Search code examples
amazon-web-serviceselasticsearchreverse-proxyhttp-proxytinyproxy

Reverse Proxy for Amazon Elasticsearch in VPC

Using Amazon's Elasticsearch with a VPC and security groups doesn't allow you to access the endpoint from an endpoint outside of the VPC, even if you add an exception in the security group.

As a result, a reverse proxy has to be setup to access the cluster from outside of the VPC.

I'm trying to configure this with tinyproxy and am failing. All curl requests to localhost:443 give me curl: (52) Empty reply from server

I'm winging this configuration, as I've never setup a proxy before.

when I execute curl -XGET http://localhost:8888

It hangs...

Here is my Log (it loops this output)

NOTICE    Jan 29 01:27:46 [10561]: Waiting servers (0) is less than    MinSpareServers (5). Creating new child.
CONNECT   Jan 29 01:27:46 [10574]: Connect (file descriptor 6):     localhost [127.0.0.1]
CONNECT   Jan 29 01:27:46 [10574]: Request (file descriptor 6): GET / HTTP/1.0
INFO      Jan 29 01:27:46 [10574]: process_request: trans Host GET http://127.0.0.1:8888/ for 6
INFO      Jan 29 01:27:46 [10574]: No upstream proxy for 127.0.0.1
CONNECT   Jan 29 01:27:46 [10574]: Established connection to host "127.0.0.1" using file descriptor 7.
NOTICE    Jan 29 01:27:51 [10561]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 29 01:27:51 [10575]: Connect (file descriptor 6): localhost [127.0.0.1]
CONNECT   Jan 29 01:27:51 [10575]: Request (file descriptor 6): GET / HTTP/1.0
INFO      Jan 29 01:27:51 [10575]: process_request: trans Host GET http://127.0.0.1:8888/ for 6
INFO      Jan 29 01:27:51 [10575]: No upstream proxy for 127.0.0.1
CONNECT   Jan 29 01:27:51 [10575]: Established connection to host "127.0.0.1" using file descriptor 7.

Here is my config file:

User nobody
Group nogroup

Port 8888

Timeout 600

DefaultErrorFile "/usr/share/tinyproxy/default.html"

StatFile "/usr/share/tinyproxy/stats.html"

Logfile "/var/log/tinyproxy/tinyproxy.log"

LogLevel Info

PidFile "/var/run/tinyproxy/tinyproxy.pid"

upstream localhost:8888 "https://vpc-test-urlinfo.es.amazonaws.com"

MaxClients 100

MinSpareServers 5
MaxSpareServers 20

StartServers 10

MaxRequestsPerChild 0

Allow 127.0.0.1
#Allow 192.168.0.0/16
#Allow 172.16.0.0/12
#Allow 10.0.0.0/8

ConnectPort 443
ConnectPort 563
ConnectPort 8888

ReverseOnly Yes
ReverseBaseURL "http://localhost:8888/"
Solution

  • Instead of using tinyproxy try using Nginx. It is very easy to configure. Refer to the following steps.

    Installing Nginx:

    In this case I am using Ubuntu 16.04, so we will need to install nginx and apache2-utils for creating the Basic HTTP Auth accounts.

    $ apt update && apt upgrade -y $ apt install nginx apache2-utils -y

    Configure Nginx: Our main config: /etc/nginx/nginx.conf:

    /etc/nginx/nginx.conf

    > user www-data; worker_processes auto; pid /run/nginx.pid; error_log
> /var/log/nginx/error.log;
> 
> events {   worker_connections 1024; }
> 
> http {
> 
>   # Basic Settings   sendfile on;   tcp_nopush on;   tcp_nodelay on;  
> keepalive_timeout 65;   types_hash_max_size 2048;  
> server_names_hash_bucket_size 128;
> 
>   include /etc/nginx/mime.types;   default_type
> application/octet-stream;
> 
>   # Logging Settings
>         log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
>                       '$status $body_bytes_sent "$http_referer" '
>                       '"$http_user_agent" "$http_x_forwarded_for"';
> 
>   access_log /var/log/nginx/access.log main;
> 
>   # Gzip Settings   gzip on;   gzip_disable "msie6";
> 
>   # Elasticsearch and Kibana Configs   include
> /etc/nginx/conf.d/elasticsearch.conf;   include
> /etc/nginx/conf.d/kibana.conf; }

    Our /etc/nginx/conf.d/elasticsearch.conf configuration:

    /etc/nginx/conf.d/elasticsearch.conf

    server {

  listen 80;
  server_name elasticsearch.domain.com;

  # error logging
  error_log /var/log/nginx/elasticsearch_error.log;

  # authentication: elasticsearch
  auth_basic "Elasticsearch Auth";
  auth_basic_user_file /etc/nginx/.secrets_elasticsearch;

  location / {

    proxy_http_version 1.1;
    proxy_set_header Host https://search-elasticsearch-name.eu-west-1.es.amazonaws.com;
    proxy_set_header X-Real-IP <ELASTIC-IP>;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
    proxy_set_header Authorization "";

    proxy_pass https://search-elasticsearch-name.eu-west-1.es.amazonaws.com/;
    proxy_redirect https://search-elasticsearch-name.eu-west-1.es.amazonaws.com/ http://<ELASTIC-IP>/;

  }

  # ELB Health Checks
  location /status {
    root /usr/share/nginx/html/;
  }

}

    Create User Accounts for HTTP Basic Auth

    Create the 2 accounts for authentication on kibana and elasticsearch:

    $ htpasswd -c /etc/nginx/.secrets_elasticsearch elasticsearch-admin
$ htpasswd -c /etc/nginx/.secrets_kibana kibana-admin

    Restart Nginx:

    Restart and enable Nginx on boot:

    $ systemctl enable nginx
$ systemctl restart nginx