Ajouter un commentaire

Sécuriser ElasticSearch/Kibana

Soumis par kacy le

J'ai mis en place LogStash + ElasticSearch + Kibana au boulot pour une console de centralisation des logs.

Ça marche plutôt pas mal, par contre une fois le POC en place, il est nécessaire de le sécuriser, en effet, par défaut ES est accessible via HTTP et du coup n'importe qui peut "tout péter"...

Donc la première chose à faire, c'est de "proxifier" l'accès à ES afin de contrôler les verbes accessibles, ce que fait la conf Apache ci-dessous.

<VirtualHost *:9201>
    ProxyPassMatch / http://127.0.0.1:9200
    ProxyPassReverse / http://127.0.0.1:9200
    <LocationMatch "^(/.*)$">
        <Limit DELETE PUT>
            Order deny,allow
            Deny from all
        </Limit>
    </LocationMatch>
    <LocationMatch "^(/_aliases|.*/_search|.*/_mapping)$">
        <Limit DELETE PUT>
            Order deny,allow
            Deny from all
        </Limit>
    </LocationMatch>
    <LocationMatch "^(/_cluster.*|/_plugin.*|/_status.*|/_nodes)$">
        <Limit GET POST PUT DELETE CONNECT OPTIONS PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
            Order deny,allow
            Deny from all
        </Limit>
    </LocationMatch>
    <LocationMatch "^(/kibana-int/dashboard/|/kibana-int/temp).*$">
        <Limit DELETE PUT>
            Order deny,allow
            Deny from all
        </Limit>
    </LocationMatch>
</VirtualHost>

En parallèle j'ai aussi bloqué les ports ES (9200/9300) via le firewall linux (iptables) afin que ces derniers ne soient accessibles qu'a partir des machines autorisées (appartenant au cluster ES).

Ca n'est pas parfait mais c'est un début !

Next step : activer l'authentification via LDAP en HTTPS et du coup autoriser certains verbes en fonction des groupes LDAP de l'utilisateur.

MAJ 26/10/2016 : modif pour ne pas autoriser l'accès aux URI de fonctionnement interne.

Plus d'information sur les formats de texte

Filtered HTML

  • Flickr Filter options. expand / collapse
    Insert a Flickr photo. A working example:
    • [flickr-photo:id=7357144724, size=m, mintitle=999, minmetadata=999] (accepts only the parameters id, class, style, size, mintitle and minmetadata)
    To float single photos use [flickr-photo:id=9247386562, class="floatright"], [flickr-photo:id=9247388074, style="float:left;"] or use the AutoFloat module (recommended).

    Insert a Flickr album. Working examples:
    • [flickr-photoset:id=72157634563269642, size=s, num=8, tags=kids/men, media=all, sort=random, count=false, mintitle=999, minmetadata=999, heading=none]
    • [flickr-gallery:id=72157648989290536, size=q, num=4, sort=views]
    • [flickr-group:id=91484156@N00, size=q, num=8, tags=flowers, media=all, sort=random, count=false, mintitle=999, minmetadata=999, heading=none]
    • [flickr-user:id=lolandese1, size=q, num=6, tags=kids/men, media=all, sort=random, count=false, mintitle=999, minmetadata=999, heading=none]
    • [flickr-user:id=public, size=q, num=10,tags=Augusto Canario, filter=interesting, sort=views, extend=true]
    • [flickr-user:id=public, size=q, num=8,location=48.867556/2.364088, date=2015-01-11, filter=interesting, sort=views]
    • [flickr-favorites:id=lolandese, size=q, num=4, tags=tomosborn/people, media=all, sort=random, count=false, mintitle=999, minmetadata=999, heading=none]

    Common sizes:
    s : small square 75
    t : thumbnail, 100 on longest side
    q : big square 150     		m : small, 240 on longest side
    n : small, 320 on longest side
    - : medium, 500 on longest side     		x: Responsive slideshow (for group, set and user IDs only)
    y: Basic responsive slideshow (for set and user IDs only)
    The 'c' size (800px) is missing on Flickr images uploaded before March 1, 2012. Photos with non existing sizes will be skipped in albums.

    TIP: Not only the node body but also blocks make use of a text format. Build your own custom Flickr album block using the Flickr Filter syntax.

    PARAMETER EXAMPLES. Omitting a parameter will result in the default value to be used.
    id=lolandese1 : A photo, set, user or group ID. id=public grabs CC licensed public photos (only for [flickr-user:...]). Default: id=k4cy (set in config).
      Find a Flickr group ID. Valid ID values: numeric ID (the one that contains a '@'), path alias, Flickr username or the user's email.
    class="floatleft foo bar" : Syntax as in HTML. Wrap the value in quotes (or not) and put spaces between multiple classes.
      Applies to the outer HTML element of a photo or album.
    style="float:left; border:solid 2px;" : Syntax as in HTML. Wrap the value in quotes (or not) and put semicolons between different style declarations.
      Applies to the outer HTML element of a photo or album.
    size=q : Big square (150px). The sizes x and y display a slideshow and ignore number, media, tags, location and sort settings.
      Default single photo: size=m, album photo: size=s (both set in config).
    num=4 : Display 4 photos. Default: num=30 (set in config). For albums only.
      If set to 1, the single image will behave as such. Heading and counter will be omitted, and float might apply.
      Used to display a single changing random or recent image.
    media=all : Display both photos and videos. Default: media=photos. For albums only.
    tags=kids/men : Separate multiple tags with a slash (/). Display all set, group or user photos that contain the indicated tags.
      Case insensitive, matches any tag, for photosets and galleries even partial. You can exclude results that match a term by prepending it with a - character.
      Public albums will only display photos that match all tags. Like on Flickr spaces are removed from tags (e.g. 'Victoria park' becomes 'victoriapark').
      For albums only.
    extend=true : Extend the tag filter to search for matching terms also in the Flickr photo title and description besides Flickr tags.
      Default: extend=true (set in config). For albums only.
    tag_mode=all : Matches 'all' defined tags (AND). The other possible value is 'any' (OR).
      If this parameter is omitted, 'all' is used if no Flickr user ID is known (public search), otherwise 'any' is used. For albums only.
    location=48.85837/2.294481/0.2 : Display photos within 200 mt from the Eiffel Tower. Lat/lon/radius (in km). Separate values with a slash (/).
      To get the coordinates for a location, right-click on a Google map and choose 'What's here?' or copy/paste it from the URL.
      Substitute the comma (,) with a slash (/). Optionally add a radius to force a major number of results to filter on (max. 32 km).
      If the radius is omitted it defaults to 14 meter and gradually expands to 32 km until a sufficient number of results are returned.
      Besides decimal coordinates also degrees are accepted, e.g. 2° 21' 50.72". For user and group albums only, also public.
    date=2015-01-11 : Display photos taken on 11 January 2015.
      Many accepted date formats (e.g. '11 Jan 2015'), also relative formats (e.g. 'first day of last month | last day of last month').
      Separate two date values with a vertical bar (|) to cover a timespan of multiple days. For user and group albums only, also public.
      Tip: Use a date in combination with a location to grab public photos of an event.
    heading=h3 : Wraps the album title in HTML tags. Use 'p' to apply no style or 'none' to suppress the title. Default heading=p (set in config). For albums only.
    sort=views : Display the most viewed Flickr photos first (popularity, slower response after cache clear).
      Other values: unsorted = recent as delivered by the Flickr API (fastest response),
      random (slower response after cache clear), taken (newest first), posted (newest first) , added (for groups only, newest first) and id (on photo ID, newest first).
      Default: sort=unsorted. For albums only.
    filter=interesting : Display the most interesting photos. Other possible value: relevant. For user and group albums only, also public.
    count=false : Suppress display of the counter under the album (e.g. 5 out of 124 on Flickr). Default: count=true (set in config). For albums only.
    mintitle=999 : Suppress display of the title in the photo captions for images below a width of 999 px. Default: mintitle=100 (set in config).
    minmetadata=999 : Suppress display of the metadata in the photo captions for images below a width of 999 px. Default: minmetadata=150 (set in config).
  • Tags HTML autorisés : <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <p> <code> <bash> <java> <apache>
  • Les lignes et les paragraphes vont à la ligne automatiquement.
  • Vous pouvez activer la coloration syntaxique du code source à l'aide des balises suivantes: <code>, <blockcode>, <apache>, <bash>, <html>, <ini>, <java>, <php>, <properties>, <sql>. The supported tag styles are: <foo>, [foo].
  • Les adresses de pages web et de courriels sont transformées en liens automatiquement.

Plain text

  • Aucune balise HTML autorisée.
  • Les adresses de pages web et de courriels sont transformées en liens automatiquement.
  • Les lignes et les paragraphes vont à la ligne automatiquement.
CAPTCHA
Cette question permet de s'assurer que vous êtes un utilisateur humain et non un logiciel automatisé de relou.
4 + 0 =
Trouvez la solution de ce problème mathématique simple et saisissez le résultat. Par exemple, pour 1 + 3, saisissez 4.