Elasticsearch security options - separate certs for node & client traffic

robertgates55 · September 23, 2019, 11:25am

Hi,

I'm looking to set up a cluster where the ES nodes communicate with each other over TLS using self-signed node certs to authenticate; but the ES endpoint (:9200) is http (as we'll then be terminating TLS ourselves with a reverse proxy)

I'd then like, eg kibana, logstash etc, to authenticate with basic auth (via the rev proxy & thus encrypted), but not require a self-signed node cert.

Is this configuration possible with xpack security in 7.3?

Is/was this related: https://www.elastic.co/guide/en/elasticsearch/reference/7.3/separating-node-client-traffic.html ?

(use case is that I want to have a central ES cluster in an environment where cert distribution will be challenging)

ikakavas · September 24, 2019, 8:20am

Yes this is possible, transport and http related SSL configuration is separate , see Configure TLS | Elasticsearch Guide [8.11] | Elastic

Yes this is also possible. Just don't configure SSL for the HTTP layer in Elasticsearch.

Nope, this was about having different configuration for TLS on the transport layer depending on whether it's node to node communication or client to node ( but still on the transport layer ) communication.

system · October 22, 2019, 8:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to create node certificate for Elasticsearch Elasticsearch elastic-stack-security	5	929	April 22, 2019
Enabling TLS communication betweeb Kibana & Elasticsearch Elasticsearch elastic-stack-security	2	268	October 8, 2021
Configuration of HTTPS / SSL on 6.8.5 without clustering Elasticsearch	2	777	March 10, 2020
Let's encrypt Elasticsearch elastic-stack-security	2	60	August 13, 2024
Explanation for potential security issue? Elasticsearch	3	236	April 25, 2023

Elasticsearch security options - separate certs for node & client traffic

Related Topics