HIPAA Compliant Elasticsearch


(James Wu) #1

Will using nginx as a reverse proxy be enough to ensure that node to node communication is encrypted?

If so, then why would https://github.com/elasticsearch/elasticsearch/pull/2105 as mentioned by Paul Brown and https://github.com/sonian/elasticsearch-jetty be necessary?

If not, then what is the point of https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/auth-reference.html

Thanks for any information that you can help out with.

Continuing the discussion from HIPAA compliant ElasticSearch application:


(Magnus Bäck) #2

Will using nginx as a reverse proxy be enough to ensure that node to node communication is encrypted?

No. Node to node communication doesn't go over HTTP(S) but over a custom protocol.

If not, then what is the point of https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/auth-reference.html

Not sure what you mean. That's the JavaScript client library and its abilities to use HTTPS and authentication, which is useful regardless of whether you run nginx or not and has nothing to do with node to node communication.


(James Wu) #3

Thanks for replying.

Does this mean that even though the javascript client library has the ability to use HTTPS, elasticsearch does not support client-server HTTPS unless you use shield or nginx or https://github.com/sonian/elasticsearch-jetty? That is my current understanding of what is happening.

As for node to node encryption, is https://github.com/sonian/elasticsearch-jetty a solution? What are other options? I see vague references to stunnel and ipsec, but nothing concrete and definitive. There surely was a solution before shield was released. Are there any good explanations of the custom protocol used for node to node communication? All I can see is that it binds to a port in the range of 9300 to 9400.


(Jörg Prante) #4

elasticsearch-jetty does not provide security.

Node-to-node TLS is availabe in Shield, e.g. https://www.elastic.co/guide/en/shield/current/separating-node-client-traffic.html

Note, even with Shield, you must maintain host keys and/or truststore/keystore on each node for TLS, which is not secure if the node is not running in a secure environment controlled by yourself like a physical machine in your private network in your data center.


(James Wu) #5

Thanks, are there any vulnerabilities to running using nginx as a reverse proxy for client-server communication for a single node elasticsearch setup?


(system) #6