We are using ES 6.2.x and RoR with a fairly minimal allow these IPs give these IPs read access kind of configuration and I am hitting an issue I am stumped by.
We have a webpage to update the content of an important small index. It is trying to call out via jquery ajax to an ES node an make an update. No matter what I do I cannot get the ROR rule to recognize the IP is inside of the allowed list as I expect.
Here is the RoR config:
readonlyrest:
#optional
response_if_req_forbidden: This request has been refused because it originated from an unknown or untrusted source.access_control_rules: - name: known-es-server-list hosts: ["10.68.4.150", "10.68.119.136", "10.68.119.137", "10.68.4.134", "10.68.4.140", "10.68.4.145", "10.68.4.134"] verbosity: error **- name: tmat-gui**** hosts: [“10.68.4.150”, “10.68.119.137”]**
** x_forwarded_for: [“10.68.119.137”, “10.68.4.150”]**
** indices: [“top*”]**- name: unknown-hosts actions: ["indices:data/read/*"] indices: ["*"]
I’ve bolded the rule I want to trigger. The web page currently lives on the server 10.68.4.150. But when I do a update from the web I get a 403 and the following entry in the log:
FORBIDDEN by default req={ ID:1935681806-46942591#530, TYP:IndexRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:indices:data/write/index, OA:10.7.49.40, DA:10.68.119.137, IDX:topmatch_update, MET:POST, PTH:/topmatch_update/standard/AWJxu_1cQE2eEwIxRms-, CNT:<OMITTED, LENGTH=210>, HDR:{Accept=application/json, text/javascript, /; q=0.01, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9, Connection=keep-alive, Content-Length=210, Content-Type=application/json, Host=10.68.119.137:9200, Origin=http://10.68.4.150, Referer=http://10.68.4.150/, User-Agent=Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36, X-Forwarded-For=10.68.119.137}, HIS:[known-es-server-list->[hosts->false]], [tmat-gui->[hosts->false]], [unknown-hosts->[indices->true, actions->false]] }
I’ve bolded the troublesome bit. Because when I add that IP to my RoR config for the relevant rule-set, the log of the POST works and the log message is now:
[t.b.r.a.ACL ] ALLOWED by { name: ‘tmat-gui’, policy: ALLOW} req={ ID:805491376-350324441#1362, TYP:IndexRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:indices:data/write/index, OA:10.7.49.40, DA:10.68.119.137, IDX:topmatch_update, MET:POST, PTH:/topmatch_update/standard/AWJxu_1cQE2eEwIxRms-, CNT:<OMITTED, LENGTH=205>, HDR:{Accept=application/json, text/javascript, /; q=0.01, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9, Connection=keep-alive, Content-Length=205, Content-Type=application/json, Host=10.68.119.137:9200, Origin=http://10.68.4.150, Referer=http://10.68.4.150/, User-Agent=Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36, X-Forwarded-For=10.68.119.137}, HIS:[known-es-server-list->[hosts->false]], [tmat-gui->[indices->true, hosts->true, x_forwarded_for->true]] }
The problem here is that that 10.7.49.40 IP is the client and is not knowable ahead of time and also is likely to change. Ideally I want connection coming from a specific server to be allowed regardless of what IP the client has (there will be sign on before it is available in production) but I feel like I am missing something super obvious.How do I get RoR to accept the value from the X-Forwarded-For header and ignore the OA value?