Separating node-to-node and client traffic
editSeparating node-to-node and client traffic
editElasticsearch has the feature of so called TCP transport profiles
that allows it to bind to several ports and addresses. X-Pack security extends on this
functionality to enhance the security of the cluster by enabling the separation
of node-to-node transport traffic from client transport traffic. This is important
if the client transport traffic is not trusted and could potentially be malicious.
To separate the node-to-node traffic from the client traffic, add the following
to elasticsearch.yml
:
|
|
The port range that will be used by transport clients to communicate with this cluster |
|
Categorizes the profile as a |
If supported by your environment, an internal network can be used for node-to-node
traffic and public network can be used for client traffic by adding the following
to elasticsearch.yml
:
The bind address for the network that will be used for node-to-node communication |
|
The bind address for the network used for client communication |
If separate networks are not available, then IP filtering can be enabled to limit access to the profiles.
When using SSL for transport, a different set of certificates can also be used
for the client traffic by adding the following to elasticsearch.yml
:
transport.profiles.client.xpack.security.ssl.truststore: path: /path/to/another/truststore password: x-pack-test-password transport.profiles.client.xpack.security.ssl.keystore: path: /path/to/another/keystore password: x-pack-test-password
To change the default behavior that requires certificates for transport clients,
set the following value in the elasticsearch.yml
file:
transport.profiles.client.xpack.security.ssl.client_authentication: none
This setting keeps certificate authentication active for node-to-node traffic, but removes the requirement to distribute a signed certificate to transport clients. For more information, see Configuring the transport client to work with a secured Cluster.