Install OpenSearch Behind Nginx Reverse Proxy

I have successfully installed the minimum OpenSearch two-node cluster using the docker installation example in the docs. I generated my own self-signed certs and turned off the demo config and everything worked fine.

I then modified my opensearch.yml to continue to use the self-signed certs to secure the transport layer, but to disabled SSL for the REST layer using the true setting.

I plan to install an nginx server on the host machine that will act as a reverse proxy to OpenSearch. The nginx will be the ssl termination point and the default OpenSearch ports for both the nodes and OpenDashboards will not be accessible externally (using a firewall on the server). All http traffic will come through nginx. We have trusted CA wildcard certificates for our internal domain which nginx will use, which is easier than dealing with the self-signed certs.

I don’t see any mention in the docs or on the forums about reverse proxies. Is this a recommended configuration? Are there any pitfalls in doing this, especially if we decide to increase the number of nodes in the cluster in the future?

1 Like

Hi @rtmacphail
Considering that the rest of security features will be in place, TLS on transport later, RBAC etc, the only downside to terminating TLS at proxy, means that the traffic is then transferred unencrypted. Although many believe that thanks to firewalls and VPNs there is no way for malicious actor to gain access, IBM study did find that 60% of attacks come from insiders (link).