OpenSearch/docs/reference/modules/http.asciidoc

[[modules-http]]
== HTTP

The http module allows to expose *elasticsearch* APIs
over HTTP.

The http mechanism is completely asynchronous in nature, meaning that
there is no blocking thread waiting for a response. The benefit of using
asynchronous communication for HTTP is solving the
http://en.wikipedia.org/wiki/C10k_problem[C10k problem].

When possible, consider using
http://en.wikipedia.org/wiki/Keepalive#HTTP_Keepalive[HTTP keep alive]
when connecting for better performance and try to get your favorite
client not to do
http://en.wikipedia.org/wiki/Chunked_transfer_encoding[HTTP chunking].

[float]
=== Settings

The settings in the table below can be configured for HTTP. Note that none of
them are dynamically updatable so for them to take effect they should be set in
`elasticsearch.yml`.

[cols="<,<",options="header",]
|=======================================================================
|Setting |Description
|`http.port` |A bind port range. Defaults to `9200-9300`.

|`http.publish_port` |The port that HTTP clients should use when
communicating with this node. Useful when a cluster node is behind a
proxy or firewall and the `http.port` is not directly addressable
from the outside. Defaults to the actual port assigned via `http.port`.

|`http.bind_host` |The host address to bind the HTTP service to. Defaults to `http.host` (if set) or `network.bind_host`.

|`http.publish_host` |The host address to publish for HTTP clients to connect to. Defaults to `http.host` (if set) or `network.publish_host`.

|`http.host` |Used to set the `http.bind_host` and the `http.publish_host` Defaults to `http.host` or `network.host`.

|`http.max_content_length` |The max content of an HTTP request. Defaults to
`100mb`. If set to greater than `Integer.MAX_VALUE`, it will be reset to 100mb.

|`http.max_initial_line_length` |The max length of an HTTP URL. Defaults
to `4kb`

|`http.max_header_size` | The max size of allowed headers.  Defaults to `8kB`


|`http.compression` |Support for compression when possible (with
Accept-Encoding). Defaults to `true`.

|`http.compression_level` |Defines the compression level to use for HTTP responses. Valid values are in the range of 1 (minimum compression)
and 9 (maximum compression). Defaults to `3`.

|`http.cors.enabled` |Enable or disable cross-origin resource sharing,
i.e. whether a browser on another origin can execute requests against
Elasticsearch. Set to `true` to enable Elasticsearch to process pre-flight 
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[CORS] requests. 
Elasticsearch will respond to those requests with the `Access-Control-Allow-Origin` header 
if the `Origin` sent in the request is permitted by the `http.cors.allow-origin` 
list. Set to `false` (the default) to make Elasticsearch ignore the `Origin` 
request header, effectively disabling CORS requests because Elasticsearch will 
never respond with the `Access-Control-Allow-Origin` response header. Note that 
if the client does not send a pre-flight request with an `Origin` header or it 
does not check the response headers from the server to validate the 
`Access-Control-Allow-Origin` response header, then cross-origin security is 
compromised. If CORS is not enabled on Elasticsearch, the only way for the client 
to know is to send a pre-flight request and realize the required response headers 
are missing. 

|`http.cors.allow-origin` |Which origins to allow. Defaults to no origins
allowed. If you prepend and append a `/` to the value, this will
be treated as a regular expression, allowing you to support HTTP and HTTPs.
for example using `/https?:\/\/localhost(:[0-9]+)?/` would return the
request header appropriately in both cases. `*` is a valid value but is
considered a *security risk* as your elasticsearch instance is open to cross origin
requests from *anywhere*.

|`http.cors.max-age` |Browsers send a "preflight" OPTIONS-request to
determine CORS settings. `max-age` defines how long the result should
be cached for. Defaults to `1728000` (20 days)

|`http.cors.allow-methods` |Which methods to allow. Defaults to
`OPTIONS, HEAD, GET, POST, PUT, DELETE`.

|`http.cors.allow-headers` |Which headers to allow. Defaults to
`X-Requested-With, Content-Type, Content-Length`.

|`http.cors.allow-credentials` | Whether the `Access-Control-Allow-Credentials`
header should be returned. Note: This header is only returned, when the setting is
set to `true`. Defaults to `false`

|`http.detailed_errors.enabled` |Enables or disables the output of detailed error messages
and stack traces in response output. Note: When set to `false` and the `error_trace` request
parameter is specified, an error will be returned; when `error_trace` is not specified, a
simple message will be returned. Defaults to `true`

|`http.pipelining` |Enable or disable HTTP pipelining, defaults to `true`.

|`http.pipelining.max_events` |The maximum number of events to be queued up in memory before a HTTP connection is closed, defaults to `10000`.

|=======================================================================

It also uses the common
<<modules-network,network settings>>.

[float]
=== Disable HTTP

The http module can be completely disabled and not started by setting
`http.enabled` to `false`. Elasticsearch nodes (and Java clients) communicate
internally using the <<modules-transport,transport interface>>, not HTTP. It
might make  sense to disable the `http` layer entirely on nodes which are not
meant to serve REST requests directly. For instance, you could disable HTTP on
<<modules-node,data-only nodes>> if you also have
<<modules-node,client nodes>> which are intended to serve all REST requests.
Be aware, however, that you will not be able to send any REST requests (eg to
retrieve node stats) directly to nodes which have HTTP disabled.
Migrated documentation into the main repo 2013-08-28 19:24:34 -04:00			`[[modules-http]]`
			`== HTTP`

			`The http module allows to expose elasticsearch APIs`
			`over HTTP.`

			`The http mechanism is completely asynchronous in nature, meaning that`
			`there is no blocking thread waiting for a response. The benefit of using`
			`asynchronous communication for HTTP is solving the`
			`http://en.wikipedia.org/wiki/C10k_problem[C10k problem].`

			`When possible, consider using`
			`http://en.wikipedia.org/wiki/Keepalive#HTTP_Keepalive[HTTP keep alive]`
			`when connecting for better performance and try to get your favorite`
			`client not to do`
			`http://en.wikipedia.org/wiki/Chunked_transfer_encoding[HTTP chunking].`

			`[float]`
			`=== Settings`

reword docs 2015-09-21 14:32:22 -04:00			`The settings in the table below can be configured for HTTP. Note that none of`
			`them are dynamically updatable so for them to take effect they should be set in`
			`elasticsearch.yml`.
Migrated documentation into the main repo 2013-08-28 19:24:34 -04:00
			`[cols="<,<",options="header",]`
			`\|=======================================================================`
			`\|Setting \|Description`
			\|`http.port` \|A bind port range. Defaults to `9200-9300`.

HTTP: Add 'http.publish_port' setting to the HTTP module This change adds a 'http.publish_port' setting to the HTTP module to configure the port which HTTP clients should use when communicating with the node. This is useful when running on a bridged network interface or when running behind a proxy or firewall. Closes #8807 Closes #8137 2014-12-07 10:56:47 -05:00			\|`http.publish_port` \|The port that HTTP clients should use when
			`communicating with this node. Useful when a cluster node is behind a`
			proxy or firewall and the `http.port` is not directly addressable
			from the outside. Defaults to the actual port assigned via `http.port`.

Docs: Documented the http.host and transport.host settings 2014-10-17 09:01:21 -04:00			\|`http.bind_host` \|The host address to bind the HTTP service to. Defaults to `http.host` (if set) or `network.bind_host`.

			\|`http.publish_host` \|The host address to publish for HTTP clients to connect to. Defaults to `http.host` (if set) or `network.publish_host`.

			\|`http.host` \|Used to set the `http.bind_host` and the `http.publish_host` Defaults to `http.host` or `network.host`.

[DOCS] Mention Integer.MAX_VALUE limit for http.max_content_length Fixes #11244 2015-05-20 15:08:59 -04:00			\|`http.max_content_length` \|The max content of an HTTP request. Defaults to
			`100mb`. If set to greater than `Integer.MAX_VALUE`, it will be reset to 100mb.
Migrated documentation into the main repo 2013-08-28 19:24:34 -04:00
			\|`http.max_initial_line_length` \|The max length of an HTTP URL. Defaults
			to `4kb`

Docs: Document `http.max_header_size` Closes #10752 2015-04-27 09:58:21 -04:00			\|`http.max_header_size` \| The max size of allowed headers. Defaults to `8kB`


Migrated documentation into the main repo 2013-08-28 19:24:34 -04:00			\|`http.compression` \|Support for compression when possible (with
Enable HTTP compression by default with compression level 3 With this commit we compress HTTP responses provided the client supports it (as indicated by the HTTP header 'Accept-Encoding'). We're also able to process compressed HTTP requests if needed. The default compression level is lowered from 6 to 3 as benchmarks have indicated that this reduces query latency with a negligible increase in network traffic. Closes #7309 2016-05-03 02:53:15 -04:00			Accept-Encoding). Defaults to `true`.
Migrated documentation into the main repo 2013-08-28 19:24:34 -04:00
Enable HTTP compression by default with compression level 3 With this commit we compress HTTP responses provided the client supports it (as indicated by the HTTP header 'Accept-Encoding'). We're also able to process compressed HTTP requests if needed. The default compression level is lowered from 6 to 3 as benchmarks have indicated that this reduces query latency with a negligible increase in network traffic. Closes #7309 2016-05-03 02:53:15 -04:00			\|`http.compression_level` \|Defines the compression level to use for HTTP responses. Valid values are in the range of 1 (minimum compression)
			and 9 (maximum compression). Defaults to `3`.
Document http.cors-settings 2013-12-06 06:37:48 -05:00
			\|`http.cors.enabled` \|Enable or disable cross-origin resource sharing,
Clarifies the documentation for the `http.cors.enabled` setting (#19890) Clarifies the documentation for the `http.cors.enabled` setting 2016-08-09 13:54:38 -04:00			`i.e. whether a browser on another origin can execute requests against`
			Elasticsearch. Set to `true` to enable Elasticsearch to process pre-flight
			`https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[CORS] requests.`
			Elasticsearch will respond to those requests with the `Access-Control-Allow-Origin` header
			if the `Origin` sent in the request is permitted by the `http.cors.allow-origin`
			list. Set to `false` (the default) to make Elasticsearch ignore the `Origin`
			`request header, effectively disabling CORS requests because Elasticsearch will`
			never respond with the `Access-Control-Allow-Origin` response header. Note that
			if the client does not send a pre-flight request with an `Origin` header or it
			`does not check the response headers from the server to validate the`
			`Access-Control-Allow-Origin` response header, then cross-origin security is
			`compromised. If CORS is not enabled on Elasticsearch, the only way for the client`
			`to know is to send a pre-flight request and realize the required response headers`
			`are missing.`
Document http.cors-settings 2013-12-06 06:37:48 -05:00
change CORS allow origin default to allow no origins Today, we disable CORS by default, but if a user simply enables CORS their instance of elasticsearch will allow cross origin requests from anywhere, as the default value for allowed origins is ``. This changes the default to be `null` so that no origins are allowed and the user must explicitly specify the origins they wish to allow requests from. The documentation also mentions that there is a security risk in using `` as the value. Closes #11169 2015-06-26 10:56:44 -04:00			\|`http.cors.allow-origin` \|Which origins to allow. Defaults to no origins
			allowed. If you prepend and append a `/` to the value, this will
CORS: Support regular expressions for origin to match against This commit adds regular expression support for the allow-origin header depending on the value of the request `Origin` header. The existing HttpRequestBuilder is also extended to support the OPTIONS HTTP method. Relates #5601 Closes #6891 2014-07-24 03:14:50 -04:00			`be treated as a regular expression, allowing you to support HTTP and HTTPs.`
			for example using `/https?:\/\/localhost(:[0-9]+)?/` would return the
change CORS allow origin default to allow no origins Today, we disable CORS by default, but if a user simply enables CORS their instance of elasticsearch will allow cross origin requests from anywhere, as the default value for allowed origins is ``. This changes the default to be `null` so that no origins are allowed and the user must explicitly specify the origins they wish to allow requests from. The documentation also mentions that there is a security risk in using `` as the value. Closes #11169 2015-06-26 10:56:44 -04:00			request header appropriately in both cases. `*` is a valid value but is
fix spelling and add to migration docs 2015-07-08 15:24:14 -04:00			`considered a security risk as your elasticsearch instance is open to cross origin`
change CORS allow origin default to allow no origins Today, we disable CORS by default, but if a user simply enables CORS their instance of elasticsearch will allow cross origin requests from anywhere, as the default value for allowed origins is ``. This changes the default to be `null` so that no origins are allowed and the user must explicitly specify the origins they wish to allow requests from. The documentation also mentions that there is a security risk in using `` as the value. Closes #11169 2015-06-26 10:56:44 -04:00			`requests from anywhere.`
Document http.cors-settings 2013-12-06 06:37:48 -05:00
			\|`http.cors.max-age` \|Browsers send a "preflight" OPTIONS-request to
			determine CORS settings. `max-age` defines how long the result should
			be cached for. Defaults to `1728000` (20 days)

			\|`http.cors.allow-methods` \|Which methods to allow. Defaults to
			`OPTIONS, HEAD, GET, POST, PUT, DELETE`.

			\|`http.cors.allow-headers` \|Which headers to allow. Defaults to
			`X-Requested-With, Content-Type, Content-Length`.

CORS: Allowed to configure allow-credentials header to work via SSL This adds support to return the "Access-Control-Allow-Credentials" header if needed, so CORS will work flawlessly with authenticated applications. Closes #6380 2014-08-05 11:31:33 -04:00			\|`http.cors.allow-credentials` \| Whether the `Access-Control-Allow-Credentials`
			`header should be returned. Note: This header is only returned, when the setting is`
			set to `true`. Defaults to `false`

[HTTP] add option to only return simple exception messages Adds a setting to disable detailed error messages and full exception stack traces in HTTP responses. When set to false, the error_trace request parameter will result in a HTTP 400 response. When the error_trace parameter is not present, the message of the first ElasticsearchException will be output and no nested exception messages will be output. 2015-03-16 20:09:13 -04:00			\|`http.detailed_errors.enabled` \|Enables or disables the output of detailed error messages
			and stack traces in response output. Note: When set to `false` and the `error_trace` request
			parameter is specified, an error will be returned; when `error_trace` is not specified, a
			simple message will be returned. Defaults to `true`

Netty: Add HTTP pipelining support This adds HTTP pipelining support to netty. Previously pipelining was not supported due to the asynchronous nature of elasticsearch. The first request that was returned by Elasticsearch, was returned as first response, regardless of the correct order. The solution to this problem is to add a handler to the netty pipeline that maintains an ordered list and thus orders the responses before returning them to the client. This means, we will always have some state on the server side and also requires some memory in order to keep the responses there. Pipelining is enabled by default, but can be configured by setting the http.pipelining property to true\|false. In addition the maximum size of the event queue can be configured. The initial netty handler is copied from this repo https://github.com/typesafehub/netty-http-pipelining Closes #2665 2014-10-31 11:07:26 -04:00			\|`http.pipelining` \|Enable or disable HTTP pipelining, defaults to `true`.

			\|`http.pipelining.max_events` \|The maximum number of events to be queued up in memory before a HTTP connection is closed, defaults to `10000`.
Document http.cors-settings 2013-12-06 06:37:48 -05:00
Migrated documentation into the main repo 2013-08-28 19:24:34 -04:00			`\|=======================================================================`

[DOCS] Multiple doc fixes Closes #5047 2014-03-07 08:21:45 -05:00			`It also uses the common`
Migrated documentation into the main repo 2013-08-28 19:24:34 -04:00			`<<modules-network,network settings>>.`

			`[float]`
			`=== Disable HTTP`

			`The http module can be completely disabled and not started by setting`
Update for clarification Make it clear which nodes in the cluster should have `http.enabled` set to `false`. Closes #10305 2015-03-28 23:39:58 -04:00			`http.enabled` to `false`. Elasticsearch nodes (and Java clients) communicate
			`internally using the <<modules-transport,transport interface>>, not HTTP. It`
			might make sense to disable the `http` layer entirely on nodes which are not
			`meant to serve REST requests directly. For instance, you could disable HTTP on`
			`<<modules-node,data-only nodes>> if you also have`
			`<<modules-node,client nodes>> which are intended to serve all REST requests.`
			`Be aware, however, that you will not be able to send any REST requests (eg to`
			`retrieve node stats) directly to nodes which have HTTP disabled.`