Elasticsearch reindex.remote.whitelist Setting

Pulse - Elasticsearch Operations Done Right

On this page

Example Common Issues and Misuses Do's and Don'ts Frequently Asked Questions

The reindex.remote.whitelist setting in Elasticsearch controls which remote hosts are allowed for remote reindexing operations. It acts as a security measure to prevent unauthorized access to external data sources during reindexing tasks.

  • Default value: Empty (no remote reindexing allowed)
  • Possible values: List of allowed remote hosts in the format host:port
  • Recommendations: Configure this setting with only trusted remote hosts to maintain security

This setting is crucial for securing remote reindexing operations. It specifies which remote Elasticsearch clusters are permitted as sources for reindexing. When left empty, remote reindexing is disabled entirely.

Example

To allow remote reindexing from two specific hosts:

PUT /_cluster/settings
{
  "persistent": {
    "reindex.remote.whitelist": ["otherhost:9200", "another:9200"]
  }
}

This change would enable remote reindexing from the specified hosts, allowing data to be pulled from these sources during reindex operations.

Common Issues and Misuses

  • Overly permissive configurations (e.g., using wildcards) can pose security risks
  • Forgetting to update the whitelist when new legitimate remote sources are added
  • Not removing outdated or no longer used remote hosts from the whitelist

Do's and Don'ts

  • Do regularly review and update the whitelist
  • Do use specific host:port combinations for precise control
  • Don't use overly broad patterns like *:* which can compromise security
  • Don't include untrusted or unverified hosts in the whitelist
  • Do consider network security measures in addition to this setting

Frequently Asked Questions

Q: Can I use IP addresses in the reindex.remote.whitelist?
A: Yes, you can use both hostnames and IP addresses in the format host:port or ip:port.

Q: Does this setting affect intra-cluster reindexing?
A: No, this setting only applies to reindexing from remote clusters. Intra-cluster reindexing is not affected.

Q: Can I use wildcards in the reindex.remote.whitelist?
A: While possible, it's not recommended for security reasons. It's better to explicitly list allowed hosts.

Q: How does this setting interact with other security measures?
A: This setting is a part of Elasticsearch's security layers. It should be used in conjunction with proper network security, firewalls, and authentication mechanisms.

Q: Can I dynamically update the reindex.remote.whitelist?
A: Yes, you can update this setting dynamically using the Cluster Update Settings API without restarting nodes.

Pulse - Elasticsearch Operations Done Right

Stop googling errors and staring at dashboards.

Free Trial

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.

We use cookies to provide an optimized user experience and understand our traffic. To learn more, read our use of cookies; otherwise, please choose 'Accept Cookies' to continue using our website.