We have configured an F5 LB in front of an Elasticsearch node cluster with re-encryption of SSL traffic to the nodes. The nodes have SSL enabled on HTTP. Direct communication with the nodes, i.e. API (curl) or sending data over HTTPS on port 9200, works; however, communication from the F5 LB gives `SSL_ERROR_SYSCALL, errno 104`.
The reason for implementing the F5 LB in front of the Elasticsearch nodes is to manage configuration over an HA single endpoint and to monitor the Elastic cluster externally over an HA single endpoint. (HA Elastic cluster with more than 6 nodes spread over two availability zones in two data centers.)
We can't find any documentation on whether this configuration is supported by Elastic, since all related questions have "it depends" as the answer, i.e. "F5 load balancer attributes/configuration with Elasticsearch cluster".
The only place where load balancers are mentioned is Elastic Cloud, which lists that HTTP mode should be used as "unencrypted" communication between the LB and the nodes.
Load balancers | Elastic Cloud Enterprise Reference [3.6] | Elastic
- HTTP: Use HTTP mode for ports 9200/9243 (HTTP traffic to clusters) and also for ports 12400/12443 (adminconsole traffic). Make sure that all load balancers or proxies sending HTTP traffic to deployments hosted on Elastic Cloud Enterprise are sending HTTP/1.1 traffic.
I would really appreciate it if someone could share a functional solution, if re-encryption of traffic between the LB backend and the nodes can work, as Elastic is encouraging the use of the nodes as their ingest data endpoints for better load balancing designed by Elastic, but when it comes to configuration management and monitoring from outside, we can't just loop over a list of hosts.