Configure nginx and Elasticsearch
Contents
- Overview of secure web server communication
- Set up a proxy
- Configure Magento to use Elasticsearch
- Secure communication with nginx
- Verify communication is secure
Overview of secure web server communication
This topic discusses an example of securing communication between your web server and Elasticsearch using a combination of Transport Layer Security (TLS) encryption and HTTP Basic authentication. You can optionally configure other types of authentication as well; we provide references for that information.
(An older term, Secure Sockets Layer (SSL), is frequently used interchangeably with TLS. In this topic, we refer to TLS.)
Unless otherwise noted, all commands in this topic must be entered as a user with root
privileges.
Recommendations
We recommend the following:
-
Your web server uses TLS.
TLS is beyond the scope of this topic; however, we strongly recommend you use a real certificate in production and not a self-signed certificate.
-
Elasticsearch runs on the same host as a web server. Running Elasticsearch and the web server on different hosts is beyond the scope of this topic.
The advantage of putting Elasticsearch and the web server on the same host is that it makes intercepting encrypted communication impossible. The Elasticsearch web server doesn’t have to be the same as the Magento web server; for example, Magento can run Apache and Elasticsearch can run nginx.
More information about TLS
See one of the following resources:
-
Apache
-
nginx
Set up a proxy
This section discusses how to configure nginx as an unsecure proxy so that Magento can use Elasticsearch running on this server. This section does not discuss setting up HTTP Basic authentication; that is discussed in Secure communication with nginx.
The reason the proxy is not secured in this example is it's easier to set up and verify. You can use TLS with this proxy if you want; to do so, make sure you add the proxy information to your secure server block configuration.
See one of the following sections for more information:
- Step 1: Specify additional configuration files in your global
nginx.conf
- Step 2: Set up nginx as a proxy
Step 1: Specify additional configuration files in your global nginx.conf
Make sure your global /etc/nginx/nginx.conf
contains the following line so it loads the other configuration files discussed in the following sections:
include /etc/nginx/conf.d/*.conf;
Step 2: Set up nginx as a proxy
This section discusses how to specify who can access the nginx server.
-
Use a text editor to create a new file
/etc/nginx/conf.d/magento_es_auth.conf
with the following contents:server { listen 8080; location / { proxy_pass http://localhost:9200; } }
-
Restart nginx:
service nginx restart
-
Verify the proxy works by entering the following command:
curl -i http://localhost:<proxy port>/_cluster/health
For example, if your proxy uses port 8080:
curl -i http://localhost:8080/_cluster/health
Messages similar to the following display to indicate success:
HTTP/1.1 200 OK Date: Tue, 23 Feb 2016 20:38:03 GMT Content-Type: application/json; charset=UTF-8 Content-Length: 389 Connection: keep-alive {"cluster_name":"elasticsearch","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":5,"active_shards":5,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":5,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":50.0}
-
Continue with the next section.
Configure Magento to use Elasticsearch
This section discusses the minimum settings you must choose to test Elasticsearch with Magento 2. For additional details about configuring Elasticsearch, see the Magento Commerce User Guide.
To configure Magento to use Elasticsearch:
- Log in to the Magento Admin as an administrator.
- Click Stores > Settings > Configuration > Catalog > Catalog > Catalog Search.
-
From the Search Engine list, click Elasticsearch or Elasticsearch 5.0+ as the following figure shows. (The Elasticsearch 5.0+ option is not available for Magento 2.1.)
-
The following table discusses only the configuration options required to test the connection with Magento.
Unless you changed Elasticsearch server settings, the defaults should work. Skip to the next step.
Option Description Elasticsearch Server Hostname Enter the fully qualified host name or IP address of the machine running Elasticsearch.
Magento Commerce (Cloud): Get this value from your integration system.
Elasticsearch Server Port Enter the Elasticsearch web server proxy port. In our example, the port is
8080
but if you're using a secure proxy, it's typically443
.Magento Commerce (Cloud): Get this value from your integration system.
Elasticsearch Index Prefix Enter the Elasticsearch index prefix. If you use a single Elasticsearch instance for more than one Magento installation (Staging and Production environments), you must specify a unique prefix for each installation. Otherwise, you can use the default prefix magento2
.Enable Elasticsearch HTTP Auth Click Yes only if you enabled authentication for your Elasticsearch server. If so, provide a user name and password in the provided fields. - Click Test Connection.
One of the following displays:
Result | Meaning |
---|---|
Magento successfully connected to the Elasticsearch server. Continue with Configure Apache and Elasticsearch or Configure nginx and Elasticsearch. | |
Try the following:
|
Reindexing catalog search and refreshing the full page cache
After you change Magento’s Elasticsearch configuration, you must reindex the catalog search index and refresh the full page using the Admin or command line.
To refresh the cache using the Admin:
- In the Admin, click System > Cache Management.
- Select the check box next to Page Cache.
- From the Actions list in the upper right, click Refresh.
The following figure shows an example.
To clean the cache using the command line, use the magento cache:clean
command.
To reindex using the command line:
- Log in to your Magento server as, or switch to, the Magento file system owner.
-
Enter any of the following commands:
Enter the following command to reindex the catalog search index only:
php <your Magento install dir>/bin magento indexer:reindex catalogsearch_fulltext
Enter the following command to reindex all indexers:
php <your Magento install dir>/bin magento indexer:reindex
- Wait while the reindexing completes.
Unlike the cache, indexers are updated by a cron job. Make sure cron is enabled before you start using Elasticsearch.
Secure communication with nginx
This section discusses how to set up HTTP Basic authentication with your secure proxy. Use of TLS and HTTP Basic authentication together prevents anyone from intercepting communication with Elasticsearch or with your Magento server.
Because nginx natively supports HTTP Basic authentication, we recommend it over, for example, Digest authentication, which isn’t recommended in production.
Additional resources:
- How To Set Up Password Authentication with Nginx on Ubuntu 14.04 (Digitalocean)
- Basic HTTP Authentication With Nginx (HowtoForge)
- Example Nginx Configurations for Elasticsearch
See the following sections for more information:
- Step 1: Create passwords
- Step 2: Set up access to nginx
- Step 3: Set up a restricted context for Elasticsearch
- Verify communication is secure
Step 1: Create a password
We recommend you use the Apache htpasswd
command to encode passwords for a user with access to Elasticsearch (named magento_elasticsearch
in this example).
To create a password:
-
Enter the following command to determine if
htpasswd
is already installed:which htpasswd
If a path displays, it is installed; if the command returns no output,
htpasswd
is not installed. -
If necessary, install
htpasswd
:- Ubuntu:
apt-get -y install apache2-utils
- CentOS:
yum -y install httpd-tools
- Ubuntu:
-
Create a
/etc/nginx/passwd
directory to store passwords:mkdir -p /etc/nginx/passwd htpasswd -c /etc/nginx/passwd/.<filename> <username>
For security reasons,
<filename>
should be hidden; that is, it must start with a period. An example follows.Example:
mkdir -p /etc/nginx/passwd htpasswd -c /etc/nginx/passwd/.magento_elasticsearch magento_elasticsearch
Follow the prompts on your screen to create the user’s password.
-
(Optional). To add another user to your password file, enter the same command without the
-c
(create) option:htpasswd /etc/nginx/passwd/.<filename> <username>
-
Verify that the contents of
/etc/nginx/passwd
is correct.
Step 3: Set up access to nginx
This section discusses how to specify who can access the nginx server.
The example shown is for an unsecure proxy. To use a secure proxy, add the following contents (except the listen port) to your secure server block.
Use a text editor to modify either /etc/nginx/conf.d/magento_es_auth.conf
(unsecure) or your secure server block with the following contents:
server {
listen 8080;
server_name 127.0.0.1;
location / {
limit_except HEAD {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/passwd/.htpasswd_magento_elasticsearch;
}
proxy_pass http://127.0.0.1:9200;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /_aliases {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/passwd/.htpasswd_magento_elasticsearch;
proxy_pass http://127.0.0.1:9200;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
include /etc/nginx/auth/*.conf;
}
The Elasticsearch listen port shown in the preceding example are examples only. For security reasons, we recommend you use a non-default listen port for Elasticsearch.
Step 4: Set up a restricted context for Elasticsearch
This section discusses how to specify who can access the Elasticsearch server.
-
Enter the following command to create a new directory to store the authentication configuration:
mkdir /etc/nginx/auth/
-
Use a text editor to create a new file
/etc/nginx/auth/magento_elasticsearch.conf
with the following contents:location /elasticsearch { auth_basic "Restricted - elasticsearch"; auth_basic_user_file /etc/nginx/passwd/.htpasswd_magento_elasticsearch; proxy_pass http://127.0.0.1:9200; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; }
- If you set up a secure proxy, delete
/etc/nginx/conf.d/magento_es_auth.conf
. -
Restart nginx and continue with the next section:
service nginx restart
Verify communication is secure
This section discusses two ways to verify that HTTP Basic authentication is working:
- Using a
curl
command to verify you must enter a user name and password to get cluster status - Configuring HTTP Basic authentication in the Magento Admin
Use a curl
command to verify cluster status
Enter the following command:
curl -i http://<host name, ip, or localhost>:<proxy port>/_cluster/health
For example, if you enter the command on the Elasticsearch server and your proxy uses port 8080:
curl -i http://localhost:8080/_cluster/health
The following message displays to indicate authentication failed:
HTTP/1.1 401 Unauthorized
Date: Tue, 23 Feb 2016 20:35:29 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Restricted"
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
</body>
</html>
Now try the following command:
curl -i -u <user name>:<password> http://<host name, ip, or localhost>:<proxy port>/_cluster/health
For example:
curl -i -u magento_elasticsearch:mypassword http://localhost:8080/_cluster/health
This time the command succeeds with a message similar to the following:
HTTP/1.1 200 OK
Date: Tue, 23 Feb 2016 20:38:03 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 389
Connection: keep-alive
{"cluster_name":"elasticsearch","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":5,"active_shards":5,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":5,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":50.0}
Configure HTTP Basic authentication in the Magento Admin
Perform the same tasks as discussed in Configure Magento to use Elasticsearch except click Yes from the Enable Elasticsearch HTTP Auth list and enter your user name and password in the provided fields.
The following figure shows an example:
Click Test Connection to make sure it works and then click Save Config.
You must flush the Magento cache and reindex before you continue.