70 lines
3.0 KiB
Plaintext
70 lines
3.0 KiB
Plaintext
[role="xpack"]
|
|
[[separating-node-client-traffic]]
|
|
=== Separating node-to-node and client traffic
|
|
|
|
Elasticsearch has the feature of so called
|
|
{ref}/modules-transport.html[TCP transport profiles]
|
|
that allows it to bind to several ports and addresses. The {es}
|
|
{security-features} extend on this functionality to enhance the security of the
|
|
cluster by enabling the separation of node-to-node transport traffic from client
|
|
transport traffic. This is important if the client transport traffic is not
|
|
trusted and could potentially be malicious. To separate the node-to-node traffic
|
|
from the client traffic, add the following to `elasticsearch.yml`:
|
|
|
|
[source, yaml]
|
|
--------------------------------------------------
|
|
transport.profiles.client: <1>
|
|
port: 9500-9600 <2>
|
|
xpack.security:
|
|
type: client <3>
|
|
--------------------------------------------------
|
|
<1> `client` is the name of this example profile
|
|
<2> The port range that will be used by transport clients to communicate with
|
|
this cluster
|
|
<3> Categorizes the profile as a `client`. This accounts for additional security
|
|
filters by denying request attempts on for internal cluster operations
|
|
(e.g shard level actions and ping requests) from this profile.
|
|
|
|
If supported by your environment, an internal network can be used for node-to-node
|
|
traffic and public network can be used for client traffic by adding the following
|
|
to `elasticsearch.yml`:
|
|
|
|
[source, yaml]
|
|
--------------------------------------------------
|
|
transport.profiles.default.bind_host: 10.0.0.1 <1>
|
|
transport.profiles.client.bind_host: 1.1.1.1 <2>
|
|
--------------------------------------------------
|
|
<1> The bind address for the network that will be used for node-to-node communication
|
|
<2> The bind address for the network used for client communication
|
|
|
|
If separate networks are not available, then
|
|
{stack-ov}/ip-filtering.html[IP Filtering] can
|
|
be enabled to limit access to the profiles.
|
|
|
|
When using SSL for transport, a different set of certificates can also be used
|
|
for the client traffic by adding the following to `elasticsearch.yml`:
|
|
|
|
[source, yaml]
|
|
--------------------------------------------------
|
|
transport.profiles.client.xpack.security.ssl.truststore:
|
|
path: /path/to/another/truststore
|
|
password: x-pack-test-password
|
|
|
|
transport.profiles.client.xpack.security.ssl.keystore:
|
|
path: /path/to/another/keystore
|
|
password: x-pack-test-password
|
|
--------------------------------------------------
|
|
|
|
To change the default behavior that requires certificates for transport clients,
|
|
set the following value in the `elasticsearch.yml` file:
|
|
|
|
[source, yaml]
|
|
--------------------------------------------------
|
|
transport.profiles.client.xpack.security.ssl.client_authentication: none
|
|
--------------------------------------------------
|
|
|
|
This setting keeps certificate authentication active for node-to-node traffic,
|
|
but removes the requirement to distribute a signed certificate to transport
|
|
clients. For more information, see
|
|
{stack-ov}/java-clients.html#transport-client[Configuring the Transport Client to work with a Secured Cluster].
|