Elasticsearch IP whitelisting can be implemented in two ways: with the HTTP filter feature provided by X-Pack, or by filtering client IPs in Nginx. The first is a paid Elasticsearch feature. Both approaches are described in detail below.
The Elasticsearch version used here is 6.8.3.
Implementing an IP whitelist with the X-Pack HTTP filter feature
Note: this feature is part of the Platinum and Gold licenses, i.e. it is a paid feature.
elasticsearch.yml configuration example. The two allow/deny pairs below are alternatives: keep only one of them, because a duplicated key is invalid YAML and Elasticsearch refuses to start on it.
xpack.security.http.filter.enabled: true
# Alternative 1: allow a single host and deny the rest of its /24
xpack.security.http.filter.allow: "172.31.6.21"
xpack.security.http.filter.deny: "172.31.6.0/24"
# Alternative 2: allow an explicit list of hosts and deny everything else
xpack.security.http.filter.allow: [ "172.31.6.20", "172.31.6.21", "172.31.6.22" ]
xpack.security.http.filter.deny: _all
# Transport (node-to-node) layer filtering uses the same rule format
xpack.security.transport.filter.enabled: true
xpack.security.transport.filter.allow: [ "172.31.6.20", "172.31.6.21", "172.31.6.22" ]
xpack.security.transport.filter.deny: _all
Implementing IP filtering with an Nginx reverse proxy
There are three ways to implement the filtering in Nginx, described below.
Restricting access with the $remote_addr variable
Configuration example:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 19200;
        server_name localhost;
        # Whitelist: $remote_addr is the TCP peer address, which the client cannot forge.
        # Dots are escaped and the pattern is closed with $, so that an address such as
        # 100.110.15.160 is not admitted as a prefix match of 100.110.15.16.
        # Non-matching peers are rejected with 403 outright; a `rewrite ... last` here would
        # re-enter `location /` and forward the rejected request upstream.
        if ($remote_addr !~ ^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$) {
            return 403;
        }
        location / {
            # Elasticsearch proxy
            proxy_pass http://172.31.6.21:9200;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    server {
        listen 15601;
        server_name localhost;
        # Same whitelist for Kibana
        if ($remote_addr !~ ^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$) {
            return 403;
        }
        location / {
            # Kibana proxy
            proxy_pass http://172.31.6.21:5601;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
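The `if ($remote_addr !~ ...)` whitelist is only as tight as its regular expression. The following added check (not part of the original post) mirrors nginx's `!~` semantics in Python and runs the pattern exactly as first written (unescaped dots, no closing anchor) beside the anchored form over a constructed list of peer addresses, so you can see which peers each variant would forward to `proxy_pass`. The sample addresses are constructed for the demonstration.

```python
import re

# Pattern as written in the original nginx `if` (unescaped dots, no closing anchor)
LOOSE_PATTERN = r"^(100.110.15.16|100.110.15.17|100.110.15.18|127.0.0.1)"
# Hardened pattern: literal dots and a closing anchor
STRICT_PATTERN = r"^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$"

# Constructed sample peer addresses; only the first and the fourth belong on the whitelist
SAMPLE_PEERS = [
    "100.110.15.16",   # whitelisted host
    "100.110.15.160",  # different host whose address starts with a whitelisted one
    "100.110.15.1",    # different host in the same subnet
    "127.0.0.1",       # whitelisted loopback
    "10.0.0.5",        # unrelated host
]


def is_blocked(pattern: str, remote_addr: str) -> bool:
    """Mirror `if ($remote_addr !~ pattern) { return 403; }`: True means nginx answers 403."""
    # nginx `~` is an unanchored PCRE search, so re.search is the faithful equivalent
    return re.search(pattern, remote_addr) is None


def admitted(pattern: str, peers) -> list:
    """Return the peers the pattern lets through to proxy_pass, in input order."""
    return [peer for peer in peers if not is_blocked(pattern, peer)]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{name:6s} admits: {admitted(pattern, SAMPLE_PEERS)}")
```

The loose pattern also admits `100.110.15.160`, because `^` alone only pins the start of the string; the anchored pattern admits exactly the listed hosts.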
Restricting access with the $http_x_forwarded_for variable
Configuration example:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 19200;
        server_name localhost;
        # Whitelist based on the X-Forwarded-For header.
        # Caution: any client can set this header, so the check is only meaningful when
        # nginx is reachable solely through a trusted upstream proxy that overwrites it.
        # The pattern is anchored and the dots escaped; a multi-hop value such as
        # "a, b" therefore does not match and is denied (fail closed).
        if ($http_x_forwarded_for !~ ^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$) {
            return 403;
        }
        location / {
            # Elasticsearch proxy
            proxy_pass http://172.31.6.21:9200;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    server {
        listen 15601;
        server_name localhost;
        # Same header-based whitelist for Kibana
        if ($http_x_forwarded_for !~ ^(100\.110\.15\.16|100\.110\.15\.17|100\.110\.15\.18|127\.0\.0\.1)$) {
            return 403;
        }
        location / {
            # Kibana proxy
            proxy_pass http://172.31.6.21:5601;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
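`X-Forwarded-For` is a request header, so its value comes from whoever sent the request unless a proxy in front of nginx overwrites or appends to it. The added example below (not from the original post) shows the rule a whitelist should apply before trusting the header: consult it only when the TCP peer is itself a trusted proxy, and then walk the comma-separated hops from the right, skipping trusted proxies, so that an entry prepended by the client is ignored. `TRUSTED_PROXIES`, `WHITELIST` and the peer/header pairs are constructed values; the same result is what nginx's `ngx_http_realip_module` (`set_real_ip_from` plus `real_ip_header X-Forwarded-For` with `real_ip_recursive on`) provides when it rewrites `$remote_addr`.

```python
import ipaddress
from typing import Optional

# Constructed values for the demonstration (not from the original page)
TRUSTED_PROXIES = ["10.0.0.0/24"]   # the only hops allowed to set X-Forwarded-For
WHITELIST = {"100.110.15.16", "100.110.15.17", "100.110.15.18", "127.0.0.1"}


def effective_client_ip(remote_addr: str, xff: Optional[str], trusted_proxies) -> str:
    """
    Address a whitelist should judge.
    - remote_addr: the TCP peer (nginx $remote_addr), which the client cannot forge.
    - xff: the raw X-Forwarded-For header, or None when absent.
    The header is consulted only if the peer itself is a trusted proxy, and is then walked
    from the right, skipping trusted proxies, so entries prepended by the client are ignored.
    """
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # not an IP literal at all: never a trusted hop
        return any(addr in net for net in nets)

    if not xff or not trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    # Every hop was a trusted proxy: the leftmost one is the originating address
    return hops[0] if hops else remote_addr


def is_allowed(remote_addr: str, xff: Optional[str]) -> bool:
    """Whitelist decision using the trust-aware client address."""
    return effective_client_ip(remote_addr, xff, TRUSTED_PROXIES) in WHITELIST


def header_only_check(xff: Optional[str]) -> bool:
    """What `if ($http_x_forwarded_for !~ ...)` effectively does: judge the raw header as-is."""
    return xff in WHITELIST


if __name__ == "__main__":
    # Constructed request scenarios: (TCP peer, X-Forwarded-For header)
    for peer, xff in [("203.0.113.9", "100.110.15.16"),
                      ("10.0.0.2", "100.110.15.16"),
                      ("10.0.0.2", "100.110.15.16, 203.0.113.9")]:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff, TRUSTED_PROXIES),
              "allowed" if is_allowed(peer, xff) else "denied")
```

In the first scenario the request arrives directly from an untrusted peer carrying a whitelisted value in the header; the header-only check admits it, the trust-aware check does not. In the third, the trusted proxy appended the real peer after a client-supplied entry, and walking from the right picks the appended address.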
Restricting access with Nginx's allow and deny directives
Configuration example:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 19200;
        server_name localhost;
        # Whitelist: rules are evaluated in order and the first match wins,
        # so the final `deny all` must come last.
        allow 172.31.6.22;    # whitelist
        allow 192.168.0.0/24; # whitelist
        allow 127.0.0.1;      # whitelist
        deny all;             # reject everyone else
        location / {
            # Elasticsearch proxy
            proxy_pass http://172.31.6.21:9200;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    server {
        listen 15601;
        server_name localhost;
        # Same whitelist for Kibana
        allow 172.31.6.22;    # whitelist
        allow 192.168.0.0/24; # whitelist
        allow 127.0.0.1;      # whitelist
        deny all;             # reject everyone else
        location / {
            # Kibana proxy
            proxy_pass http://172.31.6.21:5601;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
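The `allow`/`deny` directives are matched top to bottom against `$remote_addr`, the first matching rule decides, and a peer that matches nothing is allowed. The added example below (not nginx code and not from the original post) re-implements that evaluation with Python's `ipaddress` module over the rule set shown above, so the two points a practitioner most often gets wrong can be checked directly: a `deny all` placed before the `allow` lines shadows them, and leaving `deny all` out admits every unlisted address. `PAGE_RULES` reproduces the rules from the configuration; the test addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

# The rule set from the configuration above, in nginx syntax
PAGE_RULES = """
allow 172.31.6.22;    # whitelist
allow 192.168.0.0/24; # whitelist
allow 127.0.0.1;      # whitelist
deny all;             # reject everyone else
"""


def parse_rules(config: str) -> List[Tuple[str, object]]:
    """Parse nginx-style `allow`/`deny` lines into (action, network-or-'all') in file order."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()  # drop comments and ';'
        if not line:
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        target = target.strip()
        # A bare address becomes a /32 (or /128) network so membership tests are uniform
        rules.append((action, "all" if target == "all" else ipaddress.ip_network(target, strict=False)))
    return rules


def decide(rules: List[Tuple[str, object]], remote_addr: str) -> str:
    """ngx_http_access_module semantics: first matching rule wins; no match means allow."""
    addr = ipaddress.ip_address(remote_addr)
    for action, target in rules:
        if target == "all" or (not isinstance(target, str) and addr in target):
            return action
    return "allow"


if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    for peer in ["172.31.6.22", "192.168.0.77", "127.0.0.1", "172.31.6.21", "203.0.113.9"]:
        print(f"{peer:15s} -> {decide(rules, peer)}")
    print("deny-all first  ->", decide(parse_rules("deny all;\nallow 172.31.6.22;"), "172.31.6.22"))
    print("no deny-all     ->", decide(parse_rules("allow 127.0.0.1;"), "203.0.113.9"))
```

Membership is checked with real CIDR arithmetic, so `192.168.0.77` is admitted by the `/24` rule while `192.168.1.1` falls through to `deny all`; an IPv6 peer never matches an IPv4 rule and is handled by whichever rule comes next.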
In addition, Nginx can also rate-limit requests per IP and apply similar restrictions; see the Nginx documentation or the following blog post for details:
https://blog.51cto.com/qiangsh/1768124
References:
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/ip-filtering.html#_enabling_ip_filtering
https://www.cnblogs.com/sanduzxcvbnm/p/13723811.html
https://cloud.tencent.com/developer/article/1026848