Using ELK 7.13.0 - Plat. licence - xpack security - on k8s - elastic Helm charts.
We run a 2 clients nodes / X data nodes / 3 master nodes cluster, with security (transport TLS) without https. Everything is OK.
Since I want to use API keys and alerting, I have added a new client node with HTTPS enabled, Kibana is connected to. Eveything is OK.
Is it a good practice to mix in the same cluster HTTPS and HTTP like this? Or should I apply the same configuration for all nodes?
While we do recommend HTTPS across the board, it is fine to run a cluster with mixed HTTPS and HTTP as long as you can manage and/or automate it on your side. Security for the HTTP layer by definition node specific, e.g. you can have different realms and users defined for different node. Similarly, you can have HTTP or HTTPS for different node.
Using a mix of http and https makes it difficult to use a sniffing client because you need the sniffer to know which protocol to use for each node. That's possible to determine, but it's not provided out of the box by any of the Elastic clients.
Actually I decided to put HTTPS on every nodes, and set "verification" to false when client connects. We were afraid of performance issue (as we use logstash a lot and APM).
Yeah I saw that! That's why I added a new client node with HTTPS and let the another on pure HTTP.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.