Elasticsearch security options - separate certs for node & client traffic


I'm looking to set up a cluster where the ES nodes communicate with each other over TLS using self-signed node certs to authenticate, but the ES endpoint (:9200) is HTTP (as we'll then be terminating TLS ourselves with a reverse proxy).

I'd then like, e.g. Kibana, Logstash etc., to authenticate with basic auth (via the rev proxy and thus encrypted), but not require a self-signed node cert.

Is this configuration possible with xpack security in 7.3?

Is/was this related: https://www.elastic.co/guide/en/elasticsearch/reference/7.3/separating-node-client-traffic.html ?

(use case is that I want to have a central ES cluster in an environment where cert distribution will be challenging)

Yes, this is possible; transport and HTTP related SSL configuration is separate, see Configure TLS | Elasticsearch Guide [7.15] | Elastic

Yes, this is also possible. Just don't configure SSL for the HTTP layer in Elasticsearch.

Nope, this was about having different configuration for TLS on the transport layer depending on whether it's node-to-node communication or client-to-node (but still on the transport layer) communication.
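The split described in the answer above, as an added `elasticsearch.yml` sketch that is not part of the original thread: TLS with certificate authentication on the transport layer (9300), plain HTTP on 9200 for a TLS-terminating reverse proxy. The keystore path and the loopback bind address are assumptions (a PKCS#12 file such as `elasticsearch-certutil` produces, and a proxy running on the same host as the node).

```yaml
# elasticsearch.yml (7.x) - added example; paths and addresses are assumptions

# Enable security so that basic auth (native/file realm users) is enforced
xpack.security.enabled: true

# --- Transport layer (node-to-node, port 9300): TLS with node certificates ---
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer cert is signed by the trusted CA without
# checking the hostname; use "full" if node certs carry correct SANs
xpack.security.transport.ssl.verification_mode: certificate
# Placeholder path, relative to the Elasticsearch config directory
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# --- HTTP layer (REST, port 9200): no TLS in Elasticsearch itself ---
# TLS for clients (Kibana, Logstash, ...) is terminated at the reverse proxy,
# so clients only need to trust the proxy's certificate, not the node CA
xpack.security.http.ssl.enabled: false

# Basic auth credentials cross this hop in clear text, so keep the plaintext
# listener off routable interfaces. Assumption: the proxy runs on the same host.
# If it runs elsewhere, bind to a private interface and firewall 9200 so that
# only the proxy can reach it.
http.host: 127.0.0.1
http.port: 9200

# Transport still has to be reachable by the other nodes
transport.host: _site_
```

The keystore passwords, if set, go into the Elasticsearch keystore (`xpack.security.transport.ssl.keystore.secure_password` and `xpack.security.transport.ssl.truststore.secure_password`) rather than into this file.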
