Linux-UNIX: Elastic Search configuration

Encrypted Elasticsearch traffic is supported through SSL termination: NGINX terminates the client's TLS session in front of Elasticsearch, so the inspection engine sees the decrypted hop before the traffic is re-encrypted towards Elasticsearch.

Configuration guidelines:
  • Elasticsearch is configured to listen on the loopback device only, so that SSL termination can occur on the public interface.
  • Elasticsearch stores its certificate and private key in a PKCS12 file; both must be converted to PEM files before NGINX can use them.
  • In this example, the inspection engine (IE) is configured to capture traffic on port 9201. Traffic enters the system encrypted on public port 9200, is decrypted and routed to port 9201, then re-encrypted and passed to loopback port 9200, where Elasticsearch handles it.
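The PKCS12-to-PEM conversion that the second guideline calls for, as an added example that is not part of the original page. It assumes openssl is installed; the keystore path, password and output paths are placeholders, and the keystore used for the offline demo is a constructed self-signed one standing in for the Elasticsearch keystore. The last function checks that the extracted certificate and key actually belong together, which is the usual reason an NGINX start fails after this step.

```shell
#!/bin/sh
# Added example (not from the original page): convert a PKCS12 keystore into the
# PEM certificate and key files NGINX expects, then verify that they match.
# Assumes openssl is on PATH. All paths and the password are placeholders.
set -e

# Build a constructed, self-signed PKCS12 keystore for demonstration only;
# in a real deployment this is the Elasticsearch keystore.
# Arguments: output .p12 path, keystore password.
make_demo_keystore() {
    p12="$1"; pass="$2"; tmp="${p12%.p12}"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=elasticsearch.example" \
        -keyout "$tmp.demo.key" -out "$tmp.demo.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$tmp.demo.key" -in "$tmp.demo.crt" \
        -out "$p12" -passout "pass:$pass"
    rm -f "$tmp.demo.key" "$tmp.demo.crt"
}

# Extract the certificate (with any chain) and the unencrypted private key
# from a PKCS12 keystore into PEM files.
# Arguments: .p12 path, keystore password, output .crt path, output .key path.
pkcs12_to_pem() {
    p12="$1"; pass="$2"; crt="$3"; key="$4"
    # -nokeys: certificates only.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -out "$crt"
    # -nocerts -nodes: private key only, left unencrypted because NGINX cannot
    # prompt for a passphrase at startup. The subshell umask keeps the key
    # file readable by its owner only.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$key" )
}

# Return 0 when the PEM certificate and PEM key carry the same public key,
# i.e. NGINX will accept the pair without a key/certificate mismatch error.
# Arguments: .crt path, .key path.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Offline demo: run with the argument "demo" to exercise the full sequence.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_keystore "$d/es.p12" "changeit"
    pkcs12_to_pem "$d/es.p12" "changeit" "$d/es.crt" "$d/es.key"
    if cert_matches_key "$d/es.crt" "$d/es.key"; then
        echo "certificate and key match: $d/es.crt $d/es.key"
    else
        echo "certificate/key mismatch" >&2
    fi
fi
```

After copying the resulting .crt and .key into the paths named by ssl_certificate and ssl_certificate_key, run nginx -t to confirm the configuration loads before restarting the service; the "Bag Attributes" header lines that openssl writes ahead of the PEM data are ignored by NGINX and need not be stripped.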

An example NGINX configuration for Elasticsearch (placeholders in angle brackets are replaced with the host's own values):

[root@<elasticsearch host> ~]# cat /etc/nginx/nginx.conf
user  elasticsearch;
worker_processes  1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    # Plaintext hop on port 9201: this is the traffic the inspection engine
    # captures. It is re-encrypted towards Elasticsearch on loopback port 9200.
    server {
        listen                 9201;
        server_name            <elasticsearch hostname>;
        location / {
            proxy_ssl_certificate      /usr/share/elasticsearch/config/<elasticsearch hostname>.crt;
            proxy_ssl_certificate_key  /usr/share/elasticsearch/config/<elasticsearch hostname>.key;
            proxy_pass                 https://localhost:9200;
            proxy_http_version         1.1;
        }
    }
    # SSL termination on the public interface, port 9200, using the PEM files
    # converted from the Elasticsearch PKCS12 keystore.
    server {
        listen                 <elasticsearch host>:9200 ssl;
        server_name            <elasticsearch host>;
        ssl_certificate        /usr/share/elasticsearch/config/<elasticsearch hostname>.crt;
        ssl_certificate_key    /usr/share/elasticsearch/config/<elasticsearch hostname>.key;
        location / {
            proxy_pass         http://<elasticsearch hostname>:9201;
            proxy_http_version 1.1;
        }
    }
}
[root@<elasticsearch hostname> ~]#

Typical inspection engine configuration (note that real_db_port, port_range_start and port_range_end all name the decrypted hop, 9201, and encryption is 0 because NGINX has already terminated SSL):
[DB_0]
connect_to_ip=127.0.0.1,::1
db2_fix_pack_adjustment=20
db2_shmem_client_position=0
db2_shmem_size=131072
db2bp_path=NULL
db_exec_file=NULL
db_install_dir=NULL
db_type=EL_SEARCH
db_user=elastic
encryption=0
db_version=9
instance_running=1
intercept_types=NULL
load_balanced=1
port_range_end=9201
port_range_start=9201
priority_count=20
real_db_port=9201
tap_identifier=el_search_9.98.176.129(9300,9300,DB_0)
tee_listen_port=0
unix_domain_socket_marker=NULL
networks=0.0.0.0/0.0.0.0,::/0
exclude_networks=