SSL termination for Elasticsearch cluster

Hi, I'm trying to add a HAProxy service within the docker-compose.yml outlined here: (Install Elasticsearch with Docker | Elasticsearch Guide [8.6] | Elastic). I was wondering if anyone had done the same and could share their setup?

Alternatively, could someone comment on what I'm doing wrong? I get HAProxy working:

solacom-haproxy-1  | [NOTICE]   (1) : haproxy version is 2.7.2-7e295dd
solacom-haproxy-1  | [NOTICE]   (1) : path to executable is /usr/local/sbin/haproxy
solacom-haproxy-1  | [WARNING]  (1) : config : log format ignored for proxy 'stats' since it has no log address.
solacom-haproxy-1  | [WARNING]  (1) : config : log format ignored for frontend 'elasticsearch_frontend' since it has no log address.
solacom-haproxy-1  | [WARNING]  (1) : config : log format ignored for frontend 'kibana_frontend' since it has no log address.
solacom-haproxy-1  | [NOTICE]   (1) : New worker (8) forked
solacom-haproxy-1  | [NOTICE]   (1) : Loading success.

But, when I navigate to https://localhost:9200, I get an error:

docker-compose.yml snippet:

  haproxy:
    restart: unless-stopped
    depends_on:
      es01:
        condition: service_healthy
      es02:
        condition: service_healthy
      es03:
        condition: service_healthy
      kibana:
        condition: service_healthy
    image: haproxy:${HAPROXY_VERSION}
    volumes:
      - certs:/usr/share/haproxy/config/certs
      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
    ports:
      - ${HAPROXY_PORT}:${HAPROXY_PORT}
      - ${KIBANA_PORT}:${KIBANA_PORT}
      - ${ES_PORT}:${ES_PORT}
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "curl -u admin:admin http://localhost:1936",
        ]
      interval: 30s
      timeout: 10s
      retries: 5

haproxy.cfg

global
  maxconn 4096
  # log /var/lib/haproxy/dev/log local0
  user haproxy
  group haproxy

defaults
  log     global
  mode    http
  option  httplog 
  retries 3
  option dontlognull
  maxconn 2000
  timeout connect 10s
  timeout client 30s
  timeout server 30s

listen stats
  bind *:1936
  mode http
  stats auth admin:admin  
  stats enable
  stats hide-version
  stats realm Haproxy\ Statistics
  stats uri /

frontend elasticsearch_frontend
  description "elasticsearch"
  bind *:443 ssl crt /usr/share/haproxy/config/certs/es01/es01.pem
  http-request redirect scheme https unless { ssl_fc }
  default_backend elasticsearch_backend

frontend kibana_frontend
  description "kibana"
  mode http
  bind 0.0.0.0:5601
  default_backend kibana_backend

backend elasticsearch_backend
  balance roundrobin
  server es01 es01:9200 check fall 3 rise 2 

backend kibana_backend
  option httpchk GET /
  balance roundrobin
  server kibana kibana:5601 check fall 3 rise 2

Why are you trying to access https://localhost:9200 ?

Your HAProxy configuration has a frontend for elasticsearch binding on the port 443, this frontend has one elasticsearch server on the backend.

Your HAProxy is not listening on port 9200 and if you are terminating the SSL on HAProxy, your elasticsearch server is listening on HTTP, not HTTPS.

Can you try to access https://localhost ?
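The check described in the reply above, as an added example that is not part of the original thread: it reads the `bind` and `server` lines of the posted haproxy.cfg and compares them with the ports the container publishes. The published port numbers are assumptions, since the thread only shows `${HAPROXY_PORT}`, `${KIBANA_PORT}` and `${ES_PORT}`; the function names are hypothetical.

```python
# Constructed sample: the section, bind and server lines of the haproxy.cfg above.
SAMPLE_CFG = """\
listen stats
  bind *:1936
frontend elasticsearch_frontend
  bind *:443 ssl crt /usr/share/haproxy/config/certs/es01/es01.pem
frontend kibana_frontend
  bind 0.0.0.0:5601
backend elasticsearch_backend
  server es01 es01:9200 check fall 3 rise 2
backend kibana_backend
  server kibana kibana:5601 check fall 3 rise 2
"""

# Assumption: values behind ${HAPROXY_PORT}, ${KIBANA_PORT}, ${ES_PORT}; the
# thread never shows the .env file, so these three numbers are guesses.
PUBLISHED = [1936, 5601, 9200]

SECTIONS = {"global", "defaults", "listen", "frontend", "backend"}


def parse(cfg):
    """Return listeners {port: (section, scheme)} and hops {server: (addr, transport)}."""
    binds, servers, section = {}, {}, None
    for raw in cfg.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tok:
            continue
        if tok[0] in SECTIONS:
            section = tok[1] if len(tok) > 1 else tok[0]
        elif tok[0] == "bind" and len(tok) > 1:
            port = tok[1].rsplit(":", 1)[-1]
            if port.isdigit():  # ignore unix sockets and port ranges
                binds[int(port)] = (section, "https" if "ssl" in tok[2:] else "http")
        elif tok[0] == "server" and len(tok) > 2:
            servers[tok[1]] = (tok[2], "tls" if "ssl" in tok[3:] else "plaintext")
    return binds, servers


def audit(cfg, published):
    """Compare what HAProxy listens on with what the container publishes."""
    binds, servers = parse(cfg)
    return {
        "published_but_not_bound": sorted(set(published) - set(binds)),
        "bound_but_not_published": sorted(set(binds) - set(published)),
        "listeners": binds,
        "backend_hops": servers,
    }
```

A `plaintext` backend hop only works if Elasticsearch itself serves HTTP on 9200; if it serves HTTPS, the `server` line needs the `ssl` keyword together with certificate verification options.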

Hello @leandrojmp ,

Thanks for pointing out that mistake. When I navigate to https://localhost, I get the same issue:

Mike
