Allow AWS ELB HealthCheck by User-Agent Header

Hello guys,

We are trying to configure RoR to be used in Elasticsearch and we have AWS ALB in front of our client nodes, and at this moment the Health Checks are “unhealthy” because we can’t allow the user-agent of ALB to reach elasticsearch without authentication. We have tried a lot of things to allow the User-Agent header, but without success.

Our configuration:

readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
  - name: "ELB Check"
    headers: ["User-Agent:ELB*HealthChecker*"]
    type: allow
    verbosity: info
  - name: "Accept all requests from ES instances"
    type: allow
    hosts: ["127.0.0.1"]
    verbosity: error

Log Message:

[2019-01-24T11:57:35,156][INFO ][t.b.r.a.ACL              ] [elasticsearch-828b3bc109] FORBIDDEN by default req={ ID:172195768-715702389#1229, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.108, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.109:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers_or->false]], [Accept all requests from ES instances->[hosts->false]], [Admin role->[groups->false]] }

Can someone help me?

Thanks

Maybe try this:

readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
  - name: "ELB Check"
    # actions: ["cluster:monitor/main"] <--- optionally enable this, once the headers work.
    headers: ["User-Agent:ELB-HealthChecker/2.0"]
    verbosity: info

Doesn’t work with or without actions.

readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
  - name: "ELB Check"
    actions: ["cluster:monitor/main"]
    headers: ["User-Agent:ELB-HealthChecker/2.0"]
    verbosity: info

[2019-01-24T14:02:41,162][INFO ][t.b.r.a.ACL              ] [elasticsearch-2e45206fea] FORBIDDEN by default req={ ID:215046618-1891695805#170, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.108, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.11:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers->false]], [Accept all requests from ES instances->[hosts->false]], [Admin role->[groups->false]] }

:frowning:

Btw, versions we are using:

ES Version: 6.5.4
RoR Version: 1.16.33

Something is wrong with headers rule. Let me check.

Hi, I will wait for your feedback.

I found the bug and fixed it. Nice catch :slight_smile:
You will have a pre-build to be tested within the hour.

Many thanks Simone! :slight_smile:

How can I download the plugin to install?

Please try this build:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.34-pre2/readonlyrest-1.16.34-pre2_es6.5.4.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190125/eu-west-1/s3/aws4_request&X-Amz-Date=20190125T154324Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=4b5e487386907a89f6c19eeeb9409d8694b8fe3e3d4678c43cf7f1ab6d5433f5

Awesome! This solves my problem!

ALLOWED by { name: 'ELB Check', policy: ALLOW, rules: [actions, headers]} req={ ID:1619012652-1308390624#100, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.35, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.11:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers->true, actions->true]] }

OK That’s great :slight_smile:

For whoever lands here from a Google search, this fix is present since ROR ES 1.16.34 (yet to be released at the time of writing).

Many thanks for your help!

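The log lines in this thread record, in the HIS field, which rule of each block returned false. As an added example (not from the thread or from ReadonlyREST itself), this parser reads that field and also lists ALLOWED hits on the header-keyed block whose origin address is outside the load balancer's subnet, since the User-Agent value is set by the client. The subnet 10.4.4.0/24 and the sample lines are assumptions constructed from the thread's logs.

```python
import ipaddress
import re

# Assumptions: ALB subnet inferred from the OA values in the thread's logs; SAMPLE lines are
# constructed, abbreviated copies of the thread's log format (203.0.113.7 is a made-up origin).
ALB_SUBNETS = [ipaddress.ip_network("10.4.4.0/24")]
HEALTH_BLOCK = "ELB Check"  # block name from the thread's config
DECISION = re.compile(r"ALLOWED by \{ name: '(?P<block>[^']+)'|FORBIDDEN by default")
FIELD = re.compile(r"\b(ACT|OA|MET|PTH):([^,]+),")
HISTORY = re.compile(r"\[([^\[\]]+)->\[([^\]]*)\]\]")
REQ = "ACT:cluster:monitor/main, OA:{oa}, MET:GET, PTH:/, HDR:{{User-Agent=ELB-HealthChecker/2.0}}, "
ALLOW = "ALLOWED by { name: 'ELB Check', policy: ALLOW, rules: [actions, headers]} req={ "
SAMPLE = [
    "FORBIDDEN by default req={ " + REQ.format(oa="10.4.4.108")
    + "HIS:[ELB Check->[headers->false]], [Admin role->[groups->false]] }",
    ALLOW + REQ.format(oa="10.4.4.35") + "HIS:[ELB Check->[headers->true, actions->true]] }",
    ALLOW + REQ.format(oa="203.0.113.7") + "HIS:[ELB Check->[headers->true, actions->true]] }",
]


def parse_acl_line(line):
    """Split one ACL log line into matched block, request fields and per-block rule results."""
    m = DECISION.search(line)
    if not m or "req={" not in line:
        return None
    head, _, his = line[line.index("req={"):].partition("HIS:")
    history = {block: {k: v == "true" for k, v in
                       (r.split("->") for r in rules.split(", ") if r)}
               for block, rules in HISTORY.findall(his)}
    return {"block": m["block"], "fields": dict(FIELD.findall(head)), "history": history}


def failed_rules(rec):
    """Blocks that did not match, each with the rules that evaluated to false."""
    return {b: [r for r, ok in rules.items() if not ok]
            for b, rules in rec["history"].items() if not all(rules.values())}


def off_subnet_health_allows(lines):
    """ALLOWED hits on the header-keyed block whose origin address is outside the ALB subnets."""
    hits = []
    for rec in filter(None, map(parse_acl_line, lines)):
        if rec["block"] == HEALTH_BLOCK:
            origin = ipaddress.ip_address(rec["fields"]["OA"])
            if not any(origin in net for net in ALB_SUBNETS):
                hits.append((rec["fields"]["OA"], rec["fields"]["ACT"]))
    return hits


if __name__ == "__main__":
    print(failed_rules(parse_acl_line(SAMPLE[0])))
    print(off_subnet_health_allows(SAMPLE))
```

Keeping the `actions` rule in the block, as in the working config above, limits what such an off-subnet hit can reach to `cluster:monitor/main`.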