cerebro+openresty拦截
  jKnO7FXA2HI8 2023年11月02日 36 0

在 Cerebro 前面放一层 OpenResty 反向代理,拦截掉危险的操作。注意:拦截只对经过 OpenResty(下文的 1235 端口)的请求生效,Cerebro 自身的端口不应直接对外暴露,否则可以绕过这层代理。


配置文件如下:

$ cat docker-compose.yaml 
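# Cerebro (Elasticsearch admin UI) behind an OpenResty reverse proxy that
# rejects destructive requests. The filtering only protects traffic that
# actually goes through the proxy, so Cerebro itself must not be reachable
# from other hosts.
version: '3'
networks:
    monitor:
        driver: bridge
services:
    cerebro:
        # NOTE(review): no tag means "latest"; pin a reviewed tag or digest so
        # a rebuild cannot silently pull a different image.
        image: lmenezes/cerebro
        container_name: cerebro
        hostname: cerebro
        restart: always
        ports:
            # Bound to loopback only. Publishing 1234 on every interface would
            # let any client skip the proxy and its 403 rules entirely.
            - "127.0.0.1:1234:9000"
        networks:
            - monitor
    openresty:
        # NOTE(review): unpinned tag, same concern as above.
        image: openresty/openresty
        container_name: openresty
        hostname: openresty
        restart: always
        ports:
            # NOTE(review): nothing on this page configures authentication for
            # this listener; restrict it to a trusted network or add auth.
            - "1235:80"
        volumes:
            # Read-only mounts: the container never needs to modify its config.
            # NOTE(review): the official openresty image documents its main
            # config at /usr/local/openresty/nginx/conf/nginx.conf; confirm
            # that a file mounted at /etc/nginx/nginx.conf is actually loaded.
            - ./ngx_conf/nginx.conf:/etc/nginx/nginx.conf:ro
            - ./ngx_conf/cerebro.conf:/etc/nginx/conf.d/cerebro.conf:ro
        networks:
            - monitor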


mkdir ngx_conf

cd ngx_conf

2个配置文件如下:

$ cat nginx.conf 
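# Main OpenResty/nginx configuration for the Cerebro filtering proxy.
# NOTE(review): confirm that a "nginx" user exists in the image in use.
user nginx;
worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
error_log  logs/error.log  info;

pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Do not advertise the server version in error pages and the Server header.
    server_tokens off;

    # $http_x_forwarded_for is supplied by the client and can be forged;
    # $remote_addr is the address to trust when reviewing blocked requests.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # 403 entries in this log are the requests the proxy rules rejected.
    access_log  logs/access.log  main;

    sendfile        on;
    keepalive_timeout  120;


    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 32k;
    gzip_http_version 1.1;
    gzip_comp_level 5;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_vary on;
    gzip_proxied any;
    gzip_disable "MSIE [1-6]\.";

    proxy_buffer_size 8k;
    proxy_buffering on;
    client_header_buffer_size 8k;
    # Request bodies larger than this buffer are spooled to a temporary file.
    # Any Lua filter that reads the body from memory has to account for that.
    client_body_buffer_size 8k;
    proxy_request_buffering on;
    # NOTE(review): no proxy_cache zone is defined in the visible config, so
    # these two cache directives presumably have no effect; confirm or drop.
    proxy_cache_lock on;
    proxy_cache_use_stale updating;

    # Per-site server blocks (cerebro.conf) are loaded from here.
    include /etc/nginx/conf.d/*.conf;
}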



$ cat cerebro.conf 
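# Reverse proxy in front of Cerebro that answers 403 to destructive operations.
# NOTE(review): this is a denylist. Any Cerebro endpoint not listed below is
# forwarded unchanged, so the list has to be re-checked after Cerebro upgrades.
# An allowlist of read-only endpoints would fail closed instead.
server {
  listen 80;
  #error_log /var/log/nginx/cerebro_proxy_err.log;

  root /usr/share/nginx/html;

  # Default: forward everything that no stricter location below claims.
  location / {
    default_type application/json;
    proxy_pass http://cerebro:9000;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

  # Block all dangerous operations reachable from the overview page.
  location /cluster_settings {
    return 403;
  }
  # Unanchored regex: rejects any URI containing one of these path segments.
  location ~ (/templates|/commons/indices|/disable_shard_allocation|/analysis) {
    return 403;
  }
  location /overview/relocate_shard {
    return 403;
  }
  location /overview/delete_indices {
    return 403;
  }
  location /overview/close_indices {
    return 403;
  }
  location /overview/force_merge {
    return 403;
  }
  location /overview/flush_indices {
    return 403;
  }
  location /overview/refresh_indices {
    return 403;
  }
  location /overview/clear_indices_cache {
    return 403;
  }

  # Inspect requests sent from the REST page before forwarding them.
  location /rest/request {
    default_type application/json;

    # Keep the whole body in memory so the Lua check can always see it.
    # Bodies above client_body_buffer_size are spooled to a temp file, and
    # ngx.req.get_body_data() then returns nil.
    client_max_body_size 1m;
    client_body_buffer_size 1m;

    lua_need_request_body on;
    access_by_lua_block {
      local body = ngx.req.get_body_data()

      -- Fail closed: a missing or file-buffered body cannot be inspected.
      -- The original code raised a Lua error here (string.match on nil).
      if not body then
        ngx.log(ngx.WARN, "cerebro proxy: rejected /rest/request, body not available for inspection")
        return ngx.exit(ngx.HTTP_FORBIDDEN)
      end

      -- Plain substring search; locals instead of globals so nothing is
      -- shared between requests handled by the same worker.
      local function contains(needle)
        return string.find(body, needle, 1, true) ~= nil
      end

      -- Block plain DELETE operations.
      if contains("DELETE") then
        ngx.log(ngx.WARN, "cerebro proxy: rejected /rest/request containing DELETE")
        return ngx.exit(ngx.HTTP_FORBIDDEN)
      end

      -- Block _delete_by_query when combined with match_all in a POST.
      if contains("_delete_by_query") and contains("match_all") and contains("POST") then
        ngx.log(ngx.WARN, "cerebro proxy: rejected /rest/request with _delete_by_query and match_all")
        return ngx.exit(ngx.HTTP_FORBIDDEN)
      end

      -- NOTE(review): these are case-sensitive substring checks on the raw
      -- body. They also reject harmless requests that merely contain these
      -- words, and they depend on the exact spelling and encoding of the
      -- JSON. Decoding the body (cjson.safe ships with OpenResty) and
      -- checking the method and path fields is more reliable; confirm the
      -- field names against the Cerebro version in use. Other write
      -- operations sent through this page are not filtered at all.
    }

    proxy_pass http://cerebro:9000;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

}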