Why is the default value of `xpack.security.http.ssl.enabled` in ElasticSearch's Docker Image set to `true`?

linghengqian · September 5, 2024, 9:48am

Security settings in Elasticsearch | Elasticsearch Guide [8.15] | Elastic mentions that the default value of xpack.security.http.ssl.enabled is false.

(Static) Used to enable or disable TLS/SSL on the HTTP networking layer, which Elasticsearch uses to communicate with other clients. The default is false .

This statement does not seem to be in line with Docker Image. Assume there is a docker-compose.yaml file like this. I use Docker Engine 27.2.0 and Docker Compose 2.29.2.

services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.15.0
    environment:
      - ELASTIC_PASSWORD=es01Test
      - discovery.type=single-node

I then booted up and entered the interactive prompt for the container.

docker compose up -d
docker compose exec es01 /bin/bash
curl -u elastic:es01Test \
  -X POST \
  http://es01:9200/_security/user/kibana_system/_password \
  -d '{"password":"'"kibanaTest"'"}' \
  -H 'Content-Type: application/json'

At this point, the Error Log is as follows.

elasticsearch@5d304b927c85:~$ curl -u elastic:es01Test \
>   -X POST \
>   http://es01:9200/_security/user/kibana_system/_password \
>   -d '{"password":"'"kibanaTest"'"}' \
>   -H 'Content-Type: application/json'
curl: (52) Empty reply from server

Just execute exit and docker compose down --volumes to remove all containers.
If I explicitly set xpack.security.http.ssl.enabled=false in docker-compose.yml,

services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.15.0
    environment:
      - ELASTIC_PASSWORD=es01Test
      - discovery.type=single-node
      - xpack.security.http.ssl.enabled=false

I then booted up and entered the interactive prompt for the container.

docker compose up -d
docker compose exec es01 /bin/bash
curl -u elastic:es01Test \
  -X POST \
  http://es01:9200/_security/user/kibana_system/_password \
  -d '{"password":"'"kibanaTest"'"}' \
  -H 'Content-Type: application/json'

At this time, the exception curl: (52) Empty reply from server is no longer thrown.

elasticsearch@78f52664fc29:~$ curl -u elastic:es01Test \
>   -X POST \
>   http://es01:9200/_security/user/kibana_system/_password \
>   -d '{"password":"'"kibanaTest"'"}' \
>   -H 'Content-Type: application/json'
{}elasticsearch@78f52664fc29:~$

Why is the default value of xpack.security.http.ssl.enabled in Elasticsearch's Docker Image set to true?

TimV · September 5, 2024, 11:26am

It's not (or at least, not exactly in those terms).

On startup, if you have not performed any security configuration, elasticsearch will auto configure security and write an updated elasticsearch.yml that turns on SSL for transport and http.

You can disable this by either:

setting xpack.security.autoconfiguration.enabled to false
configuring some part of security yourself (which can be as simple as setting xpack.security.enabled to true).

Topic		Replies	Views
How to config kibana if xpack.security.http.ssl.enabled is false Kibana elastic-stack-security , docker	8	4351	July 19, 2022
Authentication for kibana, unknown setting xpack.security.enabled Elasticsearch elastic-stack-security , docker	6	2893	December 4, 2020
Enable xpack.security but not password authentication Elasticsearch elastic-stack-security	3	1133	August 22, 2023
Enabling security in Basic subscription Elasticsearch elastic-stack-security	3	406	November 27, 2020
Basics for ES Security (SSL/PWD) on remote deployed Dockers Elasticsearch elastic-stack-security , docker	4	443	December 13, 2023

Why is the default value of `xpack.security.http.ssl.enabled` in ElasticSearch's Docker Image set to `true`?

Related topics