Install and Secure Elasticsearch with Let’s Encrypt on Ubuntu

Secure Elasticsearch using Let’s Encrypt SSL with Nginx. Learn how to configure SSL for your Elasticsearch installation with an Nginx reverse proxy on an Ubuntu system or server.

In this guide you will create a subdomain for your Elasticsearch service and install a free Let’s Encrypt SSL certificate using Certbot.

This setup is tested on Google Cloud Platform running Ubuntu 18.04 LTS, so this guide will work perfectly on other cloud service providers like AWS, Azure or any VPS or dedicated servers.

Prerequisites

Initial Server Setup

Start by updating the server software packages to the latest version available.

sudo apt update
sudo apt upgrade

Configure Sub-Domain

Make sure you use a sub-domain to access your Elasticsearch installation.

Go to your DNS management section and create a new A record with the name you wish for your subdomain (for example search) and the value of your server IP address.

So your sub-domain will look similar to the one below. If you wish to configure your main domain you can do that also.

search.yourdomain.com

Step 1: Install Java JDK

Java is necessary to install ElasticSearch. Install Java JDK using the following command.

sudo apt install openjdk-8-jdk

Step 2: Configure Java Environment variable

Use the update-alternatives command to get the installation path of your Java version.

sudo update-alternatives --config java

OpenJDK 8 is located at /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

Copy the installation path of your default version, leaving off the trailing /jre/bin/java so that it names the Java home directory, and add it in the JAVA_HOME environment variable.

sudo nano /etc/environment

At the end of this file, add the following line with your installation path. For the OpenJDK 8 installed above the variable will be as follows.

JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"

Hit Ctrl+X followed by Y and Enter to save and exit the nano editor.

Now the JAVA_HOME environment variable is set and available for all users.

Reload to apply changes.

source /etc/environment

Verify the Java environment variable.

echo $JAVA_HOME

You will get the installation path you just set.

Now Java is successfully installed and you can install Elasticsearch.

Step 3: Install ElasticSearch

Import Elasticsearch repository’s GPG key.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Add the repository to the sources list of your Ubuntu server or system.

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Update the package list and install ElasticSearch.

sudo apt update
sudo apt install elasticsearch

Once Elasticsearch is installed, you can restrict port 9200 from outside access by editing the elasticsearch.yml file: uncomment network.host and replace its value with localhost.

sudo nano /etc/elasticsearch/elasticsearch.yml

So it looks like this.

network.host: localhost

Hit Ctrl+X followed by Y and Enter to save the file and exit.

Now start and enable Elasticsearch on server boot.

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Now make sure your Elasticsearch service is running.

sudo systemctl status elasticsearch

Test your installation by sending an HTTP request.

curl -X GET "localhost:9200"

You will get a response with name, cluster_name, cluster_uuid, version.

Step 4: Install Nginx

Now it’s time to install Nginx.

sudo apt install nginx

Step 5: Configure Firewall (UFW)

The firewall provides an additional layer of security to your instance by blocking inbound network traffic. The ufw (Uncomplicated Firewall) package is usually installed by default in Ubuntu 18.04 LTS, so we just need to add the rules, which deny all incoming traffic and allow all outgoing traffic. We now open the ports for SSH (22), HTTP (80) and HTTPS (443).

sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable

Step 6: Install Fail2ban

Fail2ban works alongside ufw: it monitors intrusion attempts on your instance and blocks the offending host for a set period of time, so let’s install it now.

sudo apt install fail2ban
sudo service fail2ban start

Step 7: Configure Nginx

Now you can configure the Nginx reverse proxy for your Elasticsearch.

Remove default configurations

sudo rm /etc/nginx/sites-available/default
sudo rm /etc/nginx/sites-enabled/default

Create a new Nginx configuration file.

sudo nano /etc/nginx/sites-available/search.conf

Paste the following.

server {
     listen [::]:80;
     listen 80;

     server_name search.yourdomain.com;

     # Forward every request to the local Elasticsearch HTTP port.
     location / {
          proxy_pass http://localhost:9200;
          proxy_redirect off;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
          proxy_set_header  X-Real-IP  $remote_addr;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header  Host $http_host;
     }
}

Save and exit the file.

Enable your configuration by creating a symbolic link.

sudo ln -s /etc/nginx/sites-available/search.conf /etc/nginx/sites-enabled/search.conf

Step 8: Create SSL certificate and enable HTTP/2

Install Certbot.

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Now that Certbot by Let’s Encrypt is installed for Ubuntu 18.04, run this command to receive your certificates.

sudo certbot --nginx certonly

Enter your email and agree to the terms and conditions. You will then be shown the list of domains for which you can generate an SSL certificate.

To select all domains, simply hit Enter.

The Certbot client will automatically generate the new certificate for your domain. Now we need to update the Nginx config.

Step 9: Redirect HTTP to HTTPS in Nginx

Open your site’s Nginx configuration file and replace everything with the following, replacing the file paths with the ones you received when obtaining the SSL certificate. The ssl_certificate directive should point to your fullchain.pem file, and the ssl_certificate_key directive should point to your privkey.pem file.

 
server {
     listen [::]:80;
     listen 80;

     server_name search.yourdomain.com;

     return 301 https://search.yourdomain.com$request_uri;
}

server {
     listen [::]:443 ssl http2;
     listen 443 ssl http2;

     server_name search.yourdomain.com;

     ssl_certificate /etc/letsencrypt/live/search.yourdomain.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/search.yourdomain.com/privkey.pem;

     location / {
          proxy_pass http://localhost:9200;
          proxy_redirect off;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
          proxy_set_header  X-Real-IP  $remote_addr;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header  Host $http_host;
     }
}

The http2 value is all that is needed to enable the HTTP/2 protocol.

Now you have enabled SSL hardening and created a Content Security Policy, X-XSS-Protection, clickjacking protection, MIME sniffing protection, a Referrer Policy and Access-Control-Allow-Origin.

These are some Nginx security tweaks that close off areas of attack.

Hit CTRL+X followed by Y to save the changes.

Check your configuration and restart Nginx for the changes to take effect.

sudo nginx -t
sudo service nginx restart
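
The hardening items named in Step 9 (SSL hardening, Content Security Policy, X-XSS-Protection, clickjacking, MIME sniffing, Referrer Policy, Access-Control-Allow-Origin) each need their own directive, and the HTTPS server block as printed there contains none of them; it also forwards every request to Elasticsearch without asking for credentials. The following is an added example, not part of the original guide, of that server block with the directives written out. The header values, the client range 203.0.113.0/24, the origin app.yourdomain.com and the credentials file path are assumptions to replace with your own.

```nginx
# Added example, not the guide's own configuration. Assumed values: the header
# contents, the client range 203.0.113.0/24, the origin app.yourdomain.com and
# the credentials file /etc/nginx/search.htpasswd.
server {
     listen [::]:443 ssl http2;
     listen 443 ssl http2;

     server_name search.yourdomain.com;

     ssl_certificate /etc/letsencrypt/live/search.yourdomain.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/search.yourdomain.com/privkey.pem;

     # SSL hardening: current protocol versions only, no session tickets,
     # and HSTS so browsers refuse plain HTTP for this host.
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_session_cache shared:SSL:10m;
     ssl_session_timeout 1d;
     ssl_session_tickets off;
     add_header Strict-Transport-Security "max-age=31536000" always;

     # Headers named in the text; "always" also covers error responses.
     add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" always;
     add_header X-XSS-Protection "1; mode=block" always;   # legacy header, ignored by current browsers
     add_header X-Frame-Options "DENY" always;             # clickjacking
     add_header X-Content-Type-Options "nosniff" always;   # MIME sniffing
     add_header Referrer-Policy "no-referrer" always;
     # CORS: name the single browser origin allowed to read responses, never "*".
     add_header Access-Control-Allow-Origin "https://app.yourdomain.com" always;

     location / {
          # The guide configures no authentication on Elasticsearch itself, so
          # require both an allowed source network and valid credentials here.
          satisfy all;
          allow 203.0.113.0/24;
          deny all;
          auth_basic "Elasticsearch";
          auth_basic_user_file /etc/nginx/search.htpasswd;
          proxy_set_header  Authorization "";   # do not forward the proxy credentials upstream

          proxy_pass http://localhost:9200;
          proxy_redirect off;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
          proxy_set_header  X-Real-IP  $remote_addr;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header  Host $http_host;
     }
}
```

The credentials file can be created with htpasswd from the apache2-utils package. Run sudo nginx -t again before restarting Nginx.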

Step 10: Renewing SSL Certificate

Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. Now set up a cronjob to check for certificates that are due to expire in the next 30 days and renew them automatically.

sudo crontab -e

Add this line at the end of the file.

0 0,12 * * * certbot renew >/dev/null 2>&1

Hit CTRL+X followed by Y to save the changes.

This cronjob will check twice daily whether the certificate needs renewing.

Conclusion

Now you have learned how to install Elasticsearch and secure it with a free Let’s Encrypt SSL certificate on Ubuntu.

Thanks for your time. If you face any problem or have any feedback, please leave a comment below.
