Project Overview
This project involved addressing a security vulnerability in an Elasticsearch instance hosted on DigitalOcean. The vulnerability stemmed from Elasticsearch being exposed on its default port (9200), allowing unrestricted access. To mitigate this, I implemented an Nginx reverse proxy with SSL encryption to securely route traffic and restrict unauthorized access.
Problem Statement
DigitalOcean flagged my Elasticsearch droplet as vulnerable due to unrestricted access on port 9200. The challenge was to secure the instance while ensuring uninterrupted service and maintaining access control for authorized users.
Solution Implemented:
Scanning for Vulnerabilities
Used Nmap to verify the exposure of Elasticsearch on port 9200.
Confirmed lack of security measures such as authentication and encryption.
Configuring Nginx as a Reverse Proxy
Installed Nginx and configured it to route traffic securely through HTTPS.
Set up an SSL certificate using Let’s Encrypt for encrypted communication.
Proxied requests arriving at https://elastics.jessiecloudops.com to the Elasticsearch port mapped internally on the droplet (9222), so clients never talk to Elasticsearch directly.
Updating Docker Configuration
Modified docker-compose.yaml to expose Elasticsearch only on an internal port (9222).
Enabled xpack.security.enabled=true to enforce authentication.
Created a superuser password for Elasticsearch access.
Implemented a restart policy for persistence across reboots.
Firewall and Security Enhancements
Configured firewall rules to allow only HTTPS traffic (port 443) and block HTTP (port 80).
Ensured only the Nginx reverse proxy could communicate with Elasticsearch.
Testing and Validation
Verified secure access to Elasticsearch using curl -u elastic:<password> https://elastics.jessiecloudops.com.
Tested Nginx configuration and reloaded services to apply changes.
Monitored logs to confirm successful request handling through the reverse proxy.
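The configuration steps above, as one added example (not the project's own docker-compose.yaml, Nginx configuration or firewall script): a Bash script that renders each piece with the values the write-up gives (the domain, internal port 9222, Elasticsearch 7.17.21, xpack.security.enabled=true, port 443 allowed and 80 blocked), checks the compose file for a publicly bound port mapping, and runs the curl and nmap validation only when APPLY=1. The service name, the ELASTIC_PASSWORD environment variable used to set the bootstrap password, the SSH allow rule and the DROPLET_PUBLIC_IP variable are assumptions of the example, not details from the write-up.

```shell
#!/usr/bin/env bash
# Added example, not the project's own files. Renders the hardened
# docker-compose service, the Nginx server block and the UFW rules described
# in the write-up, and checks that the compose file publishes Elasticsearch
# only on the loopback interface. Nothing is applied unless APPLY=1.
# Assumptions: the domain and port 9222 come from the write-up; the service
# name, the SSH allow rule and DROPLET_PUBLIC_IP are hypothetical.

ES_HOST="${ES_HOST:-elastics.jessiecloudops.com}"
ES_INTERNAL_PORT="${ES_INTERNAL_PORT:-9222}"

# Compose service. The decisive line is the port mapping: "127.0.0.1:9222:9200"
# binds the published port to loopback only. A bare "9222:9200" binds 0.0.0.0,
# and Docker inserts its own iptables rules ahead of UFW's, so such a port
# stays reachable from the internet regardless of the ufw rules.
render_compose() {
  cat <<EOF
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.21
    restart: unless-stopped
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=true
      - ELASTIC_PASSWORD=\${ELASTIC_PASSWORD}
    ports:
      - "127.0.0.1:${ES_INTERNAL_PORT}:9200"
EOF
}

# Nginx server block: TLS on 443 with the Let's Encrypt files, proxying to the
# loopback port. No plain-HTTP server is defined because port 80 is blocked.
render_nginx() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${ES_HOST};
    ssl_certificate     /etc/letsencrypt/live/${ES_HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${ES_HOST}/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:${ES_INTERNAL_PORT};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
}
EOF
}

# UFW rules from the write-up, plus an SSH allow (assumed; without it the
# default-deny policy locks you out of the droplet).
render_firewall() {
  cat <<'EOF'
ufw default deny incoming
ufw allow 22/tcp
ufw allow 443/tcp
ufw deny 80/tcp
ufw --force enable
EOF
}

# Returns 0 when no published port in the compose file is bound without a
# host address or to 0.0.0.0, 1 when such a public mapping exists.
check_compose_bindings() {
  if grep -E '^[[:space:]]*-[[:space:]]*"?([0-9]+:[0-9]+|0\.0\.0\.0:[0-9]+:[0-9]+)"?[[:space:]]*$' "$1" >/dev/null; then
    return 1
  fi
  return 0
}

# End-to-end validation matching the write-up's test step: authenticated access
# through the proxy must work, direct access to the old port must not.
verify() {
  curl -fsS -u "elastic:${ELASTIC_PASSWORD}" "https://${ES_HOST}/" >/dev/null \
    && echo "proxy: OK (authenticated over HTTPS)"
  if curl -s -m 5 "http://${DROPLET_PUBLIC_IP}:9200/" >/dev/null; then
    echo "FAIL: port 9200 still answers directly"; return 1
  fi
  nmap -p 9200,"${ES_INTERNAL_PORT}" "${DROPLET_PUBLIC_IP}"   # expect closed/filtered
}

if [ "${APPLY:-0}" = "1" ]; then
  render_compose  > docker-compose.yaml
  check_compose_bindings docker-compose.yaml || { echo "public port mapping found"; exit 1; }
  render_nginx    > /etc/nginx/sites-available/elasticsearch
  ln -sf /etc/nginx/sites-available/elasticsearch /etc/nginx/sites-enabled/
  nginx -t && systemctl reload nginx
  render_firewall | sh
  docker compose up -d
  verify
else
  render_compose; echo; render_nginx; echo; render_firewall
fi
```

Two points the check encodes: moving Elasticsearch from 9200 to 9222 only helps if the mapping is prefixed with 127.0.0.1, because Docker-published ports are not governed by UFW; and with port 80 blocked, Let's Encrypt HTTP-01 renewals will fail, so either open 80 briefly at renewal time or switch Certbot to a DNS-01 challenge.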
Technologies & Tools Used:
Elasticsearch (v7.17.21) – Open-source search and analytics engine.
Nginx – Configured as a reverse proxy for secure access.
Docker & Docker Compose – Managed Elasticsearch deployment.
Let’s Encrypt & Certbot – Provided SSL certificates for encrypted traffic.
Linux (Ubuntu) – Server environment on DigitalOcean.
Nmap – Used for vulnerability scanning.
Firewall Rules (UFW) – Restricted unauthorized access.
Key Outcomes:
Eliminated unrestricted public access to Elasticsearch.
Enforced authentication using X-Pack security.
Routed all client traffic over HTTPS, so credentials and query data are encrypted in transit.
Reduced attack surface by blocking direct access to port 9200.
Maintained operational uptime while implementing security enhancements.
Lessons Learned:
The importance of proactively securing services before they become flagged as vulnerabilities.
How to use Nginx as a reverse proxy to enhance security and access control.
Best practices for securing Elasticsearch deployments using X-Pack security and SSL.
Next Steps:
Implementing further logging and monitoring solutions such as the ELK stack.
Automating security updates and certificate renewals using scripts.
Enhancing role-based access control (RBAC) within Elasticsearch.