{"id":19592860,"url":"https://github.com/cleafy/elasticsearch-http-basic","last_synced_at":"2025-08-10T21:11:49.166Z","repository":{"id":140014885,"uuid":"104369728","full_name":"Cleafy/elasticsearch-http-basic","owner":"Cleafy","description":"ElasticSearch v2.4.4 http-basic implementation","archived":false,"fork":false,"pushed_at":"2017-09-22T23:02:23.000Z","size":74,"stargazers_count":4,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-27T14:39:22.544Z","etag":null,"topics":["elasticsearch","elasticsearch-authentication","elasticsearch-http","elasticsearch-plugin","http-basic-auth","ip-authentication","whitelists-ip"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cleafy.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-21T16:03:48.000Z","updated_at":"2022-08-28T06:23:49.000Z","dependencies_parsed_at":null,"dependency_job_id":"d9d75e22-bcda-4bd8-8240-841ae9984667","html_url":"https://github.com/Cleafy/elasticsearch-http-basic","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Cleafy/elasticsearch-http-basic","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cleafy%2Felasticsearch-http-basic","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cleafy%2Felasticsearch-http-basic/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cleafy%2Felasticsearch-http-
basic/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cleafy%2Felasticsearch-http-basic/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cleafy","download_url":"https://codeload.github.com/Cleafy/elasticsearch-http-basic/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cleafy%2Felasticsearch-http-basic/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269788156,"owners_count":24475884,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-10T02:00:08.965Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["elasticsearch","elasticsearch-authentication","elasticsearch-http","elasticsearch-plugin","http-basic-auth","ip-authentication","whitelists-ip"],"created_at":"2024-11-11T08:37:14.233Z","updated_at":"2025-08-10T21:11:49.135Z","avatar_url":"https://github.com/Cleafy.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"**IMPORTANT NOTICE**: This project is based on Asquera/elasticsearch-http-basic. 
It adds support for elasticsearch 2.4.4 and Gradle compilation.\n\n\n[![Build Status](https://travis-ci.org/Asquera/elasticsearch-http-basic.svg?branch=master)](https://travis-ci.org/Asquera/elasticsearch-http-basic)\n\n**IMPORTANT NOTICE**: version 1.0.4 is *insecure and should not be used*.\nIt has a bug that lets an attacker pass ip authentication by placing a\nwhitelisted ip in the 'Host' header.\n\n# HTTP Basic / Ip auth for ElasticSearch\n\nThis plugin provides an extension of ElasticSearch's HTTP Transport module to enable **HTTP basic authentication** and/or\n**Ip based authentication**.\n\nRequests to `/` are answered without authentication (an unauthenticated client gets `{\"OK\":{}}`) to simplify health check configuration.\n\nThere is no way to configure this on a per index basis.\n\n\n## Version Mapping\n\n|     Http Basic Plugin       | elasticsearch                |\n|-----------------------------|------------------------------|\n| v2.4.4                      |                        2.4.4 |\n| v2.3.4 (master)             |                        2.3.4 |\n| v1.5.1                      |   1.5.1, 1.5.2, 1.6.0, 1.7.0 |\n| v1.5.0                      | 1.5.0                        |\n| v1.4.0                      | 1.4.0                        |\n| v1.3.0                      | 1.3.0                        |\n| v1.2.0                      | 1.2.0                        |\n| 1.1.0                       | 1.0.0                        |\n| 1.0.4                       | 0.90.7                       |\n\n## Installation\n\nDownload the desired version from https://github.com/Asquera/elasticsearch-http-basic/releases and copy it to `plugins/http-basic`.\n\n## Configuration\n\nOnce the plugin is installed it can be configured in the [elasticsearch modules configuration file](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html#settings). 
See the [elasticsearch directory layout information](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-dir-layout.html) for more information about the default paths of an ES installation.\n\n|     Setting key                   |  Default value               | Notes                                                                   |\n|-----------------------------------|------------------------------|-------------------------------------------------------------------------|\n| `http.basic.enabled`              | true                         | **true** disables the default ES HTTP Transport module                  |\n| `http.basic.user`                 | \"admin\"                      | Change the default before exposing the node                             |\n| `http.basic.password`             | \"admin_pw\"                   | Change the default before exposing the node; stored in plain text       |\n| `http.basic.ipwhitelist`          | [\"localhost\", \"127.0.0.1\"]   | If set to `false` no ip will be whitelisted. Entries are resolved with [java.net.InetAddress](http://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html) host name resolution, so host names are accepted |\n| `http.basic.trusted_proxy_chains` | []                           | Array of trusted proxy ip chains, e.g. [\"1.1.1.1,2.2.2.2\"] (see Ip based authentication) |\n| `http.basic.log`                  | false                        | Enables plugin logging to the ES log. Unauthenticated requests are always logged. 
|\n| `http.basic.xforward`             | \"\"                           | Header the proxy chain is read from; the most common is [X-Forwarded-For](http://en.wikipedia.org/wiki/X-Forwarded-For). Leave empty when no proxy sits in front of ES |\n\nBe aware that the password is stored in plain text in the configuration file.\n\n## Http basic authentication\n\nSee [this article](https://en.wikipedia.org/wiki/Basic_access_authentication).\n\n## Ip based authentication\n\nA client is **Ip authenticated iff** its **request** is **trusted** and its **ip is whitelisted**.\nA request from a client connected *directly* (direct client) is by definition **trusted**. Its ip is the request ip.\nA request from a client connected *via proxies* (remote client) is **trusted iff** a tail\nsubchain of the request chain matches a tail subchain of one of the trusted proxy chains.\n\n**A tail subchain** of a chain \"*A,B,C*\" is a subchain that matches it from the end.\nExample: the 3 tail subchains of the ip chain *A,B,C* are:\n\n    (pseudo code) tailSubchains(\"A,B,C\") --\u003e [\"A,B,C\", \"B,C\", \"C\"]\n\nThe request chain of a remote client is obtained following these steps:\n\n- read the configured xforward header of the request.\n- remove the client ip the header claims (the first listed ip, as defined by X-Forwarded-For) from it.\n- append the request ip (the ip the server actually received the connection from) to it.\n\nThe client ip of a remote client is the ip immediately before the longest trusted tail subchain of the request chain; when the whole request chain is trusted, it is the ip that was removed from the header in the step above. This is the ip checked\n  against the whitelist. Because the chain always ends with the request ip, a header sent by a client that connects directly is not honoured unless that client's own ip is itself a trusted proxy.\n\n\n### Request chain checks\n\nHaving the following configuration:\n\n    http.basic.xforward = 'X-Forwarded-For'\n    http.basic.trusted_proxy_chains = [\"B,C\", \"Z\"]\n\n#### Trusted cases:\n\n- A remote client with ip *A* connects to [server] via proxies with ips *B* and *C*. The *X-Forwarded-For* header has \"*A,B*\"; removing the client's ip \"*A*\" and adding the request ip *C*, the resulting chain *B,C* matches a trusted tail subchain. 
Client's ip is A.\n\n        [A] --\u003e B --\u003e C --\u003e [server]\n\n- A remote client with ip *A* connects to [server] via proxies with ips *R*, *P*, *B* and *C*. The *X-Forwarded-For* header has \"*A,R,P,B*\".\n  Removing the client's ip \"*A*\" and adding the request ip *C*, the resulting chain *R,P,B,C* matches a trusted tail subchain (*B,C*). **note**: the trusted tail covers only the last two hops, so *R* and *P* are not trusted proxies and what they forwarded is not believed; \"*P*\", the ip immediately before the trusted tail, is taken as the client's ip and checked against the white list. Client's ip is P.\n\n        [A] --\u003e R --\u003e P --\u003e B --\u003e C --\u003e [server]\n\n- A remote client with ip *A* connects to [server] via *C*. The *X-Forwarded-For* header has\n  \"*A*\"; removing the client's ip *A* and adding the request ip *C*, the resulting chain *C* matches a trusted tail subchain. Client's ip is A.\n\n        [A] --\u003e C --\u003e [server]\n\n- Client *A* connects directly to [server]. The *X-Forwarded-For* header is not set. Client's ip is A.\n\n        [A] --\u003e [server]\n\n#### Untrusted cases:\n\n- A remote client with ip *A* connects to [server] via *D*. The *X-Forwarded-For* header has\n  \"*A*\"; removing the client's ip \"*A*\" and adding the request ip *D*, the resulting chain *D* doesn't match any trusted tail subchain.\n\n        [A] --\u003e D --\u003e [server]\n\n- A remote client with ip *X* connects to the proxy with ip *C* passing a faked *X-Forwarded-For* header \"*R*\". *C* will take the ip of the connection it sees and append it to the *X-Forwarded-For* field. 
The server will receive an *X-Forwarded-For* header\n  of \"*R,X*\", remove the claimed client ip \"*R*\" (the forged value), add the request ip \"*C*\" and obtain the chain \"*X,C*\". The forged \"*R*\" is discarded: the ip checked against the whitelist is *X*, the hop in front of the trusted tail *C*, so the request is dropped unless *X* itself is whitelisted.\n\n        [X] -- R --\u003e C --\u003e [server]\n\n\n### configuration example\n\nThe following configuration enables plugin logging, sets user and password, sets the chain\n\"1.1.1.1,2.2.2.2\" as trusted, whitelists ip 3.3.3.3 and defines the xforward\nheader as the common 'X-Forwarded-For':\n\n```\nhttp.basic.log: true\nhttp.basic.user: \"some_user\"\nhttp.basic.password: \"some_password\"\nhttp.basic.ipwhitelist: [\"3.3.3.3\"]\nhttp.basic.xforward: \"X-Forwarded-For\"\nhttp.basic.trusted_proxy_chains: [\"1.1.1.1,2.2.2.2\"]\n```\n\n## Testing\n\n**note:** localhost is a whitelisted ip by default.\nAssume a default configuration with **my_username** and **my_password** configured.\n\nCorrect credentials\n```\n$ curl -v localhost:9200 # works (returns 200) (by default localhost is configured as a whitelisted ip)\n$ curl -v --user my_username:my_password no_local_host:9200/foo # works (returns 200) (if credentials are set in configuration)\n```\n\nWrong credentials\n```\n$ curl -v --user my_username:wrong_password no_local_host:9200/    # health check, returns 200 with \"{\\\"OK\\\":{}}\" although Unauthorized\n$ curl -v --user my_username:wrong_password no_local_host:9200/foo # returns 401\n```\n\n## Development\n\n### Testing\n  Maven is configured to run the unit and integration tests. 
This plugin makes\n  use of [ES Integration Tests](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/integration-tests.html).\n\n  The ES version to test against is set on the command line:\n\n  `mvn -Delasticsearch.version=1.5.2 -Dtests.security.manager=false test` runs all tests\n  `mvn -Delasticsearch.version=1.5.2 -Dtests.security.manager=false integration` runs integration tests only\n\n\n### Packaging\n  `mvn -Delasticsearch.version=1.5.2 -Dtests.security.manager=false package` packages the plugin in a `jar` file\n\n## Issues\n\nPlease file your issue here: https://github.com/Asquera/elasticsearch-http-basic/issues\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcleafy%2Felasticsearch-http-basic","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcleafy%2Felasticsearch-http-basic","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcleafy%2Felasticsearch-http-basic/lists"}
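The README's "Ip based authentication" and "Request chain checks" sections describe the trust algorithm in prose and worked cases. The following is an added example that models that algorithm as documented; it is not code from the plugin or from Asquera/Cleafy. It assumes ips are compared as plain strings (the plugin's `InetAddress` host name resolution of whitelist entries is left out) and takes `trusted_proxy_chains` in the README's comma-separated string form. The constructed cases at the bottom are the README's own examples plus the config example with a forged header, so the reader can see that a spoofed X-Forwarded-For entry never reaches the whitelist check.

```python
"""Model of the ip-authentication trust check described in the README.

Added illustration, not the plugin's code. Ips are compared as strings;
host name resolution of whitelist entries is out of scope.
"""

from typing import List, Optional, Sequence, Tuple


def tail_subchains(chain: Sequence[str]) -> List[List[str]]:
    """All tail subchains, longest first: A,B,C -> [A,B,C], [B,C], [C]."""
    return [list(chain[i:]) for i in range(len(chain))]


def parse_chain(spec: str) -> List[str]:
    """Split a comma-separated ip chain such as "1.1.1.1,2.2.2.2"."""
    return [hop.strip() for hop in spec.split(",") if hop.strip()]


def build_request_chain(
    xforward: Optional[str], request_ip: str
) -> Tuple[Optional[str], List[str]]:
    """Return (client ip claimed by the header, request chain).

    Direct client (no header): claimed ip is None and the chain is just the peer ip.
    Remote client: drop the first header ip (the claimed client) and append the
    peer ip, so the chain always ends at the ip the server actually saw.
    """
    hops = parse_chain(xforward) if xforward else []
    if not hops:
        return None, [request_ip]
    return hops[0], hops[1:] + [request_ip]


def longest_trusted_tail(chain: Sequence[str], trusted_chains: Sequence[str]) -> int:
    """Length of the longest tail of `chain` equal to a tail of some trusted chain; 0 if none."""
    trusted_tails = {
        tuple(tail)
        for spec in trusted_chains
        for tail in tail_subchains(parse_chain(spec))
    }
    for tail in tail_subchains(chain):  # longest first
        if tuple(tail) in trusted_tails:
            return len(tail)
    return 0


def resolve_client_ip(
    xforward: Optional[str], request_ip: str, trusted_chains: Sequence[str]
) -> Optional[str]:
    """Ip that is checked against the whitelist, or None when the request is untrusted."""
    claimed, chain = build_request_chain(xforward, request_ip)
    if claimed is None:
        return request_ip  # direct client: trusted by definition
    trusted_len = longest_trusted_tail(chain, trusted_chains)
    if trusted_len == 0:
        return None  # no trusted tail: the request is not trusted at all
    if trusted_len == len(chain):
        return claimed  # every hop is a trusted proxy: believe the header's client ip
    # Leading hops are not trusted proxies, so nothing they forwarded is believed;
    # the hop just before the trusted tail is the nearest ip we can vouch for.
    return chain[-trusted_len - 1]


def is_ip_authenticated(
    xforward: Optional[str],
    request_ip: str,
    trusted_chains: Sequence[str],
    whitelist: Sequence[str],
) -> bool:
    """README rule: trusted request AND resolved client ip on the whitelist."""
    client_ip = resolve_client_ip(xforward, request_ip, trusted_chains)
    return client_ip is not None and client_ip in set(whitelist)


if __name__ == "__main__":
    # Constructed requests against the README's example configuration.
    TRUSTED = ["B,C", "Z"]
    cases = [("A,B", "C"), ("A,R,P,B", "C"), ("A", "C"), (None, "A"), ("A", "D"), ("R,X", "C")]
    for header, peer in cases:
        print(f"xff={header!r:12} peer={peer}: client ip -> {resolve_client_ip(header, peer, TRUSTED)}")
    # Forged header on a direct connection with the README's configuration example:
    print(is_ip_authenticated("3.3.3.3", "9.9.9.9", ["1.1.1.1,2.2.2.2"], ["3.3.3.3"]))
```

The last call is the case a practitioner cares about: a client at 9.9.9.9 connecting straight to the node and claiming to be the whitelisted 3.3.3.3 is rejected, because the chain is built from the peer ip and 9.9.9.9 is not a trusted proxy.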