This topic discusses an example of securing communication between your web server and search engine (Elasticsearch or OpenSearch) using a combination of Transport Layer Security (TLS) encryption and HTTP basic authentication. You can optionally configure other types of authentication as well; we provide references for that information.
(An older term, Secure Sockets Layer (SSL), is frequently used interchangeably with TLS. In this topic, we refer to TLS.)
Unless otherwise noted, all commands in this topic must be entered as a user with root
privileges.
We recommend the following:
Your web server uses TLS.
TLS is beyond the scope of this topic; however, we strongly recommend you use a real certificate in production and not a self-signed certificate.
Your search engine runs on the same host as a web server. Running the search engine and the web server on different hosts is beyond the scope of this topic.
The advantage of putting search engine and the web server on the same host is that it makes intercepting encrypted communication impossible. The search engine web server does not have to be the same as the Adobe Commerce or Magento Open Source web server; for example, Adobe Commerce can run Apache and Elasticsearch/OpenSearch can run nginx.
If the search engine is exposed to the public web, you should configure authentication. If your search engine instance is protected within your network, this may not be necessary. Work with your hosting provider to determine which security measures you should implement to protect your instance.
See one of the following resources:
Apache
Nginx
OpenSearch support was added in 2.4.4. OpenSearch is a compatible fork of ElasticSearch. See Migrate ElasticSearch to OpenSearch for more information.
This section discusses how to configure Apache as an unsecure proxy so that Adobe Commerce can use a search engine running on this server. This section does not discuss setting up HTTP Basic authentication; that is discussed in Secure communication with Apache.
The reason the proxy is not secured in this example is that it is easier to set up and verify. You can use TLS with this proxy. If you wish to do so, make sure you add the proxy information to your secure virtual host configuration.
This section discusses how to configure a proxy using a virtual host.
Enable mod_proxy
as follows:
a2enmod proxy_http
Use a text editor to open /etc/apache2/sites-available/000-default.conf
Add the following directive at the top of the file:
Listen 8080
Add the following at the bottom of the file:
<VirtualHost *:8080>
ProxyPass "/" "http://localhost:9200/"
ProxyPassReverse "/" "http://localhost:9200/"
</VirtualHost>
Restart Apache:
service apache2 restart
Verify the proxy works by entering the following command:
curl -i http://localhost:<proxy port>/_cluster/health
For example, if you are using Elasticsearch and your proxy uses port 8080:
curl -i http://localhost:8080/_cluster/health
Messages similar to the following display to indicate success:
HTTP/1.1 200 OK
Date: Tue, 23 Feb 2019 20:38:03 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 389
Connection: keep-alive
{"cluster_name":"elasticsearch","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":5,"active_shards":5,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":5,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":50.0}
This section discusses how to secure communication between Apache and the search engine using HTTP Basic authentication with Apache. For more options, consult one of the following resources:
See one of the following sections:
For security reasons, you can locate the password file anywhere except your web server docroot. In this example, we show how to store the password file in a new directory.
First, see if you have the Apache htpasswd
utility is installed as follows:
Enter the following command to determine if htpasswd
is already installed:
which htpasswd
If a path displays, it is installed; if the command returns no output, htpasswd
is not installed.
If necessary, install htpasswd
:
apt-get -y install apache2-utils
yum -y install httpd-tools
Enter the following commands as a user with root
privileges:
mkdir -p /usr/local/apache/password
htpasswd -c /usr/local/apache/password/.<password file name> <username>
Where
<username>
can be:
Setting up cron: the web server user or another user.
In this example, we use the web server user, but the choice of user is up to you.
Setting up Elasticsearch: the user is named magento_elasticsearch
in this example
<password file name>
must be a hidden file (starts with .
) and should reflect the name of the user. See the examples later in this section for details.
Follow the prompts on your screen to create a password for the user.
Example 1: cron
You must set up authentication for only one user for cron; in this example, we use the web server user. To create a password file for the web server user, enter the following commands:
mkdir -p /usr/local/apache/password
htpasswd -c /usr/local/apache/password/.htpasswd apache
Example 2: Elasticsearch
You must set up authentication for two users: one with access to nginx and one with access to Elasticsearch. To create password files for these users, enter the following commands:
mkdir -p /usr/local/apache/password
htpasswd -c /usr/local/apache/password/.htpasswd_elasticsearch magento_elasticsearch
To add another user to your password file, enter the following command as a user with root
privileges:
htpasswd /usr/local/apache/password/.htpasswd <username>
This section discusses how to set up HTTP Basic authentication. Use of TLS and HTTP Basic authentication together prevents anyone from intercepting communication with Elasticsearch or OpenSearch or with your application server.
This section discusses how to specify who can access the Apache server.
Use a text editor to add the following contents to your secure virtual host.
/etc/apache2/sites-available/default-ssl.conf
<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
AuthName "Elasticsearch Server" # or OpenSearch Server
AuthBasicProvider file
AuthUserFile /usr/local/apache/password/.htpasswd_elasticsearch
Require valid-user
# This allows OPTIONS-requests without authorization
<LimitExcept OPTIONS>
Require valid-user
</LimitExcept>
</Proxy>
If you added the preceding to your secure virtual host, remove Listen 8080
and the <VirtualHost *:8080>
directives you added earlier to your unsecure virtual host.
Save your changes, exit the text editor, and restart Apache:
service httpd restart
service apache2 restart
This section discusses two ways to verify that HTTP Basic authentication is working:
curl
command to verify you must enter a username and password to get cluster statuscurl
command to verify cluster statusEnter the following command:
curl -i http://<hostname, ip, or localhost>:<proxy port>/_cluster/health
For example, if you enter the command on the search engine server and your proxy uses port 8080:
curl -i http://localhost:8080/_cluster/health
The following message displays to indicate authentication failed:
HTTP/1.1 401 Unauthorized
Date: Tue, 23 Feb 2016 20:35:29 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Restricted"
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
</body>
</html>
Now try the following command:
curl -i -u <username>:<password> http://<hostname, ip, or localhost>:<proxy port>/_cluster/health
For example:
curl -i -u magento_elasticsearch:mypassword http://localhost:8080/_cluster/health
This time the command succeeds with a message similar to the following:
HTTP/1.1 200 OK
Date: Tue, 23 Feb 2016 20:38:03 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 389
Connection: keep-alive
{"cluster_name":"elasticsearch","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":5,"active_shards":5,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":5,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":50.0}
Perform the same tasks as discussed in Search engine configuration except click Yes from the Enable HTTP Auth list and enter your username and password in the provided fields.
Click Test Connection to make sure it works and then click Save Config.
You must flush the cache and reindex before you continue.