[BUG] - Not connected

[EvgeniyMakhmudov]

Description
Do not connect to ES. Try to use extansion in FF and Chrome, result the same.

Steps To Reproduce
List the steps to reproduce your problem:

1. Open elasticvue
2. Click on Test connection
3. GET request sended, recieve response with status 200 with standard greeting message from ES in body.

Screenshots

Environment (please include the following information):

• Operating system: Linux Mint 19.2
• Browser + version: FireFox 72, Chrome 70
• Elasticvue version: 0.18.0
• How are you running elasticvue? (docker, chrome extension, web app): firefox and chrome extension

Additional context
using another tools like elasticsearch-head extension work properly.

[cars10]

Hey, i'm sorry that you have issues with elasticvue. Can you please answer some follow up questions?

1. Did elasticvue work for you in the past or did you just start to use it?
2. Are you sure that you have correctly configured the http.cors.allow-origin setting in elasticsearch.yml? Maybe you only allow acces to elasticsearch-head

Thanks

[EvgeniyMakhmudov]

Thanks for quick response.

1. I try use it first time
2. i do not set any CORS settings, ES used as docker container from official image, and only do is make ports public. Right now the config is

bash-4.4# cat config/elasticsearch.yml 
http.host: 0.0.0.0

# Uncomment the following lines for a production cluster deployment
#transport.host: 0.0.0.0
#discovery.zen.minimum_master_nodes: 1

It work with simple curl request

curl http://localhost:9200
{
  "name" : "MdOpyc7",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "dW43VmLsTQKXK7jrv7SjxQ",
  "version" : {
    "number" : "5.6.5",
    "build_hash" : "6a37571",
    "build_date" : "2017-12-04T07:50:10.466Z",
    "build_snapshot" : false,
    "lucene_version" : "6.6.1"
  },
  "tagline" : "You Know, for Search"

If any question about this, you are welcome

[cars10]

Thanks. Your problem is that you did not enable cors in your elasticsearch, this is needed to communicate with elasticvue in the browser. To do so you need to add the setting to your elasticsearch.yml as is described on the setup page on your screenshot (the first step, "1. Configure").

If you want to start your elasticsearch cluster via docker then you can also enable cors via environment variables, like so:

docker run -p 9200:9200 \
                  -e "http.cors.enabled=true" \
                  -e "http.cors.allow-origin=/.*/" \
                  -e "discovery.type=single-node" \
                  docker.elastic.co/elasticsearch/elasticsearch:5.6.5

[EvgeniyMakhmudov]

I try as you say to run docker container with cors. But the situation the same. In this case GET request receive response with Basic Auth. I see it elasticsearch-head, curl. elasticvue make analog request and response but it still says that cant connect.

[EvgeniyMakhmudov]

Anyway, i want try use elasticvue to understand is it support work with https protocol with ignore ssl verify (like curl with option -k) . elasticsearch-head cant do https request.
Is it possible with elasticvue?

[cars10]

If you want to skip certificate verification then you have to import your CA certificate into the browser. Elasticvue uses the browsers API's to query your cluster so it depends on the browser to trust the certificate.

You can use elasticvue with an elasticsearch cluster that uses ssl and authorization. An Example:

• Follow the official guidelines for a basic elasticsearch docker setup with certificates
• Add the following lines to the environment section in the docker-compose.yml:

      - http.cors.enabled=true
      - http.cors.allow-origin=/.*/
      - http.cors.allow-headers=X-Requested-With,Content-Type,Content-Length,Authorization

• Follow the steps to create your certificates and start your cluster
• In elasticvue, enter the following as your url: https://elastic:PleaseChangeMe@localhost:9200

If the browser does not trust your CA then you will now get a certificate error in your console. There are three ways to fix that:

1. Import the CA so that your browser trusts it
2. Use an already trusted CA (like letsencrypt)
3. Simply bypass the error temporarily by entering https://elastic:PleaseChangeM@localhost:9200 in your browser and clicking "Proceed to localhost (unsafe)". This way the browser will trust the certificate for your current session and you can also use elasticvue.

[cars10]

@EvgeniyMakhmudov i am closing this issue for now because of inactivity. Feel free to reopoen (or open a new issue) if you still have a problem with elasticvue.

[EvgeniyMakhmudov]

i already typed big message)

[cars10]

Sorry, i thought i had answered all your questions above. Did you try to setup your cluster as i mentioned in #14 (comment) ?

[EvgeniyMakhmudov]

So, i return for this question.
Ok, i try to be shorter. If i configure my local ES docker container with CORS support via config file, then elasticvue working. It is good.
But why elastichead extension work without CORS configuration? I found some answer in GH page of ElasticSearch Head add-on for Firefox.

It also has the advantage of bypassing CORS without configuring CORS on your Elastic server.

Maybe it can be possible to do the same with elasticvue?
To simulate avoid this i use nginx as proxy, and elasticvue working good without CORS configurating.

[cars10]

Thanks for clarifying your question :)

The elasticsearch-head extension for firefox (and chrome) works without configuring CORS because you give them permission to intercept every request you make to any website in your browser.

See these lines in the extension manifest and the explanation by google.
I am not happy with granting my extension permissions to request any remote server and completely bypass CORS because:

• CORS is a great security measure
• I wanted the users of elasticvue to have a unified experience when using it. There are many ways to run elasticvue (multiple browser extensions, docker container, hosted on the website, etc) and it would be weird if one of them can work out of the box (browser extension) and you have to configure CORS for the others.

I will think about adding an exception for local clusters by using permissions like this:

  "permissions": [
    "http://localhost/*",
    "https://localhost/*"
  ],

so you could at least use the extension without configuring CORS if you use a local cluster, but for anything not reachable via localhost you will most likely still have to configure CORS.

Thanks!

[honza-zidek]

I think it is a logical error in how the browsers treat the plugins. The browsers should consider requests originated in the browser as requests from localhost!!! When I request the same page directly from the browser, there is no CORS issue! Why should there be a CORS error when I run the very same request from within a browser plugin?