Simple howto stunnel for elasticsearch cluster

Ok so I think I figured it out and it seems to be working ok. Please feel free
to publish this or improve upon it etc... Note: client certs have not been
tested yet.

Software versions used (though I don't think it matters really)
Ubuntu 14.04
JDK 1.8_20
elasticsearch 1.3.2
stunnel4

This config is for a 2 node setup.


NODE 1


Required config changes to elasticsearch.yml

First bind elasticsearch to localhost (this makes es invisible to the outside world)
network.bind_host: 127.0.0.1
transport.tcp.port: 9300

Since we are going to hide this node from the outside, we have to tell the rest of the nodes how he looks on the outside
network.publish_host: <NODE 1 IP HERE>
transport.publish_port: 9700

http.port: 9200

Disable multicast

discovery.zen.ping.multicast.enabled: false

Since we are hiding all the nodes behind stunnel we also need to proxy es client requests through SSL.

For each additional node add 127.0.0.1:970x where x is incremented by 1, i.e: 9702, 9703 etc...

Connect to NODE 2

discovery.zen.ping.unicast.hosts: 127.0.0.1:9701

stunnel.conf on NODE 1

;Proxy ssl for tcp transport.
[es-transport]
accept = <NODE 1 IP HERE>:9300
connect = 127.0.0.1:9300
cert = stunnel.pem

;Proxy ssl for http
[es-http]
accept = <NODE 1 IP HERE>:9200
connect = 127.0.0.1:9200
cert = stunnel.pem

;ES clustering does some local discovery.
;Since stunnel binds its own ports, we pick an arbitrary port that is not
;used by other "systems/protocols"
; See the publish settings of elasticsearch.yml above.
[es-transport-local]
client = yes
accept = <NODE 1 IP HERE>:9700
connect = <NODE 1 IP HERE>:9300

; The ssl client tunnel for es to connect ssl to node 2.
[es-transport-node2]
client = yes
accept = 127.0.0.1:9701
connect = <NODE 2 IP HERE>:9301

;For each additional node increment x by 1, I.e: 9702, 9703 etc...
[es-transport-nodex]
client = yes
accept = 127.0.0.1:970x
connect = <NODE x IP HERE>:930x


NODE 2


Required config changes to elasticsearch.yml

First bind elasticsearch to localhost (this makes es invisible to the outside world)
network.bind_host: 127.0.0.1
transport.tcp.port: 9301

Since we are going to hide this node from the outside, we have to tell the rest of the nodes how he looks on the outside
network.publish_host: <NODE 2 IP HERE>
transport.publish_port: 9701

http.port: 9200

Disable multicast

discovery.zen.ping.multicast.enabled: false

Since we are hiding all the nodes behind stunnel we also need to proxy es client requests through SSL.

For each additional node add 127.0.0.1:970x where x is incremented by 1, i.e: 9702, 9703 etc...

Connect to NODE 1

discovery.zen.ping.unicast.hosts: 127.0.0.1:9700

stunnel.conf on NODE 2

;Proxy ssl for tcp transport.
[es-transport]
accept = <NODE 2 IP HERE>:9301
connect = 127.0.0.1:9301
cert = stunnel.pem

;Proxy ssl for http
[es-http]
accept = <NODE 2 IP HERE>:9200
connect = 127.0.0.1:9200
cert = stunnel.pem

;ES clustering does some local discovery.
;Since stunnel binds its own ports, we pick an arbitrary port that is not
;used by other "systems/protocols"
; See the publish settings of elasticsearch.yml above.
[es-transport-local]
client = yes
accept = <NODE 2 IP HERE>:9701
connect = <NODE 2 IP HERE>:9301

; The ssl client tunnel for es to connect ssl to node 1.
[es-transport-node1]
client = yes
accept = 127.0.0.1:9700
connect = <NODE 1 IP HERE>:9300

;For each additional node increment x by 1, I.e: 9702, 9703 etc...
[es-transport-nodex]
client = yes
accept = 127.0.0.1:970x
connect = <NODE x IP HERE>:930x

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/f7e8f653-3f09-4a12-92c5-d5e0a54e7f1d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
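To make the per-node scheme above reproducible beyond two nodes, here is an added generator (not code from the original post) that emits each node's elasticsearch.yml and stunnel.conf fragments following the post's 930x/970x port rule. It assumes the file names stunnel.pem and ca.pem, and can add stunnel's verify = 2 / CAfile peer-certificate checks, which the post leaves out.

```python
"""Per-node config generator for the localhost-bind + stunnel scheme above.
Added example, not from the original post. Port rule taken from the post:
node i (1-based) uses transport 9300+(i-1), tunnel 9700+(i-1). The file
names stunnel.pem / ca.pem are assumptions."""
from typing import Dict, List

TRANSPORT_BASE, TUNNEL_BASE, HTTP_PORT = 9300, 9700, 9200


def node_ports(index: int) -> Dict[str, int]:
    """1-based node index -> its transport port and stunnel-fronted port."""
    if index < 1:
        raise ValueError("node index is 1-based")
    return {"transport": TRANSPORT_BASE + index - 1, "tunnel": TUNNEL_BASE + index - 1}


def elasticsearch_yml(index: int, node_ips: List[str]) -> str:
    """Bind to localhost, publish the tunnel port, discover peers via local tunnels."""
    p = node_ports(index)
    peers = [f"127.0.0.1:{node_ports(i)['tunnel']}"
             for i in range(1, len(node_ips) + 1) if i != index]
    return "\n".join([
        "network.bind_host: 127.0.0.1",
        f"transport.tcp.port: {p['transport']}",
        f"network.publish_host: {node_ips[index - 1]}",
        f"transport.publish_port: {p['tunnel']}",
        f"http.port: {HTTP_PORT}",
        "discovery.zen.ping.multicast.enabled: false",
        f"discovery.zen.ping.unicast.hosts: {','.join(peers)}",
    ]) + "\n"


def stunnel_conf(index: int, node_ips: List[str], verify: bool = True) -> str:
    """stunnel.conf for node `index`. verify=True adds 'verify = 2' + CAfile
    (mutual cert checks against ca.pem), which the original post does not use."""
    ip, p = node_ips[index - 1], node_ports(index)
    chk = ["verify = 2", "CAfile = ca.pem"] if verify else []
    srv = ["cert = stunnel.pem"] + chk                  # accept-side sections
    cli = ["client = yes", "cert = stunnel.pem"] + chk  # outbound tunnels

    def sec(name, acc, con, tail):
        return [f"[{name}]", f"accept = {acc}", f"connect = {con}"] + tail
    secs = [sec("es-transport", f"{ip}:{p['transport']}", f"127.0.0.1:{p['transport']}", srv),
            sec("es-http", f"{ip}:{HTTP_PORT}", f"127.0.0.1:{HTTP_PORT}", srv),
            sec("es-transport-local", f"{ip}:{p['tunnel']}", f"{ip}:{p['transport']}", cli)]
    for i, peer_ip in enumerate(node_ips, start=1):  # one client tunnel per peer
        if i != index:
            q = node_ports(i)
            secs.append(sec(f"es-transport-node{i}", f"127.0.0.1:{q['tunnel']}",
                            f"{peer_ip}:{q['transport']}", cli))
    return "\n\n".join("\n".join(s) for s in secs) + "\n"
```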

And yay native API clients are nodes also, which allows them to become
proxies. So then you need to stunnel protect them also. Rinse and repeat lol

So...

1- For port 9300 bind to localhost
2- Put stunnel in front of port 9300 and configure all nodes the same way to
have cluster node comms in SSL.
3- Restrict any access to 9300. (clients can become proxy nodes, so if they
are somewhere external to the ES cluster, then you could connect to them
unauthenticated/non ssl)
4- a) For port 9200 bind to localhost and put Nginx as reverse proxy (This
is straight passthrough)
b) Or use a 3rd party plugin like the jetty plugin (you have to rely on the
plugin doing the right thing and having no bugs, plus plugins are not
necessarily up to speed with the latest ES releases)

It's a bit cumbersome but this secures ES to the max. Also this forces the
use of the HTTP client, with which you lose some of the niceties you get with the
native client. (Read more here: GitHub - searchbox-io/Jest: Elasticsearch Java Rest Client.)

On Friday, 22 August 2014 13:47:12 UTC-4, John Smith wrote:

Ok so I think I figured it out and it seems to be working ok. Please feel
free to publish this or improve upon it etc... Note: client certs have not
been tested yet.

there is no way this can work. stunnel never points to an external address - you should delete this posting.

I actually had it working... it takes a bit of time to wrap your brain around it but it works... but now the latest version of es has built in ssl with shield