Why is the default value of `xpack.security.http.ssl.enabled` in Elasticsearch's Docker Image set to `true`?

(Static) Used to enable or disable TLS/SSL on the HTTP networking layer, which Elasticsearch uses to communicate with other clients. The default is false.

  • This statement does not seem to be in line with the Docker image. Assume there is a docker-compose.yaml file like this. I use Docker Engine 27.2.0 and Docker Compose 2.29.2.
```yaml
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.15.0
    environment:
      - ELASTIC_PASSWORD=es01Test
      - discovery.type=single-node
```
  • I then booted up and entered the interactive prompt for the container.
```bash
docker compose up -d
docker compose exec es01 /bin/bash
curl -u elastic:es01Test \
  -X POST \
  http://es01:9200/_security/user/kibana_system/_password \
  -d '{"password":"'"kibanaTest"'"}' \
  -H 'Content-Type: application/json'
```
  • At this point, the Error Log is as follows.
```text
elasticsearch@5d304b927c85:~$ curl -u elastic:es01Test \
>   -X POST \
>   http://es01:9200/_security/user/kibana_system/_password \
>   -d '{"password":"'"kibanaTest"'"}' \
>   -H 'Content-Type: application/json'
curl: (52) Empty reply from server
```
  • Just execute exit and docker compose down --volumes to remove all containers.
  • If I explicitly set xpack.security.http.ssl.enabled=false in docker-compose.yml,
```yaml
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.15.0
    environment:
      - ELASTIC_PASSWORD=es01Test
      - discovery.type=single-node
      - xpack.security.http.ssl.enabled=false
```
  • I then booted up and entered the interactive prompt for the container.
```bash
docker compose up -d
docker compose exec es01 /bin/bash
curl -u elastic:es01Test \
  -X POST \
  http://es01:9200/_security/user/kibana_system/_password \
  -d '{"password":"'"kibanaTest"'"}' \
  -H 'Content-Type: application/json'
```
  • At this time, the exception curl: (52) Empty reply from server is no longer thrown.
```text
elasticsearch@78f52664fc29:~$ curl -u elastic:es01Test \
>   -X POST \
>   http://es01:9200/_security/user/kibana_system/_password \
>   -d '{"password":"'"kibanaTest"'"}' \
>   -H 'Content-Type: application/json'
{}elasticsearch@78f52664fc29:~$ 
```
  • Why is the default value of xpack.security.http.ssl.enabled in Elasticsearch's Docker Image set to true?

It's not (or at least, not exactly in those terms).

On startup, if you have not performed any security configuration, elasticsearch will auto configure security and write an updated elasticsearch.yml that turns on SSL for transport and http.

You can disable this by either:

  • setting xpack.security.autoconfiguration.enabled to false
  • configuring some part of security yourself (which can be as simple as setting xpack.security.enabled to true).
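The `curl: (52) Empty reply from server` in the question is what a client sees when the peer closes the connection without sending any bytes, which is how a TLS listener can react to a plaintext request. The following is an added example, not code from this thread or from Elastic, and it goes slightly beyond the thread by classifying the listener: it tries a TLS handshake first and falls back to one plaintext request. The function names and result labels are hypothetical, and certificate verification is off only because the probe detects the protocol and sends no credentials.

```python
import socket
import ssl


def probe_tls(host, port, timeout=3.0):
    """Return the negotiated TLS version, or None if no handshake completes."""
    ctx = ssl.create_default_context()
    # Protocol detection only: nothing secret is sent, so the certificate
    # is deliberately not verified here. Real clients must verify it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.version()
    except OSError:  # includes ssl.SSLError, resets and timeouts
        return None


def probe_plaintext(host, port, timeout=3.0):
    """Send one unauthenticated plaintext request and classify the reaction."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        try:
            data = sock.recv(16)
        except ConnectionResetError:
            data = b""
        except socket.timeout:
            return "timeout"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # listener answers in clear text
    if data[:1] == b"\x15":
        return "tls-alert"       # TLS alert record: a ClientHello was expected
    if not data:
        return "empty-reply"     # peer closed silently: curl's error 52
    return "unknown"


def http_layer(host, port, timeout=3.0):
    """TLS handshake first; the plaintext probe explains a failed handshake."""
    version = probe_tls(host, port, timeout)
    if version:
        return f"https ({version})"
    return probe_plaintext(host, port, timeout)
```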