Elasticsearch security options - separate certs for node & client traffic

robertgates55 · September 23, 2019, 11:25am

Hi,

I'm looking to set up a cluster where the ES nodes communicate with each other over TLS using self-signed node certs to authenticate; but the ES endpoint (:9200) is http (as we'll then be terminating TLS ourselves with a reverse proxy)

I'd then like, eg kibana, logstash etc, to authenticate with basic auth (via the rev proxy & thus encrypted), but not require a self-signed node cert.

Is this configuration possible with xpack security in 7.3?

Is/was this related: https://www.elastic.co/guide/en/elasticsearch/reference/7.3/separating-node-client-traffic.html ?

(use case is that I want to have a central ES cluster in an environment where cert distribution will be challenging)

ikakavas · September 24, 2019, 8:20am

Yes this is possible, transport and http related SSL configuration is separate , see Configure TLS | Elasticsearch Guide [8.11] | Elastic

Yes this is also possible. Just don't configure SSL for the HTTP layer in Elasticsearch.

Nope, this was about having different configuration for TLS on the transport layer depending on whether it's node to node communication or client to node ( but still on the transport layer ) communication.

Topic		Replies	Views
How to create node certificate for Elasticsearch Elasticsearch elastic-stack-security	5	1133	April 22, 2019
Enabling TLS communication betweeb Kibana & Elasticsearch Elasticsearch elastic-stack-security	2	302	October 8, 2021
Does X-Pack Security authenticates clients via client certificates Elasticsearch	3	1338	October 5, 2017
Is it possible to setup kibana and multiple elastic nodes in a secure network without TLS, and use token authentication? Elasticsearch elastic-stack-security , docker	5	433	July 13, 2023
Explanation for potential security issue? Elasticsearch	3	276	April 25, 2023

Elasticsearch security options - separate certs for node & client traffic

Related topics