Authentication for elasticsearch HTTP API
22. May 2014


There are plenty of plugins for elasticsearch that enable authentication for the HTTP API. All of them seem to be a bit beta. I decided to use httpd with mod_proxy to add authentication using PAM, an htpasswd file or host-based rules. This satisfies my needs for different use cases:

  • PAM – human interaction on API or Plugins
  • htpasswd – API-key style basic auth for scripted interaction from remote hosts
  • host-based – scripted interaction from localhost

Elasticsearch Configuration

You only need to configure elasticsearch to bind the HTTP API to localhost, port 9100. Edit your /etc/elasticsearch/elasticsearch.yml so that it contains the following:
http.port: 9100

Httpd Configuration

Bind elasticsearch to a different port (e.g. 9100) and only on the loopback interface, then configure httpd as follows:


Listen 9200

# load httpd modules if not already done
<IfModule !proxy_module>
        LoadModule proxy_module modules/
</IfModule>

<IfModule !mod_proxy_http.c>
        LoadModule proxy_http_module modules/
</IfModule>

<VirtualHost *:9200>
        # reverse proxy to localhost:9100
        # please ensure that the elasticsearch HTTP API is bound to localhost on port 9100
        ProxyRequests           off
        ProxyPreserveHost       On
        ProxyPass        / http://localhost:9100/
        ProxyPassReverse / http://localhost:9100/

        # define ACLs for HTTP API access
        # if this file doesn't exist, there is no authentication at all
        Include /etc/httpd/conf.d/elasticsearch-api-authorization.con[f]

        # define custom log files
        ErrorLog /data/logs/www/elasticsearch-api-error.log
        CustomLog /data/logs/www/elasticsearch-api-access.log combined
</VirtualHost>

  • IfModule loads the modules only if they aren’t already loaded
  • Include <Path> includes a separate authorization config file, shown below
  • <filename>.con[f] is a wildcard pattern, so the file is loaded only if it exists; otherwise there is no error


# load relevant modules
<IfModule !auth_pam_module>
        LoadModule auth_pam_module modules/
</IfModule>

<IfModule !auth_basic_module>
        LoadModule auth_basic_module modules/
</IfModule>

<IfModule !authn_file_module>
        LoadModule authn_file_module modules/
</IfModule>

<IfModule !authz_user_module>
        LoadModule authz_user_module modules/
</IfModule>

<Location />
        # block everything by default
        Order deny,allow
        Deny from all

        # allow from localhost without authentication
        Allow from

        AuthType Basic
        AuthBasicProvider file
        AuthName "Datacenter Account needed for elasticsearch administration"

        # allow PAM auth, but fall back to user-file auth if the user doesn't exist as a system user
        AuthPAM_Enabled on
        AuthPAM_FallThrough on

        # also use htpasswd file for api key auth
        AuthUserFile conf.d/elasticsearch_api_authorization.htpasswd

        Require valid-user

        # accept basic auth or "Allow from" directives
        Satisfy Any
</Location>

  • “Deny from all” means whitelisting: everything is blocked unless it is explicitly allowed
  • “AuthType Basic” specifies that mod_auth_basic is used
  • “AuthPAM_Enabled on” specifies that mod_auth_pam is used
  • “AuthPAM_FallThrough on” specifies that httpd asks the other auth modules if auth_pam failed (nice if you want to mix htpasswd file based auth with PAM auth)
  • “AuthUserFile” defines the htpasswd file
  • “Satisfy Any” specifies that only one of the given providers needs to confirm the credentials, instead of all of them (allows auth by host with “Allow from …” OR basic auth)

API-Key Authentication

Create the htpasswd file for the API-key user “token” with:

htpasswd -c /etc/httpd/conf.d/elasticsearch_api_authorization.htpasswd token

Authenticate via curl from remote host with:

curl -u token:mypassword http://my-elasticsearch-node:9200/_cluster/health
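
The vhost comment above notes that a missing include file means no authentication at all, and the CustomLog line writes the access log in combined format. The following Python script is an added example, not part of the original post: it audits that log for requests served to non-loopback clients without an authenticated user, and for clients with repeated 401 responses. The function names, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes ...
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def is_loopback(host):
    """True only for literal loopback addresses; anything else is remote."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(lines, fail_threshold=3):
    """Return (unauthenticated, repeated_401) findings for access-log lines.
    unauthenticated: (host, request) served with status < 400 and no auth
        user to a non-loopback client (expected only for "Allow from" hosts).
    repeated_401: hosts with at least fail_threshold 401 responses.
    """
    unauthenticated, failures = [], Counter()
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue  # not a combined-format line
        host, user, status = m["host"], m["user"], int(m["status"])
        if status == 401:
            failures[host] += 1
        elif status < 400 and user == "-" and not is_loopback(host):
            unauthenticated.append((host, m["request"]))
    repeated = sorted(h for h, n in failures.items() if n >= fail_threshold)
    return unauthenticated, repeated

# Constructed sample lines (documentation-range addresses), not real traffic.
TS = '[22/May/2014:10:00:00 +0200]'
SAMPLE = [
    f'127.0.0.1 - - {TS} "GET /_cluster/health HTTP/1.1" 200 230 "-" "curl"',
    f'192.0.2.10 - token {TS} "GET /_cluster/health HTTP/1.1" 200 230 "-" "curl"',
    f'198.51.100.7 - - {TS} "GET / HTTP/1.1" 401 381 "-" "curl"',
    f'198.51.100.7 - bob {TS} "GET / HTTP/1.1" 401 381 "-" "curl"',
    f'198.51.100.7 - bob {TS} "GET / HTTP/1.1" 401 381 "-" "curl"',
    f'203.0.113.5 - - {TS} "GET /_nodes HTTP/1.1" 200 512 "-" "curl"',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty first list for a host that is not covered by an “Allow from” rule means the proxy answered without checking credentials, which is what happens when the authorization include file is absent.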
