
Use Nginx as proxy to prevent create/update/delete operations on ElasticSearch via JavaScript client-side


You should also take care about connections to the different elasticsearch locations like

  • _cluster
  • _nodes
  • _shutdown

You can find more information about a working (and secure) setup of nginx and elasticsearch in the documentation => http://www.elasticsearch.org/blog/playing-http-tricks-nginx/


Thank you, I wasn't aware that you have to protect Elastic X_X

I found a few more _commands via Kibana that you don't normally need and can be blacklisted, in the sense that you can enter a password if you do need it.

# 2020-01-07
# Whitelist: _count, _mget, _search
# Greylist (blacklisted anyway): _analyze, _msearch, _validate
# Blacklist:
location ~* /_(aliases|all|analyze|bulk|cache|cluster|data_frame|delete_by_query|field_caps|flush|forcemerge|ilm|ingest|license|mapping|mappings|migration|ml|monitoring|msearch|mtermvectors|nodes|refresh|scripts|security|shutdown|snapshot|sql|tasks|template|upgrade|update_by_query|validate|watcher)
{
    auth_basic "Elastic1";
    auth_basic_user_file /etc/nginx/.htpasswd;  # create with Apache tool htpasswd
    include proxy_params;
    proxy_cookie_domain <HOSTNAME> $server_name;
    proxy_pass http://10.0.0.1:9201;
}

location /
{
    # Blacklist: CONNECT, DELETE, PATCH, PUT, TRACE
    # Whitelist:
    limit_except GET HEAD OPTIONS POST
    {
        auth_basic "Elastic1";
        auth_basic_user_file /etc/nginx/.htpasswd;  # create with Apache tool htpasswd
    }
    include proxy_params;
    proxy_cookie_domain <HOSTNAME> $server_name;
    proxy_pass http://10.0.0.1:9201;
}
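Both posts above work from a blocklist: the first names _cluster, _nodes and _shutdown, the second enumerates a longer list of path prefixes and denies the write methods. A blocklist has to be kept complete by hand, and with POST on the method whitelist a request such as POST /<index>/_doc or POST /<index>/_update/<id> (which indexes or updates a document) matches neither the path regex nor the method rule and is proxied through. The configuration below is an added example, not taken from the thread, that inverts the approach into an allow-list with a default 403, so every endpoint that is not explicitly listed, including the ones from the first answer, is refused without having to be named. The backend address 10.0.0.1:9201 and the htpasswd path come from the post; the listen ports, the upstream name and the server_name are assumptions.

```nginx
# Added example, not the thread's own configuration.
# Assumptions: backend 10.0.0.1:9201 and /etc/nginx/.htpasswd from the post;
# ports 8080/8081, the upstream name and server_name are invented here.
upstream elasticsearch_backend {
    server 10.0.0.1:9201;
}

# Public, read-only listener for the browser-side JavaScript client.
server {
    listen 8080;
    server_name es-proxy.example.internal;   # assumed

    # Default deny. This covers _cluster, _nodes, _shutdown, _bulk, _update,
    # _delete_by_query and every other endpoint not allowed below, whatever
    # the HTTP method, because regex locations below only win when they match.
    location / {
        return 403;
    }

    # Query endpoints, optionally prefixed by an index name or a
    # comma-separated index list. POST is allowed here only because _search,
    # _count and _mget carry the query in the request body; none of these
    # paths can create, update or delete documents.
    location ~ ^/([a-z0-9][a-z0-9_,.*-]*/)?_(search|count|mget)(/|$) {
        limit_except GET HEAD POST {
            deny all;
        }
        proxy_pass http://elasticsearch_backend;
    }

    # Fetching one document by id: read methods only. PUT, POST and DELETE on
    # /<index>/_doc/<id> would write, so they are refused with 403.
    location ~ ^/[a-z0-9][a-z0-9_.-]*/_doc/[^/]+$ {
        limit_except GET HEAD {
            deny all;
        }
        proxy_pass http://elasticsearch_backend;
    }
}

# Administrative access keeps the post's basic-auth approach, but on a
# separate listener that is only reachable locally (or over a VPN), so the
# password prompt never has to be exposed on the public port.
server {
    listen 127.0.0.1:8081;   # assumed: not reachable from the browser clients

    auth_basic "Elastic1";
    auth_basic_user_file /etc/nginx/.htpasswd;   # create with htpasswd, as in the post

    location / {
        proxy_pass http://elasticsearch_backend;
    }
}
```

Two points about the design: `limit_except ... { deny all; }` refuses the unlisted methods with 403 instead of asking for a password, which is the behaviour you want on a port that anonymous browsers talk to; and because a `/_search/scroll` request matches the `_search/` branch, scrolling still works for reads while `DELETE /_search/scroll` is refused by the method rule. If you also need _msearch, add it to the same alternation; it is read-only in the same way as _search.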