通过openresty拦截掉危险的操作。


配置文件如下:

$ cat docker-compose.yaml 
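version: '3'

networks:
  monitor:
    driver: bridge

services:
  # NOTE(review): neither image is pinned to a tag or digest, so every
  # pull may silently change what runs behind the filter — pin both.
  cerebro:
    image: lmenezes/cerebro
    container_name: cerebro
    hostname: cerebro
    restart: always
    # Anyone who can reach this port talks to cerebro directly and skips
    # every rule openresty enforces, so it is bound to loopback only.
    # Users go through openresty on host port 1235. Drop the mapping
    # entirely if local admin access is not needed.
    ports:
      - "127.0.0.1:1234:9000"
    networks:
      - monitor

  openresty:
    image: openresty/openresty
    container_name: openresty
    hostname: openresty
    restart: always
    ports:
      - "1235:80"
    # Mounted read-only so the filter rules cannot be altered from inside
    # the container.
    # NOTE(review): confirm this image actually loads /etc/nginx/nginx.conf
    # as its main configuration; the openresty image documents its default
    # config under /usr/local/openresty/nginx/conf/ — verify which file is
    # read, otherwise the mounted nginx.conf is ignored.
    volumes:
      - ./ngx_conf/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./ngx_conf/cerebro.conf:/etc/nginx/conf.d/cerebro.conf:ro
    networks:
      - monitor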


mkdir ngx_conf

cd ngx_conf

2个配置文件如下:

$ cat nginx.conf 
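# Worker identity and process count.
# NOTE(review): confirm a "nginx" user exists in the openresty image; nginx
# refuses to start when the user named here cannot be resolved.
user nginx;
worker_processes  4;

# Relative paths are resolved against the nginx prefix directory.
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
error_log  logs/error.log  info;

pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Do not advertise the server version in headers and error pages.
    server_tokens off;

    # Access log keeps the client address and X-Forwarded-For so requests
    # rejected by the filters in conf.d can be traced back to their origin.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;
    keepalive_timeout  120;

    # Response compression.
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 32k;
    gzip_http_version 1.1;
    gzip_comp_level 5;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_vary on;
    gzip_proxied any;
    gzip_disable "MSIE [1-6]\.";

    # Buffering. client_body_buffer_size bounds the request body kept in
    # memory; larger bodies are written to a temp file, which matters for
    # the body inspection done in conf.d/cerebro.conf.
    proxy_buffer_size 8k;
    proxy_buffering on;
    client_header_buffer_size 8k;
    client_body_buffer_size 8k;
    proxy_request_buffering on;
    proxy_cache_lock on;
    proxy_cache_use_stale updating;

    # Per-site configuration (the cerebro filter lives here).
    include /etc/nginx/conf.d/*.conf;
}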



$ cat cerebro.conf 
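server {
  listen 80;
  #error_log /var/log/nginx/cerebro_proxy_err.log;

  root /usr/share/nginx/html;

  # Default route: anything not caught by a more specific location below is
  # proxied to the cerebro container (reachable by service name on the
  # compose "monitor" network).
  location / {
    default_type application/json;
    proxy_pass http://cerebro:9000;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

  # Dangerous operations of the overview UI are rejected here, whatever the
  # HTTP method. These rules only cover traffic that passes through this
  # proxy, so cerebro itself must not be reachable directly.
  location /cluster_settings {
    return 403;
  }
  location ~ (/templates|/commons/indices|/disable_shard_allocation|/analysis) {
    return 403;
  }
  location /overview/relocate_shard {
    return 403;
  }
  location /overview/delete_indices {
    return 403;
  }
  location /overview/close_indices {
    return 403;
  }
  location /overview/force_merge {
    return 403;
  }
  location /overview/flush_indices {
    return 403;
  }
  location /overview/refresh_indices {
    return 403;
  }
  location /overview/clear_indices_cache {
    return 403;
  }

  # Requests issued from the REST UI: the request body is inspected before
  # proxying and anything that looks destructive is rejected.
  location /rest/request {
    default_type application/json;

    # Make the body available to access_by_lua_block. Bodies larger than
    # client_body_buffer_size are spilled to a temp file (handled below).
    lua_need_request_body on;
    access_by_lua_block {
      -- Every denial takes the same path: 403 and stop processing.
      local function deny()
        return ngx.exit(ngx.HTTP_FORBIDDEN)
      end

      -- get_body_data() returns nil when the body is empty or was written
      -- to a temp file; the previous code then raised a Lua error (HTTP
      -- 500). Read the file back so large bodies are still inspected, and
      -- fail closed if it cannot be read.
      local body = ngx.req.get_body_data()
      if body == nil then
        local body_file = ngx.req.get_body_file()
        if body_file ~= nil then
          local fh = io.open(body_file, "rb")
          if fh == nil then
            return deny()
          end
          body = fh:read("*a")
          fh:close()
          if body == nil then
            return deny()
          end
        else
          body = ""
        end
      end

      -- Plain (non-pattern) substring test. Locals rather than globals, so
      -- no match state leaks between requests served by the same worker.
      local function has(token)
        return string.find(body, token, 1, true) ~= nil
      end

      -- Reject plain DELETE operations.
      -- NOTE(review): the substring test is case-sensitive and also fires
      -- on "DELETE" appearing inside a query body. If the REST UI sends a
      -- JSON body with method/path fields, decoding it (cjson) and checking
      -- those fields would be more precise — confirm the body format first.
      if has("DELETE") then
        return deny()
      end

      -- Reject _delete_by_query combined with match_all issued as POST.
      if has("_delete_by_query") and has("match_all") and has("POST") then
        return deny()
      end
    }

    proxy_pass http://cerebro:9000;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  }

}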