Secure elasticsearch cluster

Secure elasticsearch cluster with ssh port forwarding

(λx.x)eranga
Effectz.AI
Apr 8, 2019

Scenario

I have an Elasticsearch cluster set up on AWS. It is not set up with SSL encryption between client and server (with X-Pack). In this case, if I open the Elasticsearch client ports 9200 and 9300 on the AWS firewall, it will expose all the APIs to everyone without authentication.

I can use SSH local port forwarding to secure the communication between the client and the Elasticsearch cluster. Then I don’t need to open ports 9200 and 9300 on the AWS firewall. Instead, I can use SSH local port forwarding to forward Elasticsearch traffic from AWS to the client service (Figure 1). Read more about SSH port forwarding from here.

Elasticsearch scala client

My Elasticsearch client service is written in Scala. When the client service starts up, it starts SSH local port forwarding from AWS to the local server. The client can then access Elasticsearch with the local server's IP address or with localhost.

SSH port forwarding with scala

I have used the JSch Java library to implement the SSH-related functions in Scala. Following is the build.sbt file with the JSch dependency.

Following is the function that I have used for SSH port forwarding in Scala. This function can be called from the Main function when starting up the service. It starts port forwarding behind the scenes on a daemon thread.
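
One way such a tunnel can be set up with JSch, as an added example that is not the author's original code. The object, case class and field names are hypothetical, and it assumes key-based login, a known_hosts file that already contains the server's host key, and Elasticsearch listening on the SSH host itself. It binds the forwarded ports to loopback only.

```scala
// Added example, not the author's original function.
// build.sbt needs: libraryDependencies += "com.jcraft" % "jsch" % "<version>"
import com.jcraft.jsch.{JSch, Session}

object EsTunnel {
  // Every field value is supplied by the caller; names here are hypothetical.
  final case class TunnelConfig(
    sshUser: String,
    sshHost: String,                   // SSH-reachable host in AWS
    privateKeyPath: String,
    knownHostsPath: String,            // must already hold the host's key
    sshPort: Int = 22,
    remoteHost: String = "localhost",  // assumption: ES listens on the SSH host
    ports: Seq[Int] = Seq(9200, 9300)
  )

  /** Connects and forwards each port to the same port on 127.0.0.1. */
  def start(cfg: TunnelConfig): Session = {
    val jsch = new JSch()
    jsch.setKnownHosts(cfg.knownHostsPath)
    jsch.addIdentity(cfg.privateKeyPath)

    val session = jsch.getSession(cfg.sshUser, cfg.sshHost, cfg.sshPort)
    // Refuse unknown or changed host keys instead of disabling the check.
    session.setConfig("StrictHostKeyChecking", "yes")
    session.setConfig("PreferredAuthentications", "publickey")
    session.setServerAliveInterval(30000) // ms; keeps an idle tunnel open
    session.setDaemonThread(true)         // do not block JVM shutdown
    session.connect(10000)                // ms connect timeout

    try {
      // Bind to loopback only so other machines cannot reach the forwarded ports.
      cfg.ports.foreach { p =>
        session.setPortForwardingL("127.0.0.1", p, cfg.remoteHost, p)
      }
    } catch {
      case e: Exception => session.disconnect(); throw e
    }
    session
  }
}
```

Call `EsTunnel.start(...)` before creating the Elasticsearch client, point the client at `localhost:9200`, and call `disconnect()` on the returned session at shutdown.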

Reference

  1. https://medium.com/@itseranga/ssh-port-forwarding-357f02d75d
  2. https://www.digitalocean.com/community/questions/ssh-tunnel-using-java-client
  3. https://www.journaldev.com/235/java-mysql-ssh-jsch-jdbc
  4. http://www.beanizer.org/site/index.php/en/Articles/Java-ssh-tunneling-with-jsch.html
