Reverse Proxy for Amazon Elasticsearch in VPC

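Using Amazon's Elasticsearch with a VPC and security groups does not allow you to access the endpoint from endpoints outside the VPC, even if you add an exception in the security group.

Therefore, a reverse proxy must be set up to access the cluster from outside the VPC.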

I am trying to configure it with tinyproxy, but it fails. All curl requests to localhost:443 give me curl: (52) Empty reply from server

I am using this configuration because I have never set up a proxy before.

When I run curl -XGET http://localhost:8888

it hangs...

Here is my log (the output repeats in a loop)

NOTICE    Jan 29 01:27:46 [10561]: Waiting servers (0) is less than    MinSpareServers (5). Creating new child.
CONNECT   Jan 29 01:27:46 [10574]: Connect (file descriptor 6):     localhost [127.0.0.1]
CONNECT   Jan 29 01:27:46 [10574]: Request (file descriptor 6): GET / HTTP/1.0
INFO      Jan 29 01:27:46 [10574]: process_request: trans Host GET http://127.0.0.1:8888/ for 6
INFO      Jan 29 01:27:46 [10574]: No upstream proxy for 127.0.0.1
CONNECT   Jan 29 01:27:46 [10574]: Established connection to host "127.0.0.1" using file descriptor 7.
NOTICE    Jan 29 01:27:51 [10561]: Waiting servers (0) is less than MinSpareServers (5). Creating new child.
CONNECT   Jan 29 01:27:51 [10575]: Connect (file descriptor 6): localhost [127.0.0.1]
CONNECT   Jan 29 01:27:51 [10575]: Request (file descriptor 6): GET / HTTP/1.0
INFO      Jan 29 01:27:51 [10575]: process_request: trans Host GET http://127.0.0.1:8888/ for 6
INFO      Jan 29 01:27:51 [10575]: No upstream proxy for 127.0.0.1
CONNECT   Jan 29 01:27:51 [10575]: Established connection to host "127.0.0.1" using file descriptor 7.

Here is my configuration file:

User nobody
Group nogroup

Port 8888

Timeout 600

DefaultErrorFile "/usr/share/tinyproxy/default.html"

StatFile "/usr/share/tinyproxy/stats.html"

Logfile "/var/log/tinyproxy/tinyproxy.log"

LogLevel Info

PidFile "/var/run/tinyproxy/tinyproxy.pid"

upstream localhost:8888 "https://vpc-test-urlinfo.es.amazonaws.com"

MaxClients 100

MinSpareServers 5
MaxSpareServers 20

StartServers 10

MaxRequestsPerChild 0

Allow 127.0.0.1
#Allow 192.168.0.0/16
#Allow 172.16.0.0/12
#Allow 10.0.0.0/8

ConnectPort 443
ConnectPort 563
ConnectPort 8888

ReverseOnly Yes
ReverseBaseURL "http://localhost:8888/"

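Try using Nginx instead of tinyproxy. It is easy to configure. Refer to the steps below.

Installing Nginx:

In this example I am using Ubuntu 16.04, so we need to install nginx and apache2-utils to create the basic HTTP authentication accounts.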

$ apt update && apt upgrade -y
$ apt install nginx apache2-utils -y

Configuring Nginx: our main configuration, /etc/nginx/nginx.conf:

/etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;

events {
  worker_connections 1024;
}

http {

  # Basic Settings
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  server_names_hash_bucket_size 128;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Logging Settings
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  access_log /var/log/nginx/access.log main;

  # Gzip Settings
  gzip on;
  gzip_disable "msie6";

  # Elasticsearch and Kibana Configs
  include /etc/nginx/conf.d/elasticsearch.conf;
  include /etc/nginx/conf.d/kibana.conf;
}

Our /etc/nginx/conf.d/elasticsearch.conf configuration:

/etc/nginx/conf.d/elasticsearch.conf

server {

  listen 80;
  server_name elasticsearch.domain.com;

  # error logging
  error_log /var/log/nginx/elasticsearch_error.log;

  # authentication: elasticsearch
  auth_basic "Elasticsearch Auth";
  auth_basic_user_file /etc/nginx/.secrets_elasticsearch;

  location / {

    proxy_http_version 1.1;
    # Host carries a bare hostname (host[:port]), not a URL with a scheme
    proxy_set_header Host search-elasticsearch-name.eu-west-1.es.amazonaws.com;
    proxy_set_header X-Real-IP <ELASTIC-IP>;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
    proxy_set_header Authorization "";

    proxy_pass https://search-elasticsearch-name.eu-west-1.es.amazonaws.com/;
    proxy_redirect https://search-elasticsearch-name.eu-west-1.es.amazonaws.com/ http://<ELASTIC-IP>/;

  }

  # ELB Health Checks
  location /status {
    root /usr/share/nginx/html/;
  }

}

Create user accounts for HTTP basic authentication

Create 2 accounts for authenticating on kibana and elasticsearch:

$ htpasswd -c /etc/nginx/.secrets_elasticsearch elasticsearch-admin
$ htpasswd -c /etc/nginx/.secrets_kibana kibana-admin

Restart Nginx:

Restart Nginx and enable it at boot:

$ systemctl enable nginx
$ systemctl restart nginx
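
An added example, not part of the original answer: a small Python audit of an nginx reverse-proxy server block like the one above. It flags basic auth served on a non-TLS listener, a Host header that contains a URL scheme, and an HTTPS upstream without certificate verification. The sample configs are constructed here and the certificate paths in the hardened variant are assumed placeholders.

```python
import re

# Constructed sample: trimmed copy of the elasticsearch.conf server block above.
ORIGINAL = """
server {
  listen 80;
  auth_basic "Elasticsearch Auth";
  auth_basic_user_file /etc/nginx/.secrets_elasticsearch;
  location / {
    proxy_set_header Host https://search-elasticsearch-name.eu-west-1.es.amazonaws.com;
    proxy_pass https://search-elasticsearch-name.eu-west-1.es.amazonaws.com/;
  }
}
"""
# Constructed hardened variant; certificate paths are placeholders (assumptions).
HARDENED = """
server {
  listen 443 ssl;
  ssl_certificate /etc/nginx/tls/proxy.crt;       # placeholder path
  ssl_certificate_key /etc/nginx/tls/proxy.key;   # placeholder path
  auth_basic "Elasticsearch Auth";
  auth_basic_user_file /etc/nginx/.secrets_elasticsearch;
  location / {
    proxy_set_header Host search-elasticsearch-name.eu-west-1.es.amazonaws.com;
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_pass https://search-elasticsearch-name.eu-west-1.es.amazonaws.com/;
  }
}
"""

def directives(conf):
    """Return (name, args) pairs; naive: a '#' inside quotes is read as a comment."""
    text = re.sub(r"#[^\n]*", "", conf)
    return [(p[0], p[1:]) for p in (s.split() for s in re.split(r"[;{}]", text)) if p]

def audit(conf):
    """Whole-file checks (not per server block) for the three issues in the lead-in."""
    d, findings = directives(conf), []
    auth_on = any(n == "auth_basic" and a != ["off"] for n, a in d)
    if auth_on and any(n == "listen" and "ssl" not in a for n, a in d):
        findings.append("basic-auth-over-plaintext")   # credentials readable in transit
    if any(n == "proxy_set_header" and len(a) > 1 and a[0].lower() == "host"
           and "://" in a[1] for n, a in d):
        findings.append("host-header-has-scheme")      # Host must be host[:port]
    https_up = any(n == "proxy_pass" and a and a[0].startswith("https://") for n, a in d)
    if https_up and not any(n == "proxy_ssl_verify" and a == ["on"] for n, a in d):
        findings.append("upstream-cert-not-verified")  # nginx default is verify off
    return findings

if __name__ == "__main__":
    print(audit(ORIGINAL), audit(HARDENED))
```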