I have a VPS where I have hosted a few sites. All based on LAMP stack, so it was no big deal. They provide WHM/cpanel for managing different sites. I decided to try node.js, bought a separate domain for it, and I need some clue how to point that domain to the node.js application.
So here are the questions:
1) What is the best way to host node.js application on a specific domain without hampering the other sites? How will I configure the domain? Yes, I'd like to use default http port (80) for node.
2) As Apache is already listening to the 80 port, is it a good idea to use Apache mod_proxy for the purpose? I mean if I want to use websocket, will apache still use separate threads for maintaining connection to node?
PS. I have already seen this question, but the answers don't seem to be convincing.
Edit:
I forgot to mention, I have an unused dedicated IP for that VPS which I can use for node.js.
Follow these steps
Go to "WHM >> Service Configuration >> Apache Configuration >> Reserved IPs Editor" and then reserve the IP that you want to use for node.js. This will release the IP from Apache.
Create a new DNS entry with an A entry like - example.com A YOUR_IP_ADDRESS
Tell the node.js server to listen on your IP using server.listen(80, "YOUR_IP_ADDRESS");
If Apache is already listening to port 80, then the only thing you can do is proxy to your node instance. And yes, apache will create a new thread for each connection.
As others have mentioned, there's not a whole lot you can do here. Apache is currently driving your server and node.js won't like riding shotgun.
I'd recommend checking out things like nodester, no.de, heroku, and so on.