Install Elasticsearch on Ubuntu 22.04 | Secure Elasticsearch
This tutorial, brought to you by Orcacore, will guide you through the process of installing Elasticsearch on Ubuntu 22.04. You will also learn how to configure SSL for your Elasticsearch installation using an Nginx reverse proxy on Ubuntu 22.04.
Elasticsearch is a distributed, open-source search and analytics engine built on Apache Lucene and developed in Java.
Elasticsearch allows you to store, search, and analyze vast quantities of data quickly, providing near real-time responses. It achieves these rapid search times by searching an index rather than directly searching the text. It utilizes a document-oriented structure instead of tables and schemas and offers extensive REST APIs for data storage and retrieval. Fundamentally, Elasticsearch can be viewed as a server that processes JSON requests and returns JSON data.
Steps To Install and Configure Elasticsearch on Ubuntu 22.04
Before starting, ensure you are logged into your Ubuntu 22.04 server as a non-root user with sudo privileges. You can refer to our guide on Initial Server Setup with Ubuntu 22.04 for assistance.
You will also need a domain name pointed to your server’s IP address.
1. Install Elasticsearch on Ubuntu 22.04
First, update your local package index:
sudo apt update
Java is included with the Elasticsearch package, so manual installation is not required.
Import Elasticsearch GPG Key
Import the Elasticsearch repository’s GPG key:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
Add Elasticsearch Repository
Add the latest Elasticsearch repository for Ubuntu 22.04. Currently, the latest release is 8.x.
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
Install Elasticsearch
Update your local package index again:
sudo apt update
Install Elasticsearch on your Ubuntu server:
sudo apt install elasticsearch -y
Upon completion, the installer prints a summary that includes the password generated for the elastic superuser. Make sure to note it down; you will need it to authenticate against Elasticsearch below.
Start and Enable Elasticsearch Service
Elasticsearch doesn’t start automatically, so enable it to start on boot:
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
Verify Elasticsearch is running:
sudo systemctl status elasticsearch.service
**Output**
● elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor>
Active: **active** (**running**) since Tue 2022-11-01 09:55:22 UTC; 10s ago
Docs: https://www.elastic.co
Main PID: 3046 (java)
Tasks: 92 (limit: 4575)
Memory: 2.3G
CPU: 1min 16.643s
...
2. Configure Elasticsearch on Ubuntu 22.04
Restrict port 9200 from outside access by editing the elasticsearch.yml file. Open it with your preferred text editor (Vi or Nano):
sudo vi /etc/elasticsearch/elasticsearch.yml
Uncomment network.host and replace the value with your internal IP, any IP, or localhost:
network.host: INTERNAL_IP
Save and close the file, then restart Elasticsearch:
sudo systemctl restart elasticsearch
Test If Elasticsearch Works Correctly
Test your installation by sending an HTTPS request, attaching the certificate:
sudo su
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://INTERNAL_IP:9200
Enter the elastic user’s password when prompted. The response is a JSON document describing the node, confirming that Elasticsearch is working correctly.
3. Configure Nginx For Elasticsearch on Ubuntu 22.04
Install Nginx:
sudo apt install nginx -y
Configure Nginx as a reverse proxy. Remove the default Nginx configurations:
sudo rm /etc/nginx/sites-available/default
sudo rm /etc/nginx/sites-enabled/default
Create a new Nginx configuration file:
sudo vi /etc/nginx/sites-available/search.conf
Add the following content, ensuring that INTERNAL_IP matches the network.host value in the Elasticsearch configuration. Elasticsearch 8.x serves port 9200 over HTTPS (which is why the curl test above needs the CA certificate), so the proxy must connect over https and should verify the node's certificate against that CA:
server {
    listen [::]:80;
    listen 80;
    server_name your-domain;

    location / {
        # Elasticsearch 8.x listens with TLS on 9200; verify its auto-generated CA
        # (the node certificate includes the node's own IP addresses in its SAN).
        proxy_pass https://INTERNAL_IP:9200;
        proxy_ssl_trusted_certificate /etc/elasticsearch/certs/http_ca.crt;
        proxy_ssl_verify on;
        proxy_redirect off;
        proxy_read_timeout 90;
        proxy_connect_timeout 90;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}
Save and close the file. Enable the Nginx configuration:
sudo ln -s /etc/nginx/sites-available/search.conf /etc/nginx/sites-enabled/search.conf
4. Set up Certbot Nginx for Elasticsearch
Install Certbot for Let’s Encrypt SSL certificates:
sudo apt install python3-certbot-nginx -y
Obtain SSL certificates:
sudo certbot --nginx --agree-tos --no-eff-email --redirect -m youremail@email.com -d domainname.com
Renew SSL Certificates
Let’s Encrypt certificates are valid for 90 days. Renew them regularly:
sudo certbot renew --dry-run
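A dry run proves that renewal can work, not that it keeps working; a check on the certificate's remaining lifetime catches a broken renewal timer well before the certificate expires. The script below is an added example, not code from the article or from Certbot: it uses `openssl x509 -checkend` on a throwaway 30-day self-signed certificate generated locally for the article's placeholder domainname.com, so it runs offline, and reports OK, RENEWAL OVERDUE (fewer than 20 days left, a threshold chosen here to sit below Certbot's 30-day renewal window) or EXPIRED. On a real host, point it at /etc/letsencrypt/live/<domain>/cert.pem instead.

```shell
#!/bin/sh
# Monitor a certificate's remaining lifetime to confirm that certbot renewal
# is actually happening. Added example, not from the article.
# The certificate below is a constructed, throwaway self-signed one so the
# script runs offline; replace SAMPLE_CERT with the live certificate path.

WORKDIR=$(mktemp -d)
SAMPLE_CERT="$WORKDIR/cert.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=domainname.com" \
    -keyout "$WORKDIR/key.pem" -out "$SAMPLE_CERT" >/dev/null 2>&1

# cert_expires_within CERT DAYS: succeed if CERT will have expired DAYS days from now.
cert_expires_within() {
    # `-checkend N` exits 0 while the cert is still valid N seconds from now, 1 otherwise,
    # so the negation gives "expires within the window".
    ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null
}

# Certbot's timer renews once fewer than 30 days remain; a certificate with
# fewer than RENEW_ALERT_DAYS left therefore means renewal has been failing.
RENEW_ALERT_DAYS=20

# renewal_status CERT: print OK / RENEWAL OVERDUE / EXPIRED, exit 0 / 1 / 2.
renewal_status() {
    if cert_expires_within "$1" 0; then
        echo "EXPIRED"; return 2
    elif cert_expires_within "$1" "$RENEW_ALERT_DAYS"; then
        echo "RENEWAL OVERDUE"; return 1
    else
        echo "OK"; return 0
    fi
}

openssl x509 -noout -subject -enddate -in "$SAMPLE_CERT"
renewal_status "$SAMPLE_CERT"
```

Run it from cron or a monitoring agent and alert on a non-zero exit status; the dry run above only tells you that Certbot could renew at the moment you ran it.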
Conclusion
You have now learned how to install Elasticsearch on Ubuntu 22.04 and configure SSL for your Elasticsearch installation with an Nginx reverse proxy.
Alternative Solutions for Securing Elasticsearch on Ubuntu 22.04
While the Nginx reverse proxy approach is effective, here are two alternative methods for securing your Elasticsearch installation on Ubuntu 22.04:
1. Using Elasticsearch’s Built-in Security Features (Elasticsearch Security)
Elasticsearch offers built-in security features that can be configured directly within Elasticsearch itself. This eliminates the need for a separate reverse proxy like Nginx for authentication and authorization. While this approach requires more configuration within Elasticsearch, it provides a more integrated security solution. This is also the method suggested by Elastic themselves.
Explanation:
Elasticsearch Security provides features like:
- Authentication: Verifying the identity of users. This can be done via native realm (username/password), LDAP, Active Directory, or other authentication providers.
- Authorization: Controlling what users can access and do within Elasticsearch through role-based access control (RBAC).
- TLS Encryption: Encrypting communication between Elasticsearch nodes and clients.
- Audit Logging: Tracking security-related events for auditing purposes.
Steps:
- Enable Security Features: This typically involves editing the `elasticsearch.yml` file. You’ll need to set `xpack.security.enabled: true`. This is a fundamental step to activate the security features.
- Set Up User Authentication: Create users with specific roles. The `elasticsearch-setup-passwords` tool simplifies this process. You’ll use this tool to set passwords for built-in users like `elastic`, `kibana_system`, and `apm_system`.
- Configure TLS: Generate certificates for your Elasticsearch nodes and configure TLS in `elasticsearch.yml`. This ensures secure communication.
- Define Roles and Permissions: Create roles with specific privileges and assign them to users. This is crucial for implementing RBAC.
- Configure Kibana (Optional): If you’re using Kibana, configure it to authenticate with Elasticsearch.
Example `elasticsearch.yml` snippet:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /path/to/your/keystore.jks
xpack.security.transport.ssl.truststore.path: /path/to/your/truststore.jks
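The snippet above and the network.host change from step 2 can be checked mechanically before restarting the service. The script below is an added example, not code from the article or from Elastic: it reads a flat `elasticsearch.yml`, reports the settings that weaken the install, and exercises itself against two configurations constructed here, one with security switched off and one matching the article's settings (10.0.0.5 stands in for INTERNAL_IP). Only the setting names are real Elasticsearch keys; every value is a sample.

```shell
#!/bin/sh
# Audit a flat elasticsearch.yml for the settings this article touches
# (network.host and xpack.security.*). Added example, not from the article or
# from Elastic. Both configs below are constructed for the demonstration.

WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed: security switched off, bound to every interface
cluster.name: my-application
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: false
xpack.security.transport.ssl.verification_mode: none
EOF

HARDENED_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
# constructed: the article's settings, INTERNAL_IP replaced by a sample address
cluster.name: my-application
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /path/to/your/keystore.jks
xpack.security.transport.ssl.truststore.path: /path/to/your/truststore.jks
#xpack.security.audit.enabled: true
EOF

# es_setting FILE KEY: print the effective (last, uncommented) value of KEY.
# Handles the flat "key: value" form Elasticsearch ships with, not nested YAML.
es_setting() {
    awk -v key="$2" '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments and commented-out keys
            idx = index(line, ":")
            if (idx == 0) next
            k = substr(line, 1, idx - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr(line, idx + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)                 # strip surrounding double quotes
            val = v                              # a later occurrence overrides an earlier one
        }
        END { if (val != "") print val }' "$1"
}

# es_audit FILE: print one finding per line; the exit status is the number of findings.
es_audit() {
    file="$1"; n=0
    case "$(es_setting "$file" network.host)" in
        0.0.0.0|::)
            echo "network.host binds every interface; port 9200 must then be restricted by the firewall or reverse proxy"
            n=$((n + 1)) ;;
    esac
    # 8.x defaults xpack.security.enabled to true, so only an explicit false is a finding.
    if [ "$(es_setting "$file" xpack.security.enabled)" = "false" ]; then
        echo "xpack.security.enabled is false: no authentication and no TLS"; n=$((n + 1))
    fi
    for layer in http transport; do
        if [ "$(es_setting "$file" xpack.security.$layer.ssl.enabled)" != "true" ]; then
            echo "xpack.security.$layer.ssl.enabled is not true: $layer traffic is plaintext"; n=$((n + 1))
        fi
    done
    if [ "$(es_setting "$file" xpack.security.transport.ssl.verification_mode)" = "none" ]; then
        echo "transport verification_mode is none: node certificates are accepted unverified"; n=$((n + 1))
    fi
    return "$n"
}

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $cfg"
    es_audit "$cfg" && echo "   clean" || echo "   $? finding(s)"
done
```

On a live node, `es_audit /etc/elasticsearch/elasticsearch.yml` runs the same checks; a non-zero exit status makes it usable as a pre-restart gate in a deployment script.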
Code Example (Setting up passwords):
sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
This command will guide you through setting passwords for the built-in users.
Advantages:
- Integrated security solution.
- Fine-grained control over access and permissions.
- Eliminates the need for a separate reverse proxy for authentication.
Disadvantages:
- More complex configuration compared to using a reverse proxy.
- Requires understanding of Elasticsearch’s security concepts.
2. Using a Firewall (UFW)
Ubuntu’s built-in firewall, UFW (Uncomplicated Firewall), can provide a basic layer of security by restricting access to Elasticsearch’s port (9200) to only authorized IP addresses. While this doesn’t provide authentication, it can significantly reduce the attack surface by preventing unauthorized connections. This is a simple, but less secure, alternative.
Explanation:
UFW allows you to define rules that control network traffic based on IP addresses, ports, and protocols. By default, UFW blocks all incoming traffic. You can then create rules to allow specific traffic, such as SSH connections or access to Elasticsearch from trusted IP addresses.
Steps:
- Enable UFW: If UFW is not already enabled, enable it using `sudo ufw enable`.
- Allow SSH Connections: Ensure you allow SSH connections before blocking all other traffic, otherwise you’ll lock yourself out of the server. Use `sudo ufw allow ssh`.
- Allow Elasticsearch Access from Specific IP Addresses: Use `sudo ufw allow from <IP_ADDRESS> to any port 9200`. Replace `<IP_ADDRESS>` with the IP address of the client that needs to access Elasticsearch. You can add multiple rules for different IP addresses.
- Deny Access from All Other IP Addresses: (Optional, but recommended) Use `sudo ufw default deny incoming` to deny all incoming traffic by default. This ensures that only the explicitly allowed IP addresses can access Elasticsearch.
- Enable the Firewall: Use `sudo ufw enable` to enable the firewall.
Code Example:
sudo ufw enable
sudo ufw allow ssh
sudo ufw allow from 192.168.1.100 to any port 9200
sudo ufw default deny incoming
sudo ufw enable
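A single broader rule added later (for example an unqualified allow on port 9200) silently undoes the source restriction above, so it pays to audit the resulting rule set rather than trust the commands that were typed. The functions below are an added example, not part of the article: they parse `ufw status` output and flag any ALLOW rule that opens a port to Anywhere. Two listings are constructed inline so the script runs offline; one matches the article's rules, the other adds the mistake to catch. Port 9200 and 192.168.1.100 are taken from the article's example.

```shell
#!/bin/sh
# Check a `ufw status` listing for rules that expose a port to every source.
# Added example, not from the article. Both listings are constructed to mirror
# `sudo ufw status` output.

# The article's intended state: 9200 reachable from one trusted client only.
RESTRICTED_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
9200                       ALLOW       192.168.1.100
22/tcp (v6)                ALLOW       Anywhere (v6)'

# The same host after an unqualified allow on 9200 was added on top.
EXPOSED_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
9200                       ALLOW       192.168.1.100
9200                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
9200 (v6)                  ALLOW       Anywhere (v6)'

# rule_sources PORT LISTING MODE
#   MODE=world: print the "From" column of ALLOW rules for PORT that are open to Anywhere
#   MODE=hosts: print the specific addresses/networks allowed to reach PORT
rule_sources() {
    printf '%s\n' "$2" | awk -v port="$1" -v mode="$3" '
        # Data rows look like "<port>[/proto][ (v6)]  ALLOW[ IN]  <from>";
        # the header and any DENY/REJECT rows do not match and fall through.
        match($0, /^[0-9]+(\/[a-z]+)?( \(v6\))?[ \t]+ALLOW( IN)?[ \t]+/) {
            to = $1; sub(/\/.*/, "", to)          # "22/tcp" -> "22"
            if (to != port) next
            from = substr($0, RSTART + RLENGTH)   # everything after the action column
            sub(/[ \t]+$/, "", from)
            world = (from ~ /^Anywhere/)          # "Anywhere" or "Anywhere (v6)"
            if ((mode == "world" && world) || (mode == "hosts" && !world)) print from
        }'
}

# port_is_restricted PORT LISTING: succeed when no ALLOW rule opens PORT to Anywhere.
port_is_restricted() {
    [ -z "$(rule_sources "$1" "$2" world)" ]
}

# report PORT LISTING: one-line verdict for the port.
report() {
    if port_is_restricted "$1" "$2"; then
        echo "$1: reachable only from $(rule_sources "$1" "$2" hosts | tr '\n' ' ')"
    else
        echo "$1: OPEN TO THE WORLD via $(rule_sources "$1" "$2" world | tr '\n' ' ')"
    fi
}

report 9200 "$RESTRICTED_UFW_STATUS"
report 9200 "$EXPOSED_UFW_STATUS"
```

On the server itself, feed the live rule set with `port_is_restricted 9200 "$(sudo ufw status)"`; the exit status makes the check easy to wire into a periodic compliance job.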
Advantages:
- Simple to configure.
- Provides a basic layer of security.
- Reduces the attack surface by blocking unauthorized connections.
Disadvantages:
- Does not provide authentication or authorization.
- Less secure than using Elasticsearch Security or a reverse proxy with authentication.
- Difficult to manage if you need to allow access from many different IP addresses.
Both Elasticsearch Security and UFW offer alternative approaches to securing your Elasticsearch installation on Ubuntu 22.04, each with its own advantages and disadvantages. Choose the method that best suits your security requirements and technical expertise. Remember that securing your Elasticsearch installation is crucial for protecting your data and preventing unauthorized access.