Forbidden Errors when starting up ElasticSearch

This is my output log when Elastic and ROR are loaded successfully. It's a non-stop error log that keeps generating!

  • It looks like ElasticSearch keeps pinging on the path / and keeps getting the Forbidden error. I tried to pre-empt it by looking at some other posts and set up my config as below, but it doesn't seem to help! Any suggestions?
  • Also, it doesn't look like my custom "Forbidden by ReadonlyREST ES plugin" is being picked up as configured in the response_if_req_forbidden tag below. Any ideas why?

readonlyrest.yml

readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

  access_control_rules:
    - name: "just that action from localhost"
      type: allow
      actions: ["cluster:monitor/main"]
      hosts: ["127.0.0.1"]

    - name: "Global Access"
      auth_key: "elastic:changeme"
      verbosity: "error"

    - name: "My Index Access"
      auth_key: "elastic:writeme"
      type: allow
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["myindex-*", "<no_index>"]

Error

[2018-03-15T17:39:40,759][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:2034247693-1077991590#15, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:10.187.25.247, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:Connection,content-length,host,X-Forwarded-For,X-Forwarded-Port,X-Forwarded-Proto, HIS: }
[2018-03-15T17:39:40,759][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:675900048-2000261686#17, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:10.187.25.247, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:Connection,content-length,host,X-Forwarded-For,X-Forwarded-Port,X-Forwarded-Proto, HIS: }
[2018-03-15T17:39:40,759][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:1781429987-611602478#18, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:10.187.25.247, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:Connection,content-length,host,X-Forwarded-For,X-Forwarded-Port,X-Forwarded-Proto, HIS: }

Hi @titan1978,

Not sure what is polling on your ES, but:

  1. Your first rule block restricts to 127.0.0.1, while the origin address of the requests is 10.187.25.247, as you can see from the “OA” field in the log lines (it stands for originating address).

  2. The <no_index> was made obsolete about a year ago; remove it.

@sscarduzio

  1. I have set up the ROR on client nodes which are fronted by an ElasticLoadBalancer. NSLOOKUP on the load balancer picked up these IPs. I suspect it's the ELB health check that's firing these requests. Is there a way to exclude OA based on DNS names?
  2. Will do

  1. Yes, you can use names, and by the way, for load balancers have a look at x-forwarded-for.
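To make the diagnosis in this thread concrete, here is an added example (not ReadonlyREST's own code and not from either poster): it parses the ACL log lines quoted above, counts what is being denied and from where, and runs the posted rule blocks through a simplified model of ROR's first-match evaluation. The model only covers the `hosts`, `actions` and "does `auth_key` see a basic auth header" conditions; the ELB subnet `10.187.25.0/24` and the rule name `elb health check` are assumptions for illustration, not values from the thread.

```python
"""Parse ReadonlyREST ACL log lines and model why the 'hosts: 127.0.0.1'
rule never matches the load balancer's HEAD / health checks.
Added example; the rule matching below is a simplified model, not ROR's engine."""
import ipaddress
import re
from collections import Counter
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Constructed sample: the three lines quoted in the thread, copied verbatim.
SAMPLE_LOG = """\
[2018-03-15T17:39:40,759][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:2034247693-1077991590#15, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:10.187.25.247, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:Connection,content-length,host,X-Forwarded-For,X-Forwarded-Port,X-Forwarded-Proto, HIS: }
[2018-03-15T17:39:40,759][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:675900048-2000261686#17, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:10.187.25.247, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:Connection,content-length,host,X-Forwarded-For,X-Forwarded-Port,X-Forwarded-Proto, HIS: }
[2018-03-15T17:39:40,759][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:1781429987-611602478#18, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:10.187.25.247, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:Connection,content-length,host,X-Forwarded-For,X-Forwarded-Port,X-Forwarded-Proto, HIS: }
"""

NO_AUTH = "[no basic auth header]"
LINE_RE = re.compile(r"\] (?P<verdict>FORBIDDEN|ALLOWED)\b.*?req=\{(?P<body>.*)\}\s*$")


def parse_acl_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one ROR ACL log line into a dict of its req={...} fields plus VERDICT."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = {"VERDICT": m.group("verdict")}
    # Fields are "KEY:value" separated by ", ".  HDR lists header names with
    # commas but no following space, so splitting on ", " keeps it whole.
    for part in m.group("body").split(", "):
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key] = value.strip()
    return fields


def summarize(log: str) -> Counter:
    """Count denied requests by (origin address, method, path, action):
    the quickest way to see what is polling the cluster and from where."""
    counts: Counter = Counter()
    for line in log.splitlines():
        f = parse_acl_line(line)
        if f and f["VERDICT"] == "FORBIDDEN":
            counts[(f["OA"], f["MET"], f["PTH"], f["ACT"])] += 1
    return counts


def hosts_match(allowed: List[str], origin: str) -> bool:
    """Model of the `hosts` rule: the origin IP lies in one of the listed IPs/CIDRs."""
    ip = ipaddress.ip_address(origin)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)


def first_matching_rule(fields: Dict[str, str], rules: List[dict]) -> Optional[str]:
    """First block whose every configured condition holds wins; None means
    'FORBIDDEN by default'.  An auth_key block can only match a request that
    carries a basic auth header at all (credential checking is out of scope)."""
    for rule in rules:
        if "hosts" in rule and not hosts_match(rule["hosts"], fields["OA"]):
            continue
        if "actions" in rule and not any(fnmatch(fields["ACT"], p) for p in rule["actions"]):
            continue
        if "auth_key" in rule and fields["USR"] == NO_AUTH:
            continue
        return rule["name"]
    return None


# The access_control_rules as posted in the thread.
THREAD_ACL = [
    {"name": "just that action from localhost", "hosts": ["127.0.0.1"],
     "actions": ["cluster:monitor/main"]},
    {"name": "Global Access", "auth_key": "elastic:changeme"},
    {"name": "My Index Access", "auth_key": "elastic:writeme",
     "actions": ["indices:data/read/*", "indices:data/write/*",
                 "indices:admin/template/*", "indices:admin/create"]},
]

# Hypothetical fix: also allow the health check from the ELB nodes' subnet.
# 10.187.25.0/24 is an assumed value, not something stated in the thread.
ELB_ACL = [
    {"name": "elb health check", "hosts": ["127.0.0.1", "10.187.25.0/24"],
     "actions": ["cluster:monitor/main"]},
] + THREAD_ACL[1:]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(f"{n:>3}x denied  OA={key[0]} {key[1]} {key[2]} ({key[3]})")
    req = parse_acl_line(SAMPLE_LOG.splitlines()[0])
    print("thread ACL  ->", first_matching_rule(req, THREAD_ACL))
    print("ELB ACL     ->", first_matching_rule(req, ELB_ACL))
```

The summary shows the whole log is one source (OA 10.187.25.247) doing HEAD / with no credentials, and the model shows why none of the posted blocks can match it: the first block is pinned to 127.0.0.1, and the other two need a basic auth header the health check never sends. Widening the first block to the balancer's addresses is what turns the verdict into a match; the HDR field confirms the balancer also forwards X-Forwarded-For, which is the header the reply above points at.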