Restricting HTTP verbs without redundant configuration

btsk@163.com posted on 2022-12-15 19:22

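I have an Elasticsearch cluster plus Logstash and Kibana, and I only want to expose a read-only window into the indices, with the exception of the index kibana-int so that dashboards can be saved.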

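I found a suitable ES proxy configuration, and I have modified it to use limit_except to disallow writes/modifications to the other indices, but much of the configuration is needlessly repeated. Is there a cleaner way to define this?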

upstream elasticsearch {
    server es-01.iad.company.com:9200;
    server es-02.iad.company.com:9200;
}

server {
    listen 9200;
    server_name elasticsearch.proxy;
    client_max_body_size 50m;

    location / {
        limit_except GET POST HEAD OPTIONS {
            deny all;
        }
        proxy_pass http://elasticsearch;
        proxy_redirect off;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Access-Control-Allow-Origin;
        proxy_pass_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
        add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type';
        add_header Access-Control-Allow-Credentials true;
    }
    location /kibana-int/ {
        proxy_pass http://elasticsearch;
        proxy_redirect off;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Access-Control-Allow-Origin;
        proxy_pass_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
        add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type';
        add_header Access-Control-Allow-Credentials true;
    }
}

Alexey Ten.. 6

There are several ways:

Solution 1

You can put the repeated configuration into a file and include it.

Your config:

upstream elasticsearch {
    server es-01.iad.company.com:9200;
    server es-02.iad.company.com:9200;
}

server {
    listen 9200;
    server_name elasticsearch.proxy;
    client_max_body_size 50m;

    location / {
        limit_except GET POST HEAD OPTIONS {
            deny all;
        }
        include proxy.inc;
    }

    location /kibana-int/ {
        include proxy.inc;
    }
}

proxy.inc:

proxy_pass http://elasticsearch;
proxy_redirect off;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_hide_header Access-Control-Allow-Headers;
add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type';
add_header Access-Control-Allow-Credentials true;

Solution 2

Another way is to use nginx's directive inheritance.

upstream elasticsearch {
    server es-01.iad.company.com:9200;
    server es-02.iad.company.com:9200;
}

server {
    listen 9200;
    server_name elasticsearch.proxy;
    client_max_body_size 50m;

    proxy_redirect off;
    proxy_set_header Connection "";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_hide_header Access-Control-Allow-Headers;
    add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type';
    add_header Access-Control-Allow-Credentials true;

    location / {
        limit_except GET POST HEAD OPTIONS {
            deny all;
        }
        proxy_pass http://elasticsearch;
    }

    location /kibana-int/ {
        proxy_pass http://elasticsearch;
    }
}

By the way, your proxy_pass_header directives are unnecessary. By default, Nginx proxies almost all headers.
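
The method policy that both solutions keep unchanged can be checked offline. This is an added example, not part of the original answer and not nginx code: it models only prefix-location selection and limit_except for the config above, and the sample request paths are constructed.

```python
# Added example: offline model of the method policy in the nginx config above.
# Only prefix locations and limit_except are modelled; nothing is sent anywhere.

# Prefix locations from the page's server block -> methods named in
# limit_except (None means the location has no limit_except at all).
LOCATIONS = {
    "/": {"GET", "POST", "HEAD", "OPTIONS"},
    "/kibana-int/": None,
}


def select_location(path):
    """nginx picks the longest prefix location that matches the URI path."""
    matches = [prefix for prefix in LOCATIONS if path.startswith(prefix)]
    return max(matches, key=len)


def decide(method, path):
    """Return (location, status): 'proxied' or 403 from 'deny all'."""
    location = select_location(path)
    allowed = LOCATIONS[location]
    if allowed is None:
        return location, "proxied"
    # nginx documents that allowing GET in limit_except also allows HEAD.
    if "GET" in allowed:
        allowed = allowed | {"HEAD"}
    return location, "proxied" if method.upper() in allowed else 403


# Constructed sample requests (index and dashboard names are made up).
SAMPLE_REQUESTS = [
    ("GET", "/logstash-2014.01.01/_search"),
    ("POST", "/logstash-2014.01.01/_search"),
    ("PUT", "/logstash-2014.01.01/event/1"),
    ("DELETE", "/logstash-2014.01.01"),
    ("PUT", "/kibana-int/dashboard/ops"),
    ("DELETE", "/kibana-int/dashboard/ops"),
    ("DELETE", "/kibana-int"),  # no trailing slash: falls through to "/"
]

if __name__ == "__main__":
    for method, path in SAMPLE_REQUESTS:
        location, status = decide(method, path)
        print(f"{method:7} {path:32} location {location:13} -> {status}")
```

POST is on the allowed list for every path, so requests that Elasticsearch accepts over POST pass through this rule regardless of index. A request to /kibana-int without the trailing slash is handled by location / and is therefore subject to limit_except.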
