How to secure an Internet-facing Elastic Search implementation in a shared hosting environment? [closed]


A plugin for elasticsearch that allows you to replace the HTTP transport with an embedded instance of Jetty is now available.

Because it uses Jetty to handle the HTTP transport, it can handle SSL connections as well as be configured for authentication.


(Note: the following is still sound advice, in that it's generally good practice to abstract your operations out in this manner.)

After a number of discussions on the ElasticSearch mailing list, I've discovered that the current solution is to host ElasticSearch behind another application layer and then to secure that layer.

The reasoning is solid; ElasticSearch is akin to a database, and you wouldn't make your database public-facing to all.

Something that I (and others) trip up on is thinking that, because ElasticSearch uses HTTP as a transport and JSON as the syntax for operations, ElasticSearch is meant to be public-facing.

However, there is currently a request to add HTTPS transport support (assuming a certificate is provided) along with basic (digest) authentication.
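A sketch of the "application layer in front of ElasticSearch" approach described in the answer above, as an added example that is not part of the original answer or of any ElasticSearch project code. It assumes ElasticSearch is bound to loopback on its default HTTP port 9200 and that TLS is terminated in front of this listener; the token header, the index names and the listening port are hypothetical.

```python
import hmac
import re
from urllib.request import Request, urlopen
from wsgiref.simple_server import make_server

ES_BACKEND = "http://127.0.0.1:9200"         # assumption: ES reachable on loopback only
API_TOKEN = "change-me"                      # constructed placeholder secret
ALLOWED_INDICES = {"products", "articles"}   # hypothetical index names
SEARCH_PATH = re.compile(r"/([a-z0-9_-]+)/_search")

def authorize(method, path, token):
    """Return (status, reason); only authenticated searches on allowed indices pass."""
    if not hmac.compare_digest(token.encode(), API_TOKEN.encode()):
        return 401, "bad or missing token"
    if method not in ("GET", "POST"):
        return 405, "method not allowed"
    match = SEARCH_PATH.fullmatch(path)      # no dots or extra slashes can slip through
    if not match:
        return 403, "only /<index>/_search is exposed"
    if match.group(1) not in ALLOWED_INDICES:
        return 403, "index not exposed"
    return 200, "ok"

def app(environ, start_response):
    """WSGI entry point: gate the request, then relay it to the backend."""
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "")
    status, reason = authorize(method, path, environ.get("HTTP_X_API_TOKEN", ""))
    if status != 200:
        start_response(f"{status} Denied", [("Content-Type", "text/plain")])
        return [reason.encode()]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length) if length else None
    req = Request(ES_BACKEND + path, data=body, method=method,
                  headers={"Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=5) as resp:
            payload = resp.read()
    except OSError:  # URLError and HTTPError both derive from OSError
        start_response("502 Bad Gateway", [("Content-Type", "text/plain")])
        return [b"backend error"]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [payload]

if __name__ == "__main__":
    # Query strings are deliberately not forwarded; only the vetted path is.
    make_server("0.0.0.0", 8080, app).serve_forever()
```

Everything that is not an authenticated `_search` on an allow-listed index is refused before it reaches the backend, so index deletion, mapping changes and cluster endpoints are never exposed through this layer.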


You'll have to firewall the machine in some way, permitting only the traffic from the appserver, e.g. using iptables on Linux, or some kind of personal firewall on Windows.

This takes you into serverfault.com territory, though - there isn't a programming solution to this one.