I'm looking to set up a cluster where the ES nodes communicate with each other over TLS using self-signed node certs to authenticate; but the ES endpoint (:9200) is HTTP (as we'll then be terminating TLS ourselves with a reverse proxy).
I'd then like, e.g., Kibana, Logstash, etc. to authenticate with basic auth (via the rev proxy and thus encrypted), but not require a self-signed node cert.
Is this configuration possible with xpack security in 7.3?
Yes this is also possible. Just don't configure SSL for the HTTP layer in Elasticsearch.
Nope, this was about having different configuration for TLS on the transport layer depending on whether it's node-to-node communication or client-to-node (but still on the transport layer) communication.
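The setup described in the answer above (TLS on the transport layer, none on the HTTP layer), written out as an added configuration sketch that is not from the original thread. The keystore path, the loopback bind (which assumes the reverse proxy runs on the same host as the node), and the Kibana account values are placeholders and assumptions.

```yaml
# ---- elasticsearch.yml (each node) ----
xpack.security.enabled: true

# Node-to-node (transport, :9300): TLS with mutual certificate authentication.
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer cert chains to the trusted CA but skips
# hostname verification; use "full" if node certs carry matching SANs.
xpack.security.transport.ssl.verification_mode: certificate
# Placeholder path: a PKCS#12 file holding the node key/cert and the CA cert.
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# Client-to-node (HTTP, :9200): no TLS in Elasticsearch; the reverse proxy
# terminates it. Clients authenticate with basic auth, not certificates.
xpack.security.http.ssl.enabled: false

# Assumption: the proxy runs on this host. Binding HTTP to loopback keeps the
# plaintext port, and the basic-auth credentials sent over it, off the network.
http.host: 127.0.0.1

---
# ---- kibana.yml ----
# Placeholder URL: Kibana reaches Elasticsearch through the TLS-terminating proxy.
elasticsearch.hosts: ["https://es-proxy.example.internal:443"]
elasticsearch.username: "kibana"
# Placeholder value; prefer the Kibana keystore over a plaintext password here.
elasticsearch.password: "<password>"
```

If the proxy runs on a different host, the hop between proxy and port 9200 is unencrypted, so restrict it to a trusted network segment or firewall it to the proxy's address.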