While we do recommend HTTPS across the board, it is fine to run a cluster with mixed HTTPS and HTTP as long as you can manage and/or automate it on your side. Security for the HTTP layer by definition node specific, e.g. you can have different realms and users defined for different node. Similarly, you can have HTTP or HTTPS for different node.
Using a mix of http and https makes it difficult to use a sniffing client because you need the sniffer to know which protocol to use for each node. That's possible to determine, but it's not provided out of the box by any of the Elastic clients.
Actually I decided to put HTTPS on every nodes, and set "verification" to false when client connects. We were afraid of performance issue (as we use logstash a lot and APM).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.