Skip to main content

Elasticsearch CORS with basic authentication setup

This is a short "recipe" article explaining how to configure remote ElasticSearch instance to support CORS requests and basic authentication using Apache HTTP Server 2.4.

Proxy
To start with, we need to configure Apache to proxy requests to the Elasticsearch instance. By default, Elasticsearch is running on the port 9200:
ProxyPass /elastic http://localhost:9200/
ProxyPassReverse /elastic http://localhost:9200/

Basic authentication
Enabling basic authentication is easy. By default, Apache checks the user credentials against the local file which you can create using the following command:
/path/to/htpasswd -c /usr/local/apache/password/.htpasswd_elasticsearch elasticsearchuser
Then you'll need to use the following directives to allow only authenticated users to access your content:
AuthType Basic
AuthName "Elastic Server"
AuthUserFile /usr/local/apache/password/.htpasswd_elasticsearch
Require valid-user
For more complex setups such as LDAP-based authentication and restricting access by user group or other criterias, see official howto.

CORS
When you want to add support of CORS requests to your server, you should configure it to set proper response headers starting with Access-Control-Allow-Origin. To make it work with basic authentication, you will need the following headers:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials: "*"
Header set Access-Control-Allow-Headers: "Authorization, Content-Type, X-Requested-With"
If you need to support HTTP PUT requests or want to see more detailed explanations with examples, check Using CORS tutorial.
The above configuration is still not enough to make basic authentication work as the HTTP OPTIONS pre-flight request is sent without Authorization header. So we need to allow such requests non password-protected:
<LimitExcept OPTIONS>
 Require valid-user
</LimitExcept>

Final configuration
Let's move the complete configuration inside a Location directive now:
<Location /elastic>
 ProxyPass http://localhost:9200/
 ProxyPassReverse http://localhost:9200/

 Header set Access-Control-Allow-Origin "*"
 Header set Access-Control-Allow-Credentials: "*"
 Header set Access-Control-Allow-Headers: "Authorization, Content-Type, X-Requested-With"

 AuthType Basic
 AuthName "Elastic Server PROD"
 AuthUserFile /usr/local/apache/password/.htpasswd_elasticsearch

 <LimitExcept OPTIONS>
  Require valid-user
 </LimitExcept>
</Location>

Comments