vdubyna/.gitignore

## 6 changes: 6 additions & 0 deletions nginx_authorize_by_lua.conf
@@ -34,6 +34,7 @@ events {

    http {
http {

      upstream elasticsearch {
  upstream elasticsearch {

        server 127.0.0.1:9200;
    server 127.0.0.1:9200;

        keepalive 15;
    keepalive 15;

      }
  }


      server {
  server {
@@ -47,6 +48,11 @@ http {


          proxy_pass http://elasticsearch;
      proxy_pass http://elasticsearch;

          proxy_redirect off;
      proxy_redirect off;

          proxy_buffering off;
      proxy_buffering off;


          proxy_http_version 1.1;
      proxy_http_version 1.1;

          proxy_set_header Connection "Keep-Alive";
      proxy_set_header Connection "Keep-Alive";

          proxy_set_header Proxy-Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";

        }
    }


      }
  }


## 9 changes: 4 additions & 5 deletions authorize.lua
@@ -80,10 +80,10 @@ local restrictions = {

    local role = ngx.var.remote_user
local role = ngx.var.remote_user

    ngx.log(ngx.DEBUG, role)
ngx.log(ngx.DEBUG, role)


    -- 1] Exit 403 when no matching role has been found
-- 1] Exit 403 when no matching role has been found

    -- exit 403 when no matching role has been found
-- exit 403 when no matching role has been found

    if restrictions[role] == nil then
if restrictions[role] == nil then

      ngx.header.content_type = 'text/plain'
  ngx.header.content_type = 'text/plain'

      ngx.log(ngx.WARN, "Unknown role "..role)
  ngx.log(ngx.WARN, "Unknown role "..role)

      ngx.log(ngx.WARN, "Unknown role ["..role.."]")
  ngx.log(ngx.WARN, "Unknown role ["..role.."]")

      ngx.status = 403
  ngx.status = 403

      ngx.say("403 Forbidden: You don\'t have access to this resource.")
  ngx.say("403 Forbidden: You don\'t have access to this resource.")

      return ngx.exit(403)
  return ngx.exit(403)
@@ -114,14 +114,13 @@ for path, methods in pairs(restrictions[role]) do

      if p and m then
  if p and m then

        allowed = true
    allowed = true

        ngx.log(ngx.NOTICE, method.." "..uri.." matched: "..tostring(m).." "..tostring(path).." for "..role)
    ngx.log(ngx.NOTICE, method.." "..uri.." matched: "..tostring(m).." "..tostring(path).." for "..role)

        break
    break

      end
  end

    end
end


    ngx.log(ngx.NOTICE, "Allowed? "..tostring(allowed))
ngx.log(ngx.NOTICE, "Allowed? "..tostring(allowed))


    if not allowed then
if not allowed then

      ngx.header.content_type = 'text/plain'
  ngx.header.content_type = 'text/plain'

      ngx.log(ngx.WARN, "Role "..role.." not allowed to access the resource")
  ngx.log(ngx.WARN, "Role "..role.." not allowed to access the resource")

      ngx.log(ngx.WARN, "Role ["..role.."] not allowed to access the resource ["..method.." "..uri.."]")
  ngx.log(ngx.WARN, "Role ["..role.."] not allowed to access the resource ["..method.." "..uri.."]")

      ngx.status = 403
  ngx.status = 403

      ngx.say("403 Forbidden: You don\'t have access to this resource.")
  ngx.say("403 Forbidden: You don\'t have access to this resource.")

      return ngx.exit(403)
  return ngx.exit(403)


## 14 changes: 7 additions & 7 deletions nginx_authorize_by_lua.conf
@@ -1,9 +1,9 @@

    # Generate passwords:
# Generate passwords:

    #
#

    #     $ printf "john:$(openssl passwd -crypt john)\n"   >> passwords
#     $ printf "john:$(openssl passwd -crypt john)\n"   >> passwords

    #     $ printf "all:$(openssl passwd -crypt all)\n"     >> passwords
#     $ printf "all:$(openssl passwd -crypt all)\n"     >> passwords

    #     $ printf "user:$(openssl passwd -crypt user)\n"   >> passwords
#     $ printf "user:$(openssl passwd -crypt user)\n"   >> passwords

    #     $ printf "admin:$(openssl passwd -crypt admin)\n" >> passwords
#     $ printf "admin:$(openssl passwd -crypt admin)\n" >> passwords

    #     $ printf "nobody:$(openssl passwd -crypt nobody)\n" >> passwords
#     $ printf "nobody:$(openssl passwd -crypt nobody)\n" >> passwords

    #     $ printf "all:$(openssl passwd -crypt all)\n"       >> passwords
#     $ printf "all:$(openssl passwd -crypt all)\n"       >> passwords

    #     $ printf "user:$(openssl passwd -crypt user)\n"     >> passwords
#     $ printf "user:$(openssl passwd -crypt user)\n"     >> passwords

    #     $ printf "admin:$(openssl passwd -crypt admin)\n"   >> passwords
#     $ printf "admin:$(openssl passwd -crypt admin)\n"   >> passwords

    #
#

    # Install the Nginx with Lua support ("openresty"):
# Install the Nginx with Lua support ("openresty"):

    #
#
@@ -25,15 +25,15 @@


    worker_processes  1;
worker_processes  1;


    error_log logs/lua_error.log notice;
error_log logs/lua_error.log notice;

    error_log logs/lua.log notice;
error_log logs/lua.log notice;


    events {
events {

        worker_connections 1024;
    worker_connections 1024;

      worker_connections 1024;
  worker_connections 1024;

    }
}


    http {
http {

      upstream elasticsearch {
  upstream elasticsearch {

        server 127.0.0.1:9250;
    server 127.0.0.1:9250;

        server 127.0.0.1:9200;
    server 127.0.0.1:9200;

      }
  }


      server {
  server {


## 18 changes: 18 additions & 0 deletions nginx_basic_proxy.conf
@@ -0,0 +1,18 @@

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_basic_proxy.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_basic_proxy.conf

    #     $ curl localhost:8000
#     $ curl localhost:8000

    #
#


    events {
events {

      worker_connections  1024;
  worker_connections  1024;

    }
}


    http {
http {

      server {
  server {

        listen 8080;
    listen 8080;

        location / {
    location / {

          proxy_pass http://localhost:9200;
      proxy_pass http://localhost:9200;

        }
    }

      }
  }

    }
}

## 37 changes: 37 additions & 0 deletions nginx_http_auth_allow_path.conf
@@ -0,0 +1,37 @@

    # Generate password with eg.
# Generate password with eg.

    #
#

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_allow_path.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_allow_path.conf

    #
#


    events {
events {

      worker_connections  1024;
  worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

        server 127.0.0.1:9200;
    server 127.0.0.1:9200;

      }
  }


      server {
  server {

        listen 8080;
    listen 8080;


        auth_basic "Protected Elasticsearch";
    auth_basic "Protected Elasticsearch";

        auth_basic_user_file passwords;
    auth_basic_user_file passwords;


        location ~* ^(/_cluster|/_nodes) {
    location ~* ^(/_cluster|/_nodes) {

          proxy_pass http://elasticsearch;
      proxy_pass http://elasticsearch;

          proxy_redirect off;
      proxy_redirect off;

        }
    }


        location / {
    location / {

          return 403;
      return 403;

          break;
      break;

        }
    }

      }
  }


    }
}

## 62 changes: 29 additions & 33 deletions nginx_http_auth_allow_path_and_method.conf
@@ -1,62 +1,58 @@

    # Generate password with eg.
# Generate password with eg.

    #
#

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_allow_path_and_method.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_allow_path_and_method.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

      worker_connections  1024;
  worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

        server 127.0.0.1:9200;
    server 127.0.0.1:9200;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;

        listen 8080;
    listen 8080;


          error_log   elasticsearch_proxy-errors.log;
      error_log   elasticsearch_proxy-errors.log;

          access_log  elasticsearch_proxy.log;
      access_log  elasticsearch_proxy.log;

        location / {
    location / {

          error_page 590 = @elasticsearch;
      error_page 590 = @elasticsearch;

          error_page 595 = @protected_elasticsearch;
      error_page 595 = @protected_elasticsearch;


          location / {
      location / {

            error_page 590 = @elasticsearch;
        error_page 590 = @elasticsearch;

            error_page 595 = @protected_elasticsearch;
        error_page 595 = @protected_elasticsearch;

          set $ok 0;
      set $ok 0;


            set $ok 0;
        set $ok 0;


            if ($request_uri ~ ^/$) {
        if ($request_uri ~ ^/$) {

              set $ok "${ok}1";
          set $ok "${ok}1";

            }
        }


            if ($request_method = HEAD) {
        if ($request_method = HEAD) {

              set $ok "${ok}2";
          set $ok "${ok}2";

            }
        }


            if ($ok = 012) {
        if ($ok = 012) {

              return 590;
          return 590;

            }
        }

          if ($request_uri ~ ^/$) {
      if ($request_uri ~ ^/$) {

            set $ok "${ok}1";
        set $ok "${ok}1";

          }
      }


            return 595;
        return 595;

          if ($request_method = HEAD) {
      if ($request_method = HEAD) {

            set $ok "${ok}2";
        set $ok "${ok}2";

          }
      }


          location @elasticsearch {
      location @elasticsearch {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          if ($ok = 012) {
      if ($ok = 012) {

            return 590;
        return 590;

          }
      }


          location @protected_elasticsearch {
      location @protected_elasticsearch {

            auth_basic           "Protected Elasticsearch";
        auth_basic           "Protected Elasticsearch";

            auth_basic_user_file passwords;
        auth_basic_user_file passwords;

          return 595;
      return 595;

        }
    }


            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }

        location @elasticsearch {
    location @elasticsearch {

          proxy_pass http://elasticsearch;
      proxy_pass http://elasticsearch;

          proxy_redirect off;
      proxy_redirect off;

        }
    }


        location @protected_elasticsearch {
    location @protected_elasticsearch {

          auth_basic           "Protected Elasticsearch";
      auth_basic           "Protected Elasticsearch";

          auth_basic_user_file passwords;
      auth_basic_user_file passwords;


          proxy_pass http://elasticsearch;
      proxy_pass http://elasticsearch;

          proxy_redirect off;
      proxy_redirect off;

        }
    }

      }
  }


    }
}

## 25 changes: 10 additions & 15 deletions nginx_http_auth_basic.conf
@@ -1,37 +1,32 @@

    # Generate password with eg.
# Generate password with eg.

    #
#

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_basic.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_basic.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

      worker_connections  1024;
  worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

        server 127.0.0.1:9200;
    server 127.0.0.1:9200;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;

        listen 8080;
    listen 8080;


          error_log   elasticsearch_proxy-errors.log;
      error_log   elasticsearch_proxy-errors.log;

          access_log  elasticsearch_proxy.log;
      access_log  elasticsearch_proxy.log;


          auth_basic           "Protected Elasticsearch";
      auth_basic           "Protected Elasticsearch";

          auth_basic_user_file passwords;
      auth_basic_user_file passwords;


          location / {
      location / {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }

        auth_basic "Protected Elasticsearch";
    auth_basic "Protected Elasticsearch";

        auth_basic_user_file passwords;
    auth_basic_user_file passwords;


        location / {
    location / {

          proxy_pass http://elasticsearch;
      proxy_pass http://elasticsearch;

          proxy_redirect off;
      proxy_redirect off;

        }
    }

      }
  }


    }
}

## 29 changes: 14 additions & 15 deletions nginx_http_auth_deny_path.conf
@@ -1,38 +1,37 @@

    # Generate password with eg.
# Generate password with eg.

    #
#

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" > passwords

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_deny_path.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_deny_path.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

      worker_connections  1024;
  worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

        server 127.0.0.1:9200;
    server 127.0.0.1:9200;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;

        listen 8080;
    listen 8080;


          auth_basic           "Protected Elasticsearch";
      auth_basic           "Protected Elasticsearch";

          auth_basic_user_file passwords;
      auth_basic_user_file passwords;

        auth_basic "Protected Elasticsearch";
    auth_basic "Protected Elasticsearch";

        auth_basic_user_file passwords;
    auth_basic_user_file passwords;


          location / {
      location / {

            if ($request_uri ~ _shutdown) {
        if ($request_uri ~ _shutdown) {

              return 403;
          return 403;

              break;
          break;

            }
        }


            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

        location / {
    location / {

          if ($request_filename ~ _shutdown) {
      if ($request_filename ~ _shutdown) {

            return 403;
        return 403;

            break;
        break;

          }
      }


          proxy_pass http://elasticsearch;
      proxy_pass http://elasticsearch;

          proxy_redirect off;
      proxy_redirect off;

        }
    }

      }
  }


    }
}

## 20 changes: 10 additions & 10 deletions nginx_http_auth_roles.conf
@@ -1,21 +1,21 @@

    # Generate passwords:
# Generate passwords:

    #
#

    #     $ printf "user:$(openssl passwd -crypt user)\n"   >> users
#     $ printf "user:$(openssl passwd -crypt user)\n"   >> users

    #     $ printf "admin:$(openssl passwd -crypt admin)\n" >> admins
#     $ printf "admin:$(openssl passwd -crypt admin)\n" >> admins

    #     $ printf "user:$(openssl passwd -crypt user)\n"   > users
#     $ printf "user:$(openssl passwd -crypt user)\n"   > users

    #     $ printf "admin:$(openssl passwd -crypt admin)\n" > admins
#     $ printf "admin:$(openssl passwd -crypt admin)\n" > admins

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_roles.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_roles.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

      worker_connections  1024;
  worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

          server 127.0.0.1:9200;
      server 127.0.0.1:9200;

      }
  }


      # Allow HEAD / for all
  # Allow HEAD / for all
@@ -28,7 +28,7 @@ http {

      #
  #

      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_all;
      server_name elasticsearch_all;

          server_name elasticsearch_all.local;
      server_name elasticsearch_all.local;


          location / {
      location / {

            return 401;
        return 401;
@@ -45,7 +45,7 @@ http {

          }
      }

      }
  }


      # Allow accessing /_search for authenticated "users"
  # Allow accessing /_search for authenticated "users"

      # Allow access to /_search and /_analyze for authenticated "users"
  # Allow access to /_search and /_analyze for authenticated "users"

      #
  #

      #   curl -i  'http://localhost:8081/_search'
  #   curl -i  'http://localhost:8081/_search'

      #   HTTP/1.1 401 Unauthorized
  #   HTTP/1.1 401 Unauthorized
@@ -61,7 +61,7 @@ http {

      #
  #

      server {
  server {

          listen 8081;
      listen 8081;

          server_name elasticsearch_users;
      server_name elasticsearch_users;

          server_name elasticsearch_users.local;
      server_name elasticsearch_users.local;


          auth_basic           "Elasticsearch Users";
      auth_basic           "Elasticsearch Users";

          auth_basic_user_file users;
      auth_basic_user_file users;
@@ -70,13 +70,13 @@ http {

            return 403;
        return 403;

          }
      }


          location ~* /_search||_analyze {
      location ~* /_search||_analyze {

          location ~* ^(/_search|/_analyze) {
      location ~* ^(/_search|/_analyze) {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }

      }
  }


      # Allow accessing everything for authenticated "admins"
  # Allow accessing everything for authenticated "admins"

      # Allow access to anything for authenticated "admins"
  # Allow access to anything for authenticated "admins"

      #
  #

      #   curl -i  'http://admin:admin@localhost:8082/_search'
  #   curl -i  'http://admin:admin@localhost:8082/_search'

      #   HTTP/1.1 200 OK
  #   HTTP/1.1 200 OK
@@ -86,7 +86,7 @@ http {

      #
  #

      server {
  server {

          listen 8082;
      listen 8082;

          server_name elasticsearch_admins;
      server_name elasticsearch_admins;

          server_name elasticsearch_admins.local;
      server_name elasticsearch_admins.local;


          auth_basic           "Elasticsearch Admins";
      auth_basic           "Elasticsearch Admins";

          auth_basic_user_file admins;
      auth_basic_user_file admins;


## 21 changes: 10 additions & 11 deletions nginx_keep_alive.conf
@@ -10,21 +10,20 @@ events {

    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

        server 127.0.0.1:9200;
    server 127.0.0.1:9200;


          keepalive 15;
      keepalive 15;

        keepalive 15;
    keepalive 15;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;


          location / {
      location / {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_http_version 1.1;
        proxy_http_version 1.1;

            proxy_set_header Connection "Keep-Alive";
        proxy_set_header Connection "Keep-Alive";

            proxy_set_header Proxy-Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";

          }
      }

        listen 8080;
    listen 8080;


        location / {
    location / {

          proxy_pass http://elasticsearch;
      proxy_pass http://elasticsearch;

          proxy_http_version 1.1;
      proxy_http_version 1.1;

          proxy_set_header Connection "Keep-Alive";
      proxy_set_header Connection "Keep-Alive";

          proxy_set_header Proxy-Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";

        }
    }


      }
  }


## 7 changes: 4 additions & 3 deletions nginx_round_robin.conf → nginx_load_balancer.conf
@@ -1,6 +1,6 @@

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_round_robin.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_round_robin.conf

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_load_balancer.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_load_balancer.conf

    #
#


    events {
events {
@@ -10,8 +10,9 @@ events {

    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

          server 127.0.0.1:9251;
      server 127.0.0.1:9251;

          server 127.0.0.1:9200;
      server 127.0.0.1:9200;

          server 127.0.0.1:9201;
      server 127.0.0.1:9201;

          server 127.0.0.1:9202;
      server 127.0.0.1:9202;

      }
  }


      server {
  server {


## 79 changes: 79 additions & 0 deletions README.markdown
@@ -0,0 +1,79 @@

    Example Nginx Configurations for Elasticsearch
Example Nginx Configurations for Elasticsearch

    ==============================================
==============================================


    This repository contains couple of example configurations for using Nginx as a proxy for Elasticsearch.
This repository contains couple of example configurations for using Nginx as a proxy for Elasticsearch.


    These examples can be run standalone from this repository -- the general pattern is:
These examples can be run standalone from this repository -- the general pattern is:


        $ nginx -p $PWD/nginx/ -c $PWD/<CONFIG FILE>
    $ nginx -p $PWD/nginx/ -c $PWD/<CONFIG FILE>


    When you change the configuration, simply _reload_ the Nginx process to pick up the changes:
When you change the configuration, simply _reload_ the Nginx process to pick up the changes:


        $ nginx -p $PWD/nginx/ -c $PWD/<CONFIG FILE> -s reload
    $ nginx -p $PWD/nginx/ -c $PWD/<CONFIG FILE> -s reload


    Please refer to the Nginx [documentation](http://nginx.org/en/docs/) for  more information.
Please refer to the Nginx [documentation](http://nginx.org/en/docs/) for  more information.


    ## `nginx_round_robin.conf`
## `nginx_round_robin.conf`


    A simple proxy which distributes requests in a round-robin way across configured nodes.
A simple proxy which distributes requests in a round-robin way across configured nodes.


    More information: <http://nginx.org/en/docs/http/ngx_http_upstream_module.html>
More information: <http://nginx.org/en/docs/http/ngx_http_upstream_module.html>


    ## `nginx_keep_alive.conf`
## `nginx_keep_alive.conf`


    Configures the proxy to keep a pool of persistent connections, preventing opening
Configures the proxy to keep a pool of persistent connections, preventing opening

    sockets at Elasticsearch for each connection, e.g. with deficient HTTP clients.
sockets at Elasticsearch for each connection, e.g. with deficient HTTP clients.


    More information: <http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive>
More information: <http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive>


    ## `nginx_http_auth_basic.conf`
## `nginx_http_auth_basic.conf`


    The simplest possible authorization proxy for Elasticsearch: allow access only
The simplest possible authorization proxy for Elasticsearch: allow access only

    to users authenticated with HTTP Basic Auth, with credentials stored in a `passwords` file.
to users authenticated with HTTP Basic Auth, with credentials stored in a `passwords` file.


    ## `nginx_http_auth_deny_path.conf`
## `nginx_http_auth_deny_path.conf`


    A variation on the simple authorization proxy, which prevents access to certain URLs
A variation on the simple authorization proxy, which prevents access to certain URLs

    (`_shutdown`).
(`_shutdown`).


    ## `nginx_http_auth_allow_path_and_method.conf`
## `nginx_http_auth_allow_path_and_method.conf`


    A variation on the authorization proxy, which uses named `location`s to
A variation on the authorization proxy, which uses named `location`s to

    allow certain paths and methods without authorization.
allow certain paths and methods without authorization.


    Demonstrates how to use error codes in Nginx configuration to route requests
Demonstrates how to use error codes in Nginx configuration to route requests

    and how to work around the lack of multiple conditions in Nginx' `if` statement.
and how to work around the lack of multiple conditions in Nginx' `if` statement.


    More information: <http://wiki.nginx.org/RewriteMultiCondExample>
More information: <http://wiki.nginx.org/RewriteMultiCondExample>


    ## `nginx_http_auth_roles.conf`
## `nginx_http_auth_roles.conf`


    Demonstrates how to use multiple Nginx servers to separate access rights for
Demonstrates how to use multiple Nginx servers to separate access rights for

    multiple types of users: unauthenticated, _users_ and _admins_.
multiple types of users: unauthenticated, _users_ and _admins_.


    Unauthenticated users can access `HEAD /`, but nothing else.
Unauthenticated users can access `HEAD /`, but nothing else.


    Authenticated _user_ can access only the `_search` and `_analyze` endpoints
Authenticated _user_ can access only the `_search` and `_analyze` endpoints

    (with whatever HTTP method), other endpoints are denied.
(with whatever HTTP method), other endpoints are denied.


    More information: <http://nginx.org/en/docs/http/ngx_http_core_module.html#location>
More information: <http://nginx.org/en/docs/http/ngx_http_core_module.html#location>


    ## `nginx_authorize_by_lua.conf`
## `nginx_authorize_by_lua.conf`


    Demonstrates how to use custom logic for implementing authorization, via the
Demonstrates how to use custom logic for implementing authorization, via the

    [Lua](http://wiki.nginx.org/HttpLuaModule) support in Nginx.
[Lua](http://wiki.nginx.org/HttpLuaModule) support in Nginx.


    The request is authenticated against credentials in the `passwords` file and if
The request is authenticated against credentials in the `passwords` file and if

    allowed by the `access_by_lua_file` return value, proxied to Elasticsearch.
allowed by the `access_by_lua_file` return value, proxied to Elasticsearch.


    The authorization logic is stored in the `authorize.lua` file, which contains
The authorization logic is stored in the `authorize.lua` file, which contains

    a simple "dictionary" (in the form of Lua _table_) with rules for three
a simple "dictionary" (in the form of Lua _table_) with rules for three

    "roles": anybody, users and admins.
"roles": anybody, users and admins.


    Based on the `$remote_user` Nginx variable value, the request path and method
Based on the `$remote_user` Nginx variable value, the request path and method

    are evaluated against the dictionary, and the request is denied with "403 Forbidden"
are evaluated against the dictionary, and the request is denied with "403 Forbidden"

    if no matching rule is found.
if no matching rule is found.


    Lua and Nginx Overview: <http://www.londonlua.org/scripting_nginx_with_lua/slides.html>
Lua and Nginx Overview: <http://www.londonlua.org/scripting_nginx_with_lua/slides.html>


    More information: <http://openresty.org>
More information: <http://openresty.org>

## 1 change: 1 addition & 0 deletions admins
@@ -0,0 +1 @@

    admin:bHw.s5hN/IvE6
admin:bHw.s5hN/IvE6

## 128 changes: 128 additions & 0 deletions authorize.lua
@@ -0,0 +1,128 @@

    --[[
--[[


    Provides Elasticserach endpoint authorization based on rules in Lua and authenticated user
Provides Elasticserach endpoint authorization based on rules in Lua and authenticated user


    See the `nginx_authorize_by_lua.conf` for the Nginx config.
See the `nginx_authorize_by_lua.conf` for the Nginx config.


    Synopsis:
Synopsis:


    $ /usr/local/openresty/nginx/sbin/nginx -p $PWD/nginx/ -c $PWD/nginx_authorize_by_lua.conf
$ /usr/local/openresty/nginx/sbin/nginx -p $PWD/nginx/ -c $PWD/nginx_authorize_by_lua.conf


    $ curl -i -X HEAD 'http://localhost:8080'
$ curl -i -X HEAD 'http://localhost:8080'

    HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized


    curl -i -X HEAD 'http://all:all@localhost:8080'
curl -i -X HEAD 'http://all:all@localhost:8080'

    HTTP/1.1 200 OK
HTTP/1.1 200 OK


    curl -i -X GET 'http://all:all@localhost:8080'
curl -i -X GET 'http://all:all@localhost:8080'

    HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden


    curl -i -X GET 'http://user:user@localhost:8080'
curl -i -X GET 'http://user:user@localhost:8080'

    HTTP/1.1 200 OK
HTTP/1.1 200 OK


    curl -i -X GET 'http://user:user@localhost:8080/_search'
curl -i -X GET 'http://user:user@localhost:8080/_search'

    HTTP/1.1 200 OK
HTTP/1.1 200 OK


    curl -i -X POST 'http://user:user@localhost:8080/_search'
curl -i -X POST 'http://user:user@localhost:8080/_search'

    HTTP/1.1 200 OK
HTTP/1.1 200 OK


    curl -i -X GET 'http://user:user@localhost:8080/_aliases'
curl -i -X GET 'http://user:user@localhost:8080/_aliases'

    HTTP/1.1 200 OK
HTTP/1.1 200 OK


    curl -i -X POST 'http://user:user@localhost:8080/_aliases'
curl -i -X POST 'http://user:user@localhost:8080/_aliases'

    HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden


    curl -i -X POST 'http://user:user@localhost:8080/myindex/mytype/1' -d '{"title" : "Test"}'
curl -i -X POST 'http://user:user@localhost:8080/myindex/mytype/1' -d '{"title" : "Test"}'

    HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden


    curl -i -X DELETE 'http://user:user@localhost:8080/myindex/'
curl -i -X DELETE 'http://user:user@localhost:8080/myindex/'

    HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden


    curl -i -X POST 'http://admin:admin@localhost:8080/myindex/mytype/1' -d '{"title" : "Test"}'
curl -i -X POST 'http://admin:admin@localhost:8080/myindex/mytype/1' -d '{"title" : "Test"}'

    HTTP/1.1 200 OK
HTTP/1.1 200 OK


    curl -i -X DELETE 'http://admin:admin@localhost:8080/myindex/mytype/1'
curl -i -X DELETE 'http://admin:admin@localhost:8080/myindex/mytype/1'

    HTTP/1.1 200 OK
HTTP/1.1 200 OK


    curl -i -X DELETE 'http://admin:admin@localhost:8080/myindex/'
curl -i -X DELETE 'http://admin:admin@localhost:8080/myindex/'

    HTTP/1.1 200 OK
HTTP/1.1 200 OK


    ]]--
]]--


    -- authorization rules
-- authorization rules


    local restrictions = {
local restrictions = {

      all  = {
  all  = {

        ["^/$"]                             = { "HEAD" }
    ["^/$"]                             = { "HEAD" }

      },
  },


      user = {
  user = {

        ["^/$"]                             = { "GET" },
    ["^/$"]                             = { "GET" },

        ["^/?[^/]*/?[^/]*/_search"]         = { "GET", "POST" },
    ["^/?[^/]*/?[^/]*/_search"]         = { "GET", "POST" },

        ["^/?[^/]*/?[^/]*/_msearch"]        = { "GET", "POST" },
    ["^/?[^/]*/?[^/]*/_msearch"]        = { "GET", "POST" },

        ["^/?[^/]*/?[^/]*/_validate/query"] = { "GET", "POST" },
    ["^/?[^/]*/?[^/]*/_validate/query"] = { "GET", "POST" },

        ["/_aliases"]                       = { "GET" },
    ["/_aliases"]                       = { "GET" },

        ["/_cluster.*"]                     = { "GET" }
    ["/_cluster.*"]                     = { "GET" }

      },
  },


      admin = {
  admin = {

        ["^/?[^/]*/?[^/]*/_bulk"]          = { "GET", "POST" },
    ["^/?[^/]*/?[^/]*/_bulk"]          = { "GET", "POST" },

        ["^/?[^/]*/?[^/]*/_refresh"]       = { "GET", "POST" },
    ["^/?[^/]*/?[^/]*/_refresh"]       = { "GET", "POST" },

        ["^/?[^/]*/?[^/]*/?[^/]*/_create"] = { "GET", "POST" },
    ["^/?[^/]*/?[^/]*/?[^/]*/_create"] = { "GET", "POST" },

        ["^/?[^/]*/?[^/]*/?[^/]*/_update"] = { "GET", "POST" },
    ["^/?[^/]*/?[^/]*/?[^/]*/_update"] = { "GET", "POST" },

        ["^/?[^/]*/?[^/]*/?.*"]            = { "GET", "POST", "PUT", "DELETE" },
    ["^/?[^/]*/?[^/]*/?.*"]            = { "GET", "POST", "PUT", "DELETE" },

        ["^/?[^/]*/?[^/]*$"]               = { "GET", "POST", "PUT", "DELETE" },
    ["^/?[^/]*/?[^/]*$"]               = { "GET", "POST", "PUT", "DELETE" },

        ["/_aliases"]                      = { "GET", "POST" }
    ["/_aliases"]                      = { "GET", "POST" }

      }
  }

    }
}


    -- get authenticated user as role
-- get authenticated user as role

    local role = ngx.var.remote_user
local role = ngx.var.remote_user

    ngx.log(ngx.DEBUG, role)
ngx.log(ngx.DEBUG, role)


    -- 1] Exit 403 when no matching role has been found
-- 1] Exit 403 when no matching role has been found

    if restrictions[role] == nil then
if restrictions[role] == nil then

      ngx.header.content_type = 'text/plain'
  ngx.header.content_type = 'text/plain'

      ngx.log(ngx.WARN, "Unknown role "..role)
  ngx.log(ngx.WARN, "Unknown role "..role)

      ngx.status = 403
  ngx.status = 403

      ngx.say("403 Forbidden: You don\'t have access to this resource.")
  ngx.say("403 Forbidden: You don\'t have access to this resource.")

      return ngx.exit(403)
  return ngx.exit(403)

    end
end


    -- get URL
-- get URL

    local uri = ngx.var.uri
local uri = ngx.var.uri

    ngx.log(ngx.DEBUG, uri)
ngx.log(ngx.DEBUG, uri)


    -- get method
-- get method

    local method = ngx.req.get_method()
local method = ngx.req.get_method()

    ngx.log(ngx.DEBUG, method)
ngx.log(ngx.DEBUG, method)


    local allowed  = false
local allowed  = false


    for path, methods in pairs(restrictions[role]) do
for path, methods in pairs(restrictions[role]) do


      -- path matched rules?
  -- path matched rules?

      local p = string.match(uri, path)
  local p = string.match(uri, path)


      local m = nil
  local m = nil


      -- method matched rules?
  -- method matched rules?

      for _, _method in pairs(methods) do
  for _, _method in pairs(methods) do

        m = m and m or string.match(method, _method)
    m = m and m or string.match(method, _method)

      end
  end


      if p and m then
  if p and m then

        allowed = true
    allowed = true

        ngx.log(ngx.NOTICE, method.." "..uri.." matched: "..tostring(m).." "..tostring(path).." for "..role)
    ngx.log(ngx.NOTICE, method.." "..uri.." matched: "..tostring(m).." "..tostring(path).." for "..role)

      end
  end

    end
end


    ngx.log(ngx.NOTICE, "Allowed? "..tostring(allowed))
ngx.log(ngx.NOTICE, "Allowed? "..tostring(allowed))


    if not allowed then
if not allowed then

      ngx.header.content_type = 'text/plain'
  ngx.header.content_type = 'text/plain'

      ngx.log(ngx.WARN, "Role "..role.." not allowed to access the resource")
  ngx.log(ngx.WARN, "Role "..role.." not allowed to access the resource")

      ngx.status = 403
  ngx.status = 403

      ngx.say("403 Forbidden: You don\'t have access to this resource.")
  ngx.say("403 Forbidden: You don\'t have access to this resource.")

      return ngx.exit(403)
  return ngx.exit(403)

    end
end

## 53 changes: 53 additions & 0 deletions nginx_authorize_by_lua.conf
@@ -0,0 +1,53 @@

    # Generate passwords:
# Generate passwords:

    #
#

    #     $ printf "john:$(openssl passwd -crypt john)\n"   >> passwords
#     $ printf "john:$(openssl passwd -crypt john)\n"   >> passwords

    #     $ printf "all:$(openssl passwd -crypt all)\n"     >> passwords
#     $ printf "all:$(openssl passwd -crypt all)\n"     >> passwords

    #     $ printf "user:$(openssl passwd -crypt user)\n"   >> passwords
#     $ printf "user:$(openssl passwd -crypt user)\n"   >> passwords

    #     $ printf "admin:$(openssl passwd -crypt admin)\n" >> passwords
#     $ printf "admin:$(openssl passwd -crypt admin)\n" >> passwords

    #
#

    # Install the Nginx with Lua support ("openresty"):
# Install the Nginx with Lua support ("openresty"):

    #
#

    #     $ wget http://openresty.org/download/ngx_openresty-1.4.3.9.tar.gz
#     $ wget http://openresty.org/download/ngx_openresty-1.4.3.9.tar.gz

    #     $ tar xf ngx_openresty-*
#     $ tar xf ngx_openresty-*

    #     $ cd ngx_openresty-*
#     $ cd ngx_openresty-*

    #     $
#     $

    #     $ ./configure --with-luajit
#     $ ./configure --with-luajit

    #     $ # ./configure --with-luajit --with-cc-opt="-I/usr/local/include" --with-ld-opt="-L/usr/local/lib" # Mac OS X w/ Homebrew
#     $ # ./configure --with-luajit --with-cc-opt="-I/usr/local/include" --with-ld-opt="-L/usr/local/lib" # Mac OS X w/ Homebrew

    #     $ make && make install
#     $ make && make install

    #
#

    # More information: http://openresty.org/#Installation
# More information: http://openresty.org/#Installation

    #
#

    # See the Lua source code in `authorize.lua`
# See the Lua source code in `authorize.lua`

    #
#

    # Run:
# Run:

    #
#

    #     $ /usr/local/openresty/nginx/sbin/nginx -p $PWD/nginx/ -c $PWD/nginx_authorize_by_lua.conf
#     $ /usr/local/openresty/nginx/sbin/nginx -p $PWD/nginx/ -c $PWD/nginx_authorize_by_lua.conf


    worker_processes  1;
worker_processes  1;


    error_log logs/lua_error.log notice;
error_log logs/lua_error.log notice;


    events {
events {

        worker_connections 1024;
    worker_connections 1024;

    }
}


    http {
http {

      upstream elasticsearch {
  upstream elasticsearch {

        server 127.0.0.1:9250;
    server 127.0.0.1:9250;

      }
  }


      server {
  server {

        listen 8080;
    listen 8080;


        location / {
    location / {

          auth_basic           "Protected Elasticsearch";
      auth_basic           "Protected Elasticsearch";

          auth_basic_user_file passwords;
      auth_basic_user_file passwords;


          access_by_lua_file '../authorize.lua';
      access_by_lua_file '../authorize.lua';


          proxy_pass http://elasticsearch;
      proxy_pass http://elasticsearch;

          proxy_redirect off;
      proxy_redirect off;

        }
    }


      }
  }

    }
}

## 62 changes: 62 additions & 0 deletions nginx_http_auth_allow_path_and_method.conf
@@ -0,0 +1,62 @@

    # Generate password with eg.
# Generate password with eg.

    #
#

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_allow_path_and_method.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_allow_path_and_method.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;


          error_log   elasticsearch_proxy-errors.log;
      error_log   elasticsearch_proxy-errors.log;

          access_log  elasticsearch_proxy.log;
      access_log  elasticsearch_proxy.log;


          location / {
      location / {

            error_page 590 = @elasticsearch;
        error_page 590 = @elasticsearch;

            error_page 595 = @protected_elasticsearch;
        error_page 595 = @protected_elasticsearch;


            set $ok 0;
        set $ok 0;


            if ($request_uri ~ ^/$) {
        if ($request_uri ~ ^/$) {

              set $ok "${ok}1";
          set $ok "${ok}1";

            }
        }


            if ($request_method = HEAD) {
        if ($request_method = HEAD) {

              set $ok "${ok}2";
          set $ok "${ok}2";

            }
        }


            if ($ok = 012) {
        if ($ok = 012) {

              return 590;
          return 590;

            }
        }


            return 595;
        return 595;

          }
      }


          location @elasticsearch {
      location @elasticsearch {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }


          location @protected_elasticsearch {
      location @protected_elasticsearch {

            auth_basic           "Protected Elasticsearch";
        auth_basic           "Protected Elasticsearch";

            auth_basic_user_file passwords;
        auth_basic_user_file passwords;


            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }

      }
  }


    }
}

## 37 changes: 37 additions & 0 deletions nginx_http_auth_basic.conf
@@ -0,0 +1,37 @@

    # Generate password with eg.
# Generate password with eg.

    #
#

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_basic.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_basic.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;


          error_log   elasticsearch_proxy-errors.log;
      error_log   elasticsearch_proxy-errors.log;

          access_log  elasticsearch_proxy.log;
      access_log  elasticsearch_proxy.log;


          auth_basic           "Protected Elasticsearch";
      auth_basic           "Protected Elasticsearch";

          auth_basic_user_file passwords;
      auth_basic_user_file passwords;


          location / {
      location / {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }


      }
  }


    }
}

## 38 changes: 38 additions & 0 deletions nginx_http_auth_deny_path.conf
@@ -0,0 +1,38 @@

    # Generate password with eg.
# Generate password with eg.

    #
#

    #     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords
#     $ printf "john:$(openssl passwd -crypt s3cr3t)\n" >> passwords

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_deny_path.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_deny_path.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;


          auth_basic           "Protected Elasticsearch";
      auth_basic           "Protected Elasticsearch";

          auth_basic_user_file passwords;
      auth_basic_user_file passwords;


          location / {
      location / {

            if ($request_uri ~ _shutdown) {
        if ($request_uri ~ _shutdown) {

              return 403;
          return 403;

              break;
          break;

            }
        }


            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }

      }
  }


    }
}

## 100 changes: 100 additions & 0 deletions nginx_http_auth_roles.conf
@@ -0,0 +1,100 @@

    # Generate passwords:
# Generate passwords:

    #
#

    #     $ printf "user:$(openssl passwd -crypt user)\n"   >> users
#     $ printf "user:$(openssl passwd -crypt user)\n"   >> users

    #     $ printf "admin:$(openssl passwd -crypt admin)\n" >> admins
#     $ printf "admin:$(openssl passwd -crypt admin)\n" >> admins

    #
#

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_roles.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_roles.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

      }
  }


      # Allow HEAD / for all
  # Allow HEAD / for all

      #
  #

      #   curl -i -X HEAD 'http://localhost:8080'
  #   curl -i -X HEAD 'http://localhost:8080'

      #   HTTP/1.1 200 OK
  #   HTTP/1.1 200 OK

      #
  #

      #   curl -i -X GET 'http://localhost:8080'
  #   curl -i -X GET 'http://localhost:8080'

      #   HTTP/1.1 403 Forbidden
  #   HTTP/1.1 403 Forbidden

      #
  #

      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_all;
      server_name elasticsearch_all;


          location / {
      location / {

            return 401;
        return 401;

          }
      }


          location = / {
      location = / {

            if ($request_method !~ "HEAD") {
        if ($request_method !~ "HEAD") {

              return 403;
          return 403;

              break;
          break;

            }
        }


            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }

      }
  }


      # Allow accessing /_search for authenticated "users"
  # Allow accessing /_search for authenticated "users"

      #
  #

      #   curl -i  'http://localhost:8081/_search'
  #   curl -i  'http://localhost:8081/_search'

      #   HTTP/1.1 401 Unauthorized
  #   HTTP/1.1 401 Unauthorized

      #
  #

      #   curl -i  'http://user:user@localhost:8081/_search'
  #   curl -i  'http://user:user@localhost:8081/_search'

      #   HTTP/1.1 200 OK
  #   HTTP/1.1 200 OK

      #
  #

      #   curl -i  'http://user:user@localhost:8081/_analyze?text=Test'
  #   curl -i  'http://user:user@localhost:8081/_analyze?text=Test'

      #   HTTP/1.1 200 OK
  #   HTTP/1.1 200 OK

      #
  #

      #   curl -i  'http://user:user@localhost:8081/_cluster/health'
  #   curl -i  'http://user:user@localhost:8081/_cluster/health'

      #   HTTP/1.1 403 Forbidden
  #   HTTP/1.1 403 Forbidden

      #
  #

      server {
  server {

          listen 8081;
      listen 8081;

          server_name elasticsearch_users;
      server_name elasticsearch_users;


          auth_basic           "Elasticsearch Users";
      auth_basic           "Elasticsearch Users";

          auth_basic_user_file users;
      auth_basic_user_file users;


          location / {
      location / {

            return 403;
        return 403;

          }
      }


          location ~* /_search||_analyze {
      location ~* /_search||_analyze {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }

      }
  }


      # Allow accessing everything for authenticated "admins"
  # Allow accessing everything for authenticated "admins"

      #
  #

      #   curl -i  'http://admin:admin@localhost:8082/_search'
  #   curl -i  'http://admin:admin@localhost:8082/_search'

      #   HTTP/1.1 200 OK
  #   HTTP/1.1 200 OK

      #
  #

      #   curl -i  'http://admin:admin@localhost:8082/_cluster/health'
  #   curl -i  'http://admin:admin@localhost:8082/_cluster/health'

      #   HTTP/1.1 200 OK
  #   HTTP/1.1 200 OK

      #
  #

      server {
  server {

          listen 8082;
      listen 8082;

          server_name elasticsearch_admins;
      server_name elasticsearch_admins;


          auth_basic           "Elasticsearch Admins";
      auth_basic           "Elasticsearch Admins";

          auth_basic_user_file admins;
      auth_basic_user_file admins;


          location / {
      location / {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_redirect off;
        proxy_redirect off;

          }
      }

      }
  }


    }
}

## 31 changes: 31 additions & 0 deletions nginx_keep_alive.conf
@@ -0,0 +1,31 @@

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_keep_alive.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_keep_alive.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;


          keepalive 15;
      keepalive 15;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;


          location / {
      location / {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

            proxy_http_version 1.1;
        proxy_http_version 1.1;

            proxy_set_header Connection "Keep-Alive";
        proxy_set_header Connection "Keep-Alive";

            proxy_set_header Proxy-Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";

          }
      }


      }
  }


    }
}

## 27 changes: 27 additions & 0 deletions nginx_round_robin.conf
@@ -0,0 +1,27 @@

    # Run:
# Run:

    #
#

    #     $ nginx -p $PWD/nginx/ -c $PWD/nginx_round_robin.conf
#     $ nginx -p $PWD/nginx/ -c $PWD/nginx_round_robin.conf

    #
#


    events {
events {

        worker_connections  1024;
    worker_connections  1024;

    }
}


    http {
http {


      upstream elasticsearch {
  upstream elasticsearch {

          server 127.0.0.1:9250;
      server 127.0.0.1:9250;

          server 127.0.0.1:9251;
      server 127.0.0.1:9251;

      }
  }


      server {
  server {

          listen 8080;
      listen 8080;

          server_name elasticsearch_proxy;
      server_name elasticsearch_proxy;


          location / {
      location / {

            proxy_pass http://elasticsearch;
        proxy_pass http://elasticsearch;

          }
      }


      }
  }


    }
}

## 4 changes: 4 additions & 0 deletions passwords
@@ -0,0 +1,4 @@

    john:C8Qf0PmsRcK7s
john:C8Qf0PmsRcK7s

    all:gR9A3zOlFFRDs
all:gR9A3zOlFFRDs

    user:d.q1Wcp0KUqsk
user:d.q1Wcp0KUqsk

    admin:/XyxrPc65koRY
admin:/XyxrPc65koRY

## 1 change: 1 addition & 0 deletions users
@@ -0,0 +1 @@

    user:laYuBcroEif0c
user:laYuBcroEif0c

## 7 changes: 7 additions & 0 deletions .gitignore
@@ -0,0 +1,7 @@

    nginx/
nginx/

    !nginx/.gitkeep
!nginx/.gitkeep

    !nginx/logs/.gitkeep
!nginx/logs/.gitkeep


    src/
src/


    tmp/
tmp/