SSL enabling the elasticsearch node library?

(Sean Pines) #1

Hi all,

New user to ElasticSearch and it's been absolutely amazing in a dev
environment so far. However one strong requirement that we have is to
ensure the cluster is secured s.t. it can only be accessed via client
certificates (SSL/TLS).

Our setup is essentially four machines, three of which are running Elastic
Search and the fourth is running an SSL enabled proxy (so I can close off
HTTP/TCP to the outside world on the ES nodes). This setup works
wonderfully; marvel works with no modifications and sense only requires
that I specify the full URL (GET
and I can send curl commands all day.

However, when using the ElasticsearchJS library (located
at, I cannot find a
clean way to connect to the SSL proxy.

Editing http.js as follows will do the trick:

HttpConnector.prototype.makeReqParams = function (params) {
var reqParams = {
method: params.method || 'GET',
protocol: host.protocol + ':',
auth: host.auth,
port: host.port,
path: (host.path || '') + (params.path || ''),
headers: host.getHeaders(params.headers),
agent: this.agent

// Inject https/ssl options into the agent (clean way to do this?)
if (host.pfx){
reqParams.agent.options.pfx = host.pfx;
reqParams.agent.options.rejectUnauthorized = host.rejectUnauthorized;

Which I'd then seed with the following:
var client = new elasticsearch.Client({
host: {
protocol: 'https',
host: '',
port: '1111',
pfx: fs.readFileSync('certs/dummyCert.p12'),
rejectUnauthorized: false

I would highly prefer to not have to edit the core library code though. Is
there a way to specify your agent / agent options from the Client
constructor (or a better way of going about this in general)?
makeAgentConfig seems to only let you customize your min/max sockets.


You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit
For more options, visit

(system) #2