Allow AWS ELB HealthCheck by User-Agent Header


(Paulo Dias) #1

Hello guys,

We are trying to configure RoR to be used with Elasticsearch, and we have an AWS ALB in front of our client nodes. At this moment the health checks are “unhealthy” because we can’t allow the user-agent of the ALB to reach Elasticsearch without authentication. We have tried a lot of things to allow the User-Agent header, but without success.

Our configuration:

readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
  - name: "ELB Check"
    headers: ["User-Agent:ELB*HealthChecker*"]
    type: allow
    verbosity: info
  - name: "Accept all requests from ES instances"
    type: allow
    hosts: ["127.0.0.1"]
    verbosity: error

Log Message:

[2019-01-24T11:57:35,156][INFO ][t.b.r.a.ACL              ] [elasticsearch-828b3bc109] FORBIDDEN by default req={ ID:172195768-715702389#1229, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.108, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.109:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers_or->false]], [Accept all requests from ES instances->[hosts->false]], [Admin role->[groups->false]] }

Can someone help me?

Thanks


(Simone Scarduzio) #2

Maybe try this:

readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
  - name: "ELB Check"
    # actions: ["cluster:monitor/main"] <--- optionally enable this, once the headers work.
    headers: ["User-Agent:ELB-HealthChecker/2.0"]
    verbosity: info

(Paulo Dias) #3

Doesn’t work with or without actions.

readonlyrest:
  enabled: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
  - name: "ELB Check"
    actions: ["cluster:monitor/main"]
    headers: ["User-Agent:ELB-HealthChecker/2.0"]
    verbosity: info

[2019-01-24T14:02:41,162][INFO ][t.b.r.a.ACL              ] [elasticsearch-2e45206fea] FORBIDDEN by default req={ ID:215046618-1891695805#170, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.108, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.11:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers->false]], [Accept all requests from ES instances->[hosts->false]], [Admin role->[groups->false]] }

:frowning:


(Paulo Dias) #4

Btw, versions we are using:

ES Version: 6.5.4
RoR Version: 1.16.33


(Simone Scarduzio) #5

Something is wrong with the headers rule. Let me check.


(Paulo Dias) #6

Hi, I will wait for your feedback.


(Simone Scarduzio) #7

I found the bug and fixed it. Nice catch :slight_smile:
You will have a pre-build to test within the hour.


(Paulo Dias) #8

Many thanks Simone! :slight_smile:

How can I download the plugin to install it?


(Simone Scarduzio) #9

Please try this build:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.34-pre2/readonlyrest-1.16.34-pre2_es6.5.4.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190125/eu-west-1/s3/aws4_request&X-Amz-Date=20190125T154324Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=4b5e487386907a89f6c19eeeb9409d8694b8fe3e3d4678c43cf7f1ab6d5433f5


(Paulo Dias) #10

Awesome! This solves my problem!

ALLOWED by { name: 'ELB Check', policy: ALLOW, rules: [actions, headers]} req={ ID:1619012652-1308390624#100, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.35, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.11:9200, Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers->true, actions->true]] }
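The ACL log lines quoted in this thread are dense, and the HIS field is the part that tells you which block and which rule rejected or accepted a request. The following Python script is an added example, not code from ReadonlyREST or from any post above: it parses the FORBIDDEN and ALLOWED lines quoted in the thread into their fields (verdict, action, origin address, headers, rule history) and then runs a simplified first-matching-block evaluation of the ACL from post #1 against the parsed request. The wildcard matching via fnmatch and the block evaluation order are assumptions about the intended semantics, not RoR's actual engine (the `headers_or->false` in the real log was the bug fixed in 1.16.34); the "hardened" block that pins the health-check rule to the load balancer's address uses the OA 10.4.4.108 from the log as a constructed value and is not part of the original configuration.

```python
import fnmatch
import re

# Sample input: the two ACL log lines quoted in this thread (constructed copies).
FORBIDDEN_LINE = (
    "[2019-01-24T11:57:35,156][INFO ][t.b.r.a.ACL              ] [elasticsearch-828b3bc109] "
    "FORBIDDEN by default req={ ID:172195768-715702389#1229, TYP:MainRequest, CGR:N/A, "
    "USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.108, "
    "DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, "
    "User-Agent=ELB-HealthChecker/2.0, content-length=0, Host=10.4.4.109:9200, "
    "Accept-Encoding=gzip, compressed}, HIS:[ELB Check->[headers_or->false]], "
    "[Accept all requests from ES instances->[hosts->false]], [Admin role->[groups->false]] }"
)
ALLOWED_LINE = (
    "ALLOWED by { name: 'ELB Check', policy: ALLOW, rules: [actions, headers]} req={ "
    "ID:1619012652-1308390624#100, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], "
    "BRS:true, KDX:null, ACT:cluster:monitor/main, OA:10.4.4.35, DA:0.0.0.0, IDX:<N/A>, "
    "MET:GET, PTH:/, CNT:<N/A>, HDR:{Connection=close, User-Agent=ELB-HealthChecker/2.0, "
    "content-length=0, Host=10.4.4.11:9200, Accept-Encoding=gzip, compressed}, "
    "HIS:[ELB Check->[headers->true, actions->true]] }"
)

LOG_RE = re.compile(
    r"(?P<verdict>ALLOWED|FORBIDDEN)\b.*?"
    r"ACT:(?P<act>[^,]+), OA:(?P<oa>[^,]+),.*?"
    r"MET:(?P<met>[^,]+), .*?"
    r"HDR:\{(?P<hdr>[^}]*)\}, HIS:(?P<his>\[.*\])"
)
# One "[block name->[rule->bool, ...]]" entry of the HIS field.
HIS_RE = re.compile(r"\[([^\[\]]+?)->\[([^\[\]]*)\]\]")


def parse_headers(hdr_body):
    """Parse 'Name=value, Name=value' into a dict keyed by lower-cased name."""
    headers, last = {}, None
    for token in hdr_body.split(", "):
        if "=" in token:
            name, value = token.split("=", 1)
            last = name.lower()
            headers[last] = value
        elif last is not None:
            # A token without '=' is the tail of a comma-separated value
            # such as "Accept-Encoding=gzip, compressed".
            headers[last] += ", " + token
    return headers


def parse_history(his):
    """Return [(block name, {rule: matched?}), ...] in evaluation order."""
    out = []
    for block, rules in HIS_RE.findall(his):
        results = {}
        for item in rules.split(", "):
            rule, verdict = item.split("->")
            results[rule] = verdict == "true"
        out.append((block, results))
    return out


def parse_line(line):
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ACL log line")
    return {
        "verdict": m.group("verdict"),
        "act": m.group("act"),
        "oa": m.group("oa"),
        "method": m.group("met"),
        "headers": parse_headers(m.group("hdr")),
        "history": parse_history(m.group("his")),
    }


def header_rule_matches(patterns, headers):
    # Every configured "Name:pattern" must be present and match (assumed wildcard semantics).
    for pattern in patterns:
        name, value_pat = pattern.split(":", 1)
        actual = headers.get(name.lower())
        if actual is None or not fnmatch.fnmatchcase(actual, value_pat):
            return False
    return True


def evaluate(acl, req):
    """First block whose every rule matches wins (assumed semantics); None means forbidden."""
    for block in acl:
        checks = []
        if "headers" in block:
            checks.append(header_rule_matches(block["headers"], req["headers"]))
        if "actions" in block:
            checks.append(any(fnmatch.fnmatchcase(req["act"], p) for p in block["actions"]))
        if "hosts" in block:
            checks.append(req["oa"] in block["hosts"])
        if checks and all(checks):
            return block["name"]
    return None


# The ACL from post #1, as plain dicts.
ORIGINAL_ACL = [
    {"name": "ELB Check", "headers": ["User-Agent:ELB*HealthChecker*"]},
    {"name": "Accept all requests from ES instances", "hosts": ["127.0.0.1"]},
]
# Constructed hardened variant: a User-Agent is client-controlled, so the health-check
# block also pins the action and the load balancer's origin address (10.4.4.108 from the log).
HARDENED_ACL = [
    {"name": "ELB Check", "headers": ["User-Agent:ELB-HealthChecker/2.0"],
     "actions": ["cluster:monitor/main"], "hosts": ["10.4.4.108"]},
    {"name": "Accept all requests from ES instances", "hosts": ["127.0.0.1"]},
]

if __name__ == "__main__":
    for line in (FORBIDDEN_LINE, ALLOWED_LINE):
        req = parse_line(line)
        print(req["verdict"], req["oa"], req["headers"]["user-agent"], req["history"])
        print("  original ACL ->", evaluate(ORIGINAL_ACL, req))
        print("  hardened ACL ->", evaluate(HARDENED_ACL, req))
```

Running it shows that the wildcard rule from post #1 should have matched the logged request under the assumed semantics, which is consistent with the thread's conclusion that the headers rule itself was at fault; it also shows that the hardened block admits the same health-check request from the load balancer's address but nothing else, while the parsed history of the ALLOWED line confirms both the headers and actions rules evaluated true.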

(Simone Scarduzio) #11

OK, that’s great :slight_smile:

For whoever lands here from a Google search: this fix is present since ROR ES 1.16.34 (yet to be released at the time of writing).


(Paulo Dias) #12

Many thanks for your help!