Secure your search server

Atlassian strongly recommends you secure access to your remote search server instance with a username and password, and a minimum of basic HTTP authentication. Bitbucket also supports Amazon’s request signing.

Secure Amazon OpenSearch Service with Amazon's request signing

AWS request signing allows you to use Amazon OpenSearch Service with Bitbucket. This will allow you to secure your Amazon OpenSearch Service cluster to only allow requests from the IAM user that the node Bitbucket is running on inside of AWS EC2 has. To use Amazon OpenSearch Service you must set the AWS region in the bitbucket.properties file to enable request signing.

<Bitbucket home directory>/shared/bitbucket.properties
plugin.search.config.aws.region= 

Secure OpenSearch with OpenSearch's security plugin

For instructions on how to configure the OpenSearch security plugin, see the page Install and configure a remote OpenSearch server - Step 3: Secure OpenSearch. The OpenSearch security plugin needs to be installed on every node in the cluster.

Secure Elasticsearch with Atlassian's Buckler plugin

For instructions on how to configure Buckler, see the page Install and configure a remote Elasticsearch server - Step 3: Secure Elasticsearch. Buckler needs to be installed on every node in the cluster.

Secure Elasticsearch with Elastic's Shield plugin

Bitbucket also supports authentication to Elasticsearch through other plugins that provide basic authentication, like Elastic's Shield plugin. This plugin isn't directly supported by Atlassian, but Bitbucket can still connect to Elasticsearch secured by the Shield plugin if basic authentication is configured.

Secure Elasticsearch with Elastic's IP filtering

You can also secure the connection between Elasticsearch and Bitbucket by configuring IP filtering

Last modified on May 31, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.