# Generate passwords: # # $ printf "user:$(openssl passwd -crypt user)\n" > users # $ printf "admin:$(openssl passwd -crypt admin)\n" > admins # # Run: # # $ nginx -p $PWD/nginx/ -c $PWD/nginx_http_auth_roles.conf # events { worker_connections 1024; } http { upstream elasticsearch { server 127.0.0.1:9200; } # Allow HEAD / for all # # curl -i -X HEAD 'http://localhost:8080' # HTTP/1.1 200 OK # # curl -i -X GET 'http://localhost:8080' # HTTP/1.1 403 Forbidden # server { listen 8080; server_name elasticsearch_all.local; location / { return 401; } location = / { if ($request_method !~ "HEAD") { return 403; break; } proxy_pass http://elasticsearch; proxy_redirect off; } } # Allow access to /_search and /_analyze for authenticated "users" # # curl -i 'http://localhost:8081/_search' # HTTP/1.1 401 Unauthorized # # curl -i 'http://user:user@localhost:8081/_search' # HTTP/1.1 200 OK # # curl -i 'http://user:user@localhost:8081/_analyze?text=Test' # HTTP/1.1 200 OK # # curl -i 'http://user:user@localhost:8081/_cluster/health' # HTTP/1.1 403 Forbidden # server { listen 8081; server_name elasticsearch_users.local; auth_basic "Elasticsearch Users"; auth_basic_user_file users; location / { return 403; } location ~* ^(/_search|/_analyze) { proxy_pass http://elasticsearch; proxy_redirect off; } } # Allow access to anything for authenticated "admins" # # curl -i 'http://admin:admin@localhost:8082/_search' # HTTP/1.1 200 OK # # curl -i 'http://admin:admin@localhost:8082/_cluster/health' # HTTP/1.1 200 OK # server { listen 8082; server_name elasticsearch_admins.local; auth_basic "Elasticsearch Admins"; auth_basic_user_file admins; location / { proxy_pass http://elasticsearch; proxy_redirect off; } } }