
What is OpenSearch and why do I want to install it?
OpenSearch is a distributed search and analysis engine based on Apache Lucene.
It is used as a tool to assist in searches, analysis and monitoring.
Some systems such as Magento, WordPress, etc. can use this to speed up and make search more relevant.
ElasticSearch or OpenSearch?
The choice is yours. OpenSearch is a fork of ElasticSearch 7.10.2, the last version before ElasticSearch changed its license.
Where can I find more documentation on OpenSearch?
Please note
This guide describes how you can set up OpenSearch with a reverse proxy in front that handles automatic certificates and password login.
However, it does not address how to set up a cluster for OpenSearch, which is recommended if you are going to run it in production.
It also doesn’t address how to set up firewall / security groups in Oderland Cloud if you need to lock down access to specific IP addresses, e.g. if you want to restrict access to another Cloud server or to our other services such as Managed Server, Agency or Web Hosting.
Execution
We create a server in Oderland Cloud with Docker Engine and point a hostname (e.g. domain or subdomain) to the new IP address of the server.
We then SSH into the server and create a Docker network that we name caddy. It is used for the containers that should get automatic TLS (https://).
We create a folder structure as well as a docker-compose.yml file that defines which services to run and how to configure them, specifying the same hostname we pointed to the server.
We create a password using Caddy hash-password to use for basic auth in the docker-compose.yml file.
Then we start up our new docker compose stack and test that we get certificates and a response from OpenSearch.
Preparations
First create a server in Oderland Cloud with Docker, check out one of the guides below if you need help.
https://www.oderland.se/support/artikel/sa-installerar-du-docker-engine-i-oderland-cloud/
Point hostname (domain or subdomain)
Point an appropriate hostname to the server’s IPv4 address. This step is required for us to get a TLS certificate from Let’s Encrypt automatically.
Expanding virtual memory and joining the docker group
SSH into the server.
We will run all commands as the debian user, but need to use sudo occasionally.
Start by joining the docker group and activating it for your session.
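We also need to raise vm.max_map_count, as OpenSearch can otherwise cause some out of memory exceptions.
# Add the current user to the docker group
sudo usermod -aG docker $USER
# Start a new shell in which the docker group membership is active
newgrp docker
# Persist the higher mmap limit that OpenSearch needs
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.d/opensearch.conf
# Load the new file (a bare "sysctl -p" only reads /etc/sysctl.conf)
sudo sysctl -p /etc/sysctl.d/opensearch.conf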
Creating a Docker network
Create a Docker network for the containers we want to proxy via Caddy, which automatically manages certificates from Let’s Encrypt/ZeroSSL so that we get secure connectivity.
docker network create caddy
Create a hashed password for Basic Auth to Caddy
We use the hash-password command from Caddy to hash a password. Do not copy the text below as it is, but replace the text PASSWORD with a good password that you will need to use in your application to connect to OpenSearch.
We replace $ with $$ with sed so that the hash will work in docker-compose.yml, otherwise it will be interpreted as variables.
docker run --rm lucaslorentz/caddy-docker-proxy:ci-alpine hash-password --plaintext PASSWORD | sed 's/\$/\$\$/g'
Set up the docker-compose.yml file
Now we create the folder for the docker-compose.yml file and add the text below.
Replace HASHED_PASSWORD with the password hash you got above.
mkdir -p ~/compose/opensearch
# The quoted 'EOF' keeps the shell from expanding the $$ in the password hash
cat > ~/compose/opensearch/docker-compose.yml <<'EOF'
version: "3.7"
services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    networks:
      - caddy
    volumes:
      # caddy-docker-proxy reads the container labels through the Docker socket
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy_data:/data
    restart: unless-stopped
  # No "ports:" here, so OpenSearch is reachable only through Caddy
  opensearch:
    image: opensearchproject/opensearch:2.11.1
    volumes:
      - osdata01:/usr/share/opensearch/data
    environment:
      - "cluster.name=opensearch-cluster"
      - "node.name=os-node01"
      - "discovery.type=single-node"
      - "bootstrap.memory_lock=true"
      # The OpenSearch security plugin is off; the Caddy basic auth below is the login
      - "plugins.security.disabled=true"
      - "OPENSEARCH_JAVA_OPTS=-Xms2G -Xmx2G"
    labels:
      caddy: HOSTNAME
      caddy.reverse_proxy: "{{upstreams 9200}}"
      caddy.basicauth: /*
      caddy.basicauth.admin: HASHED_PASSWORD
    networks:
      - caddy
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    restart: unless-stopped
volumes:
  osdata01:
    driver: local
  caddy_data:
    driver: local
networks:
  caddy:
    external: true
EOF
We also set the maximum memory usage for the Java engine to 2GB above. You may need to increase this as well as the server’s memory if you have large indexes.
Enter your host name
If you have specified a hostname that you want to use for the server or for OpenSearch, you can now edit the code snippet above and change HOSTNAME to your chosen hostname. You can also do it afterwards with the sed command shown below.
For demo purposes, we created os.oderland.cloud so that we can then go to https://os.oderland.cloud to reach OpenSearch. The example looks like this with the sed command.
sed -i 's/HOSTNAME/os.oderland.cloud/g' ~/compose/opensearch/docker-compose.yml
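Before starting the stack, it is worth checking the file for the mistakes this guide warns about. The following pre-flight check is an added example, not part of the original guide; the function name lint_compose is hypothetical, and it assumes the hash is written unquoted on the caddy.basicauth.<user> line as in the file above.

```shell
# lint_compose FILE
# Prints one line per finding and returns 1 if there is any finding.
lint_compose() {
    f=$1 rc=0

    # The placeholders from the guide must have been replaced.
    for p in HOSTNAME HASHED_PASSWORD; do
        if grep -qw "$p" "$f"; then
            echo "placeholder $p has not been replaced"; rc=1
        fi
    done

    # Take the value of the caddy.basicauth.<user> label (the password hash).
    hash=$(sed -n 's/^[[:space:]]*caddy\.basicauth\.[^:]*:[[:space:]]*//p' "$f")
    if [ -z "$hash" ]; then
        echo "no caddy.basicauth.<user> label: the proxy would not ask for a login"; rc=1
    fi

    # Every $ in the hash must be doubled. Remove the $$ pairs; any $ that
    # is left would be read by Compose as the start of a variable.
    case $(printf '%s' "$hash" | sed 's/\$\$//g') in
        *'$'*) echo "hash contains a single \$ (expected \$\$)"; rc=1 ;;
    esac

    # The security plugin is disabled, so publishing 9200 on the host would
    # let clients reach OpenSearch without going through the Caddy login.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:9200' "$f"; then
        echo "port 9200 is published on the host"; rc=1
    fi

    return $rc
}

# Usage: lint_compose ~/compose/opensearch/docker-compose.yml
```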
Starting up OpenSearch and Caddy
Then launch our new docker compose stack.
cd ~/compose/opensearch
docker compose up -d
All images/layers are then downloaded and the services start up.
You can follow the log via:
docker compose logs -f
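The overview says to test that we get certificates and a response from OpenSearch. One way to do that from another machine is sketched here as an added example, not part of the original guide: it checks that the certificate validates, that Caddy rejects missing or wrong credentials, and that port 9200 is not reachable directly. The function names are hypothetical; it assumes curl is installed and that the password contains no double quote or backslash.

```shell
# Print the HTTP status for URL, or 000 if the connection or the TLS
# certificate check failed (curl verifies certificates by default).
# Arguments after the URL are passed on to curl.
http_code() {
    url=$1; shift
    curl --silent --output /dev/null --max-time 10 \
         --write-out '%{http_code}' "$@" "$url" || true
}

# check LABEL WANT GOT: report one check, return 1 on a mismatch.
check() {
    if [ "${3:-000}" = "$2" ]; then
        echo "ok   $1 ($2)"
    else
        echo "FAIL $1: want $2, got ${3:-000}"; return 1
    fi
}

# verify_proxy_auth HOST USER PASSWORD
verify_proxy_auth() {
    host=$1 user=$2 pass=$3 rc=0

    check "request without credentials is rejected" 401 \
        "$(http_code "https://$host/")" || rc=1

    # Credentials are sent through --config on stdin so that they do not
    # show up in the process list.
    check "wrong password is rejected" 401 \
        "$(printf 'user = "%s:%s"\n' "$user" "not-$pass" |
            http_code "https://$host/" --config -)" || rc=1

    check "valid login reaches OpenSearch" 200 \
        "$(printf 'user = "%s:%s"\n' "$user" "$pass" |
            http_code "https://$host/" --config -)" || rc=1

    # OpenSearch runs with its security plugin disabled, so 9200 must not
    # answer from outside; only Caddy on 443 should.
    check "port 9200 is not reachable directly" 000 \
        "$(http_code "http://$host:9200/")" || rc=1

    return $rc
}

# Usage: verify_proxy_auth os.oderland.cloud admin 'PASSWORD'
```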
Frequently asked questions
Change host name
If you edit the docker-compose.yml file afterwards and change to another hostname, you need to restart the stack and force new configs via:
docker compose up --force-recreate -d
How to control the Caddy Proxy
Read more about the Caddy proxy and how you can control it, e.g. via paths, or how to add more domains to the same service.