ElasticSearch SSL

Bobby Warner edited this page Nov 20, 2024 · 1 revision

To run Elasticsearch 7 on port 443 with SSL (HTTPS) instead of the default port 9200, you need to modify the Elasticsearch configuration and set up SSL certificates. Here’s a step-by-step guide:

1. Generate SSL Certificates

Before configuring SSL, you need to generate or obtain SSL certificates. You can create self-signed certificates or use certificates from a trusted Certificate Authority (CA).

Generate a self-signed certificate (for testing purposes):

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout elasticsearch.key -out elasticsearch.crt

This will create a private key (elasticsearch.key) and a certificate (elasticsearch.crt).

  • elasticsearch.key: Private key.
  • elasticsearch.crt: Public certificate.

Make sure these files are saved in a secure directory.
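
Step 1 produces a PEM key and certificate, while the configuration in step 2 points at a .p12 keystore. The following is an added example (not part of the original page) that generates the self-signed pair non-interactively and bundles it into that keystore; the directory, the host name es.example.test and the ES_KEYSTORE_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Directory, host name and the
# ES_KEYSTORE_PASS variable are assumptions chosen for illustration.
set -eu

# make_keystore DIR HOSTNAME
# Creates elasticsearch.key/.crt (self-signed, test use) and bundles them into
# DIR/elasticsearch.p12, protected with the password in $ES_KEYSTORE_PASS.
make_keystore() (
    : "${ES_KEYSTORE_PASS:?export ES_KEYSTORE_PASS before calling}"
    umask 077                       # new files are readable by the owner only
    mkdir -p "$1"
    cd "$1"
    # -subj avoids the interactive prompts; the subjectAltName lets clients
    # verify the host name instead of skipping verification (OpenSSL 1.1.1+).
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout elasticsearch.key -out elasticsearch.crt
    # env: keeps the password out of the process list and shell history.
    openssl pkcs12 -export -name elasticsearch \
        -inkey elasticsearch.key -in elasticsearch.crt \
        -out elasticsearch.p12 -passout env:ES_KEYSTORE_PASS
)

# keystore_san DIR
# Prints the DNS names of the certificate stored inside the keystore.
keystore_san() {
    openssl pkcs12 -in "$1/elasticsearch.p12" -passin env:ES_KEYSTORE_PASS \
        -nokeys -clcerts | openssl x509 -noout -text | grep 'DNS:'
}

# Usage (the elasticsearch user must own the files it is going to read):
#   export ES_KEYSTORE_PASS='...'
#   make_keystore /etc/elasticsearch/certs es.example.test
#   keystore_san /etc/elasticsearch/certs
```

When the subjectAltName matches the host name you connect to, the check in step 6 can pass --cacert elasticsearch.crt to curl instead of -k.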

2. Configure Elasticsearch for SSL

Elasticsearch uses SSL for securing communication over HTTP and transport layers. You need to update the elasticsearch.yml configuration file to enable SSL on the HTTP layer and bind it to port 443.

Edit the elasticsearch.yml Configuration

  • Find the elasticsearch.yml configuration file (usually located in /etc/elasticsearch/elasticsearch.yml or /usr/share/elasticsearch/config/elasticsearch.yml).

  • Add or modify the following settings in the elasticsearch.yml:

# Security features must be enabled for the SSL settings below to take effect
xpack.security.enabled: true

# Enable SSL for HTTP (REST API)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /path/to/your/elasticsearch.p12  # Or .jks, depending on your format
xpack.security.http.ssl.keystore.password: "your-keystore-password"
xpack.security.http.ssl.truststore.path: /path/to/your/elasticsearch.p12  # Or .jks
xpack.security.http.ssl.truststore.password: "your-truststore-password"
xpack.security.http.ssl.verification_mode: full  # or certificate for less strict validation

# Listen on port 443 instead of the default port 9200
http.port: 443

If you're using .p12 (PKCS#12) format, specify the path to your .p12 file. If you're using .jks (Java KeyStore) format, you will need to specify the path to the .jks file and provide the appropriate password.

For example, if you're using .p12:

xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elasticsearch.p12
xpack.security.http.ssl.keystore.password: "your-keystore-password"

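Optional: If your key and certificate are PEM files rather than a .p12 or .jks keystore, set xpack.security.http.ssl.key and xpack.security.http.ssl.certificate instead of the keystore settings.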

3. Allow Elasticsearch to Bind to Port 443

Port 443 is a privileged port (i.e., below 1024), so the user that Elasticsearch runs under needs the necessary permissions to bind to it.

  • Linux: Ensure the Elasticsearch user can bind to port 443, which may require root or sudo privileges.
  • MacOS/Windows: Similar permissions are needed.

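Example of letting the Elasticsearch service bind to low ports on a systemd-based Linux host, without running it as root:

# Open a drop-in override for the service unit
sudo systemctl edit elasticsearch

# Add the following lines to grant the service the capability to bind to ports below 1024
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE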

Alternatively, you can run Elasticsearch with elevated privileges using sudo, but this is not recommended for production environments due to security concerns.

4. Configure Firewall and Reverse Proxy (Optional)

If you're running Elasticsearch behind a firewall or reverse proxy (such as Nginx or Apache), you may need to configure it to forward requests from port 443 to the actual port Elasticsearch is running on.

For example, with Nginx, you could configure it as follows:

server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        proxy_pass http://localhost:9200;  # Port where Elasticsearch is running
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

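This way, Nginx listens on port 443, handles SSL termination, and proxies requests to Elasticsearch running on the internal port (e.g., 9200). In this layout Elasticsearch stays on port 9200 with the HTTP SSL settings from step 2 left off, so the hop between Nginx and Elasticsearch is unencrypted; keep Elasticsearch bound to localhost.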

5. Restart Elasticsearch

Once you’ve configured everything, restart Elasticsearch for the changes to take effect:

sudo systemctl restart elasticsearch

6. Verify the Configuration

To test the SSL setup and ensure Elasticsearch is running on port 443 with SSL, you can run:

curl -X GET "https://localhost:443" -u elastic -k

  • -u elastic: Replace with your Elasticsearch username (e.g., elastic).
  • -k: Ignore SSL certificate verification (useful for self-signed certificates).

If everything is set up correctly, you should receive a response from Elasticsearch over HTTPS.

Troubleshooting

  • Permissions: Make sure that Elasticsearch has permission to use port 443.
  • Firewall: Ensure that port 443 is open and accessible if you're using a firewall.
  • Certificate Issues: If you're using self-signed certificates, you might need to disable strict certificate validation or add the certificate to your system's trusted store.

By following these steps, you should be able to run Elasticsearch 7 on port 443 with SSL.