Secure Elasticsearch using Let’s Encrypt SSL with Nginx. Learn how to configure SSL for your Elasticsearch installation with an Nginx reverse proxy on an Ubuntu system or server.
In this guide you will create a subdomain for your Elasticsearch service and install a free Let’s Encrypt SSL certificate using Certbot.
This setup is tested on Google Cloud Platform running Ubuntu 18.04 LTS. The guide will work just as well on other cloud service providers like AWS or Azure, or on any VPS or dedicated server.
Prerequisites
- Standard Instance (3.75 GB RAM with Ubuntu 18.04 LTS).
- A running Compute Engine instance; see Setting up Compute Engine Instance.
Initial Server Setup
Start by updating the server software packages to the latest version available.
sudo apt update
sudo apt upgrade
Configure Sub-Domain
Make sure you use a sub-domain to access your Elasticsearch installation.
Go to your DNS management section and create a new A record with the name you wish for your subdomain (for example search) and the value of your server IP address.
So your sub-domain will look similar to the one below. If you wish to configure your main domain you can do that also.
search.yourdomain.com
Step 1: Install Java JDK
Java is necessary to install ElasticSearch. Install Java JDK using the following command.
sudo apt install openjdk-8-jdk
Step 2: Configure Java Environment variable
Use the update-alternatives command to get the installation path of your Java version.
sudo update-alternatives --config java
The OpenJDK 8 binary is located at /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
Copy the installation path of your default version, without the trailing /jre/bin/java, and add it in the JAVA_HOME environment variable.
sudo nano /etc/environment
At the end of this file, add the following line with your installation path. JAVA_HOME must name the Java installation directory rather than the java binary, so for OpenJDK 8 the variable will be as follows.
JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"
Hit Ctrl+X followed by Y and Enter to save and exit the nano editor.
Now the JAVA_HOME environment variable is set and available for all users.
Reload to apply changes.
source /etc/environment
To verify the Java environment variable:
echo $JAVA_HOME
You will get the installation path you just set.
Now Java is successfully installed and you can install Elasticsearch.
Step 3: Install ElasticSearch
Import Elasticsearch repository’s GPG key.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Add the repository to the sources list of your Ubuntu server or system.
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
Update the package list and install ElasticSearch.
sudo apt update
sudo apt install elasticsearch
Once Elasticsearch is installed you can restrict port 9200 from outside access by editing the elasticsearch.yml file: uncomment network.host and replace the value with the internal IP, any IP, or localhost.
sudo nano /etc/elasticsearch/elasticsearch.yml
So it looks like this.
network.host: INTERNAL_IP
You can also use localhost as the host, or any IP address you wish.
Hit Ctrl+X followed by Y and Enter to save the file and exit.
Now start Elasticsearch and enable it to start on server boot.
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
Now make sure your Elasticsearch service is running.
sudo systemctl status elasticsearch
Test your installation by sending an HTTP request.
curl -X GET "INTERNAL_IP:9200"
You will get a response with name, cluster_name, cluster_uuid, version.
Step 4: Install Nginx
Now it’s time to install Nginx.
sudo apt install nginx
Step 5: Configure Firewall (UFW)
The firewall provides an additional layer of security to your instance by blocking inbound network traffic. The ufw (Uncomplicated Firewall) package is usually installed by default in Ubuntu 18.04 LTS. Its default policy denies all incoming traffic and allows all outgoing traffic, so we only need to add rules for the ports we want open: SSH (22), HTTP (80) and HTTPS (443).
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable
Step 6: Install Fail2ban
Fail2ban works alongside ufw: it monitors intrusion attempts to your instance and blocks the offending host for a set period of time, so let’s install it now.
sudo apt install fail2ban
sudo service fail2ban start
Step 7: Configure Nginx
Now you can configure the Nginx reverse proxy for your Elasticsearch.
Remove the default configurations.
sudo rm /etc/nginx/sites-available/default
sudo rm /etc/nginx/sites-enabled/default
Create a new Nginx configuration file.
sudo nano /etc/nginx/sites-available/search.conf
Paste the following.
Note: You need to use the exact same IP or localhost that you used as the host in the Elasticsearch configuration.
server {
    listen [::]:80;
    listen 80;
    server_name search.yourdomain.com;

    location / {
        proxy_pass http://INTERNAL_IP:9200;
        proxy_redirect off;
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}
Save and exit the file.
Enable your configuration by creating a symbolic link.
sudo ln -s /etc/nginx/sites-available/search.conf /etc/nginx/sites-enabled/search.conf
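The note in this step requires the proxy_pass address to be the same one set as network.host in Step 3. The script below is an added example, not part of the original guide, that reads both files, checks that they match and flags a wildcard bind that would leave port 9200 reachable around the proxy. The function names are illustrative, and it assumes a single-valued network.host and a hostname or IPv4 upstream.

```shell
#!/usr/bin/env bash
# Added example: verify that Elasticsearch listens only on a private address
# and that the Nginx proxy_pass upstream targets that same address.

# Print network.host from elasticsearch.yml; Elasticsearch binds to loopback
# when the setting is absent or commented out, so fall back to "localhost".
es_bind_host() {
    local value
    value=$(grep -E '^[[:space:]]*network\.host:' "$1" | tail -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' | tr -d "\"'")
    echo "${value:-localhost}"
}

# Print the host of the first uncommented proxy_pass upstream in an Nginx config.
nginx_upstream_host() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eo 'proxy_pass[[:space:]]+https?://[^:/;]+' | head -n 1 | sed 's#.*://##'
}

# Treat the loopback spellings as one address for comparison.
normalize_host() {
    case "$1" in
        localhost|127.0.0.1|_local_) echo loopback ;;
        *) echo "$1" ;;
    esac
}

# Exit status: 0 consistent, 1 Elasticsearch bound to every interface, 2 mismatch.
check_proxy_binding() {
    local es_host up_host
    es_host=$(es_bind_host "$1")
    up_host=$(nginx_upstream_host "$2")
    case "$es_host" in
        0.0.0.0|::|_global_)
            echo "FAIL: network.host=$es_host exposes port 9200 beyond the proxy"; return 1 ;;
    esac
    if [ "$(normalize_host "$es_host")" != "$(normalize_host "$up_host")" ]; then
        echo "FAIL: proxy_pass targets '$up_host' but Elasticsearch binds '$es_host'"; return 2
    fi
    echo "OK: Nginx proxies to $up_host, matching network.host"
}

# Run against this guide's paths when both files are readable (needs sudo on Ubuntu).
ES_YML=/etc/elasticsearch/elasticsearch.yml
NGX_CONF=/etc/nginx/sites-available/search.conf
if [ -r "$ES_YML" ] && [ -r "$NGX_CONF" ]; then
    check_proxy_binding "$ES_YML" "$NGX_CONF"
fi
```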
Step 8: Create SSL certificate and enable HTTP/2
Install Certbot.
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
Now that Certbot by Let’s Encrypt is installed for Ubuntu 18.04, run this command to receive your certificates.
sudo certbot --nginx certonly
Enter your email and agree to the terms and conditions. You will then receive the list of domains for which you can generate an SSL certificate.
To select all domains simply hit Enter.
The Certbot client will automatically generate the new certificate for your domain. Now we need to update the Nginx config.
Step 9: Redirect HTTPS in Nginx
Open your site’s Nginx configuration file and replace everything with the following, replacing the file paths with the ones you received when obtaining the SSL certificate. The ssl_certificate directive should point to your fullchain.pem file, and the ssl_certificate_key directive should point to your privkey.pem file.
server {
    listen [::]:80;
    listen 80;
    server_name search.yourdomain.com;
    return 301 https://search.yourdomain.com$request_uri;
}

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name search.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/search.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/search.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://INTERNAL_IP:9200;
        proxy_redirect off;
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}
The http2 value is all that is needed to enable the HTTP/2 protocol.
Note that this configuration only terminates TLS and redirects HTTP to HTTPS. SSL hardening, a Content Security Policy, X-XSS-Protection, clickjacking and MIME-sniffing protection, a Referrer Policy and Access-Control-Allow-Origin are further Nginx security tweaks that it does not set.
Hit CTRL+X followed by Y to save the changes.
Check your configuration and restart Nginx for the changes to take effect.
sudo nginx -t
sudo service nginx restart
Step 10: Renewing SSL Certificate
Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. Set up a cron job that checks for certificates due to expire in the next 30 days and renews them automatically.
sudo crontab -e
Add this line at the end of the file.
0 0,12 * * * certbot renew >/dev/null 2>&1
Hit CTRL+X followed by Y to save the changes.
This cron job checks twice daily whether the certificate needs renewing.
Conclusion
Now you have learned how to install Elasticsearch and secure it with a free Let’s Encrypt SSL certificate on Ubuntu.
Thanks for your time. If you face any problem or have any feedback, please leave a comment below.