Hello guys,
We are trying to configure RoR to be used in Elasticsearch and we have AWS ALB in front of our client nodes, and at this moment the Health Checks are “unhealthy” because we can’t allow the user-agent of ALB to reach Elasticsearch without authentication. We have tried a lot of things to allow the User-Agent header, but without success.
Our configuration:
readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
    - name: "ELB Check"
      headers: ["User-Agent:ELB*HealthChecker*"]
      type: allow
      verbosity: info
    - name: "Accept all requests from ES instances"
      type: allow
      hosts: ["127.0.0.1"]
      verbosity: error
Log Message:
[2019-01-24T11:57:35,156][INFO ][t.b.r.a.ACL ] [elasticsearch-828b3bc109] FORBIDDEN by default req={ ID:172195768-715702389#1229, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.108, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.109:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers_or->false]], [Accept all requests from ES instances->[hosts->false]], [Admin role->[groups->false]] }
Can someone help me?
Thanks
sscarduzio (Simone Scarduzio), January 24, 2019, 1:46pm
Maybe try this:
readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
    - name: "ELB Check"
      # actions: ["cluster:monitor/main"] <--- optionally enable this, once the headers work.
      headers: ["User-Agent:ELB-HealthChecker/2.0"]
      verbosity: info
Doesn’t work with or without actions.
readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
    - name: "ELB Check"
      actions: ["cluster:monitor/main"]
      headers: ["User-Agent:ELB-HealthChecker/2.0"]
      verbosity: info
[2019-01-24T14:02:41,162][INFO ][t.b.r.a.ACL ] [elasticsearch-2e45206fea] FORBIDDEN by default req={ ID:215046618-1891695805#170, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.108, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.11:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers->false]], [Accept all requests from ES instances->[hosts->false]], [Admin role->[groups->false]] }
Btw, versions we are using:
ES Version: 6.5.4
RoR Version: 1.16.33
sscarduzio (Simone Scarduzio), January 24, 2019, 6:10pm
Something is wrong with headers rule. Let me check.
Hi, I will wait for your feedback.
sscarduzio (Simone Scarduzio), January 25, 2019, 12:50pm
I found the bug and fixed it. Nice catch.
You will have a pre-build to be tested within the hour.
Many thanks, Simone!
How can I download the plugin to install?
Awesome! This solves my problem!
ALLOWED by { name: 'ELB Check', policy: ALLOW, rules: [actions, headers]} req={ ID:1619012652-1308390624#100, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.35, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.11:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers->true, actions->true]] }
sscarduzio (Simone Scarduzio), January 25, 2019, 4:36pm
OK, that’s great.
For anyone who lands here from a Google search: this fix is present since ROR ES 1.16.34 (yet to be released at the time of writing).
Many thanks for your help!
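For reading ACL lines like the ones quoted in this thread, an added example (not part of any post and not ReadonlyREST code): it parses the decision, the User-Agent and the HIS rule history, and flags the symptom seen here, a headers rule evaluating false although the logged header satisfies the configured value. The sample lines are shortened from the thread's logs, the function names are hypothetical, and treating `*` as a shell-style glob is an assumption.

```python
import re
from fnmatch import fnmatchcase

# Constructed samples, shortened from the two kinds of ACL line quoted in the thread.
DENIED = (
    "FORBIDDEN by default req={ ID:1, ACT:cluster:monitor/main, OA:10.4.4.108, "
    "MET:GET, PTH:/, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0}, "
    "HIS:[ELB Check->[headers->false]], "
    "[Accept all requests from ES instances->[hosts->false]] }")
ALLOWED = (
    "ALLOWED by { name: 'ELB Check', policy: ALLOW, rules: [actions, headers]} "
    "req={ ID:2, ACT:cluster:monitor/main, OA:10.4.4.35, MET:GET, PTH:/, "
    "HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0}, "
    "HIS:[ELB Check->[headers->true, actions->true]] }")

FIELD = re.compile(r"\b(ACT|OA|MET|PTH):([^,]+),")
BLOCK = re.compile(r"\[([^\[\]]+?)->\[([^\[\]]*)\]\]")  # [block name->[rule->bool, ...]]

def parse_acl_line(line):
    """Return decision, request fields, User-Agent and per-block rule results."""
    decision = re.search(r"\b(ALLOWED|FORBIDDEN)\b", line)
    if not decision:
        return None
    out = {"decision": decision.group(1)}
    out.update({k: v.strip() for k, v in FIELD.findall(line)})
    ua = re.search(r"User-Agent=([^,}]+)", line)
    out["user_agent"] = ua.group(1).strip() if ua else None
    history = {}
    _, _, tail = line.partition("HIS:")
    for name, rules in BLOCK.findall(tail):
        pairs = (r.partition("->") for r in rules.split(","))
        history[name.strip()] = {k.strip(): v.strip() == "true" for k, _, v in pairs if v}
    out["history"] = history
    return out

def failed_rules(parsed):
    """List (block, rule) pairs that evaluated false for this request."""
    return [(b, r) for b, rules in parsed["history"].items() for r, ok in rules.items() if not ok]

def header_rule_mismatch(parsed, block, pattern):
    """True when the logged User-Agent satisfies the configured pattern but the
    block's headers rule still evaluated false (points at the plugin, not the config)."""
    # Assumption: '*' in the configured header value behaves like a shell-style glob.
    rules = parsed["history"].get(block, {})
    result = next((ok for r, ok in rules.items() if r.startswith("headers")), None)
    return result is False and fnmatchcase(parsed["user_agent"] or "", pattern)
```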