4

I was using an Application Load Balancer (ALB) in front of my Elasticsearch node and configured the health check as shown in the image. The health check was working fine and I was able to reach my ES through the load balancer.

Now I have added X-Pack security, which requires even the health check to pass a user (the elastic superuser and its password in my case). After that the health check stopped working, as the ALB can't pass basic authentication, and as shown in the image the ALB is continuously de-registering Elasticsearch, which in turn is causing my Elasticsearch Docker to stop/start.

Note: I am using ES 7.7, if it's relevant to this question.

  • What would you like to do? Remove the health check? You can change the status code to whatever you get when you get rejected. – Marcin Jun 02 '20 at 03:34
  • @Marcin thanks again for your comment. I don't want to remove the health check, but I guess it's safe to change it to 401, as it means ES is sending 401 Unauthorized, which implies it's not down... In the ideal case I want to get 200; I have a superuser and am OK to use it for the HC if there is some way to pass it. –  Jun 02 '20 at 04:58
  • I don't think you can have ALB perform a login action to your service to do the HC. Maybe you could set up a proxy for the health checks, if you don't want to use 401. For example: ALB->nginx->health check, but I'm not sure how it could work. – Marcin Jun 02 '20 at 05:02
  • 1
    Hmm, setting up a proxy would be overkill. I am trying with 401 and if it works I would go that way; please write an answer and I shall upvote and accept it. –  Jun 02 '20 at 05:04

2 Answers

2

Based on the comments, the problem is caused by the fact that ALB health checks fail since failed authentication returns 401 HTTP code, not 200.

The solution is to use the 401 code as the expected code for the health check. The failure of authentication still means that ES is up and running, not that ES failed.

Marcin
0

What I did:

I pointed the path to the favicon image, as it does not need any authentication and gives 200 on success.

If ES is down, then this will also throw a non-healthy response code.

/favicon.ico 200
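
The proxy option raised in the comments on the question (ALB -> proxy -> health check), as an added example that is not part of the original posts: a small sidecar that authenticates to Elasticsearch itself and returns a bare 200 or 503 to the ALB. The `/healthz` path, port 9201, the environment variable names and the `healthcheck` user (assumed to hold only the `monitor` cluster privilege instead of superuser rights) are assumptions.

```python
"""Health-check sidecar: ALB -> this proxy -> Elasticsearch (added example)."""
import base64
import json
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed settings (hypothetical names): a dedicated low-privilege user, not the superuser.
ES_URL = os.environ.get("ES_URL", "http://127.0.0.1:9200")
ES_USER = os.environ.get("ES_HC_USER", "healthcheck")
ES_PASS = os.environ.get("ES_HC_PASS", "")


def alb_status(es_code, es_body):
    """Map the Elasticsearch reply to the code the ALB sees (200 healthy, 503 not)."""
    if es_code != 200:
        return 503  # includes 401/403: broken credentials should be visible
    try:
        status = json.loads(es_body).get("status")
    except (ValueError, AttributeError):
        return 503  # not the JSON object /_cluster/health returns
    # Policy choice of this example: a red cluster counts as unhealthy.
    return 200 if status in ("green", "yellow") else 503


def query_es(timeout=3):
    """GET /_cluster/health with HTTP basic auth; returns (code, body)."""
    token = base64.b64encode(f"{ES_USER}:{ES_PASS}".encode()).decode()
    req = urllib.request.Request(f"{ES_URL}/_cluster/health",
                                 headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""  # connection refused or timed out


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = alb_status(*query_es()) if self.path == "/healthz" else 404
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()  # empty body: cluster details are never relayed

    def log_message(self, *args):
        pass  # keep health-check polling out of stderr


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 9201), Handler).serve_forever()
```

The ALB target group then points its health check at `/healthz` on port 9201 and expects 200, so the credentials stay on the host and never appear in the load balancer configuration.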