OK, so I think I figured it out and it seems to be working OK. Please feel free to publish this or improve upon it etc... Note: client certs have not been tested yet.
Software versions used (though I don't think it matters really):
Ubuntu 14.04
JDK 1.8_20
elasticsearch 1.3.2
stunnel4

This config is for a 2-node setup.

________________________________________
NODE 1
________________________________________

Required config changes to elasticsearch.yml:

# First bind elasticsearch to localhost (this makes es invisible to the outside world)
network.bind_host: 127.0.0.1
transport.tcp.port: 9300
# Since we are going to hide this node from the outside, we have to tell the rest of the nodes how it looks on the outside
network.publish_host: <NODE 1 IP HERE>
transport.publish_port: 9700
http.port: 9200
# Disable multicast
discovery.zen.ping.multicast.enabled: false
# Since we are hiding all the nodes behind stunnel we also need to proxy es client requests through SSL.
# For each additional node add 127.0.0.1:970x where x is incremented by 1, i.e. 9702, 9703 etc...
# Connect to NODE 2
discovery.zen.ping.unicast.hosts: 127.0.0.1:9701

stunnel.conf on NODE 1:

; Proxy ssl for tcp transport.
[es-transport]
accept = <NODE 1 IP HERE>:9300
connect = 127.0.0.1:9300
cert = stunnel.pem

; Proxy ssl for http
[es-http]
accept = <NODE 1 IP HERE>:9200
connect = 127.0.0.1:9200
cert = stunnel.pem

; ES clustering does some local discovery.
; Since stunnel binds its own ports, we pick an arbitrary port that is not used by other "systems/protocols".
; See the publish settings of elasticsearch.yml above.
[es-transport-local]
client = yes
accept = <NODE 1 IP HERE>:9700
connect = <NODE 1 IP HERE>:9300

; The ssl client tunnel for es to connect ssl to node 2.
[es-transport-node2]
client = yes
accept = 127.0.0.1:9701
connect = <NODE 2 IP HERE>:9301

; For each additional node increment x by 1, i.e. 9702, 9703 etc...
[es-transport-nodex]
client = yes
accept = 127.0.0.1:970x
connect = <NODE X IP HERE>:930x

________________________________________
NODE 2
________________________________________

Required config changes to elasticsearch.yml:

# First bind elasticsearch to localhost (this makes es invisible to the outside world)
network.bind_host: 127.0.0.1
transport.tcp.port: 9301
# Since we are going to hide this node from the outside, we have to tell the rest of the nodes how it looks on the outside
network.publish_host: <NODE 2 IP HERE>
transport.publish_port: 9701
http.port: 9200
# Disable multicast
discovery.zen.ping.multicast.enabled: false
# Since we are hiding all the nodes behind stunnel we also need to proxy es client requests through SSL.
# For each additional node add 127.0.0.1:970x where x is incremented by 1, i.e. 9702, 9703 etc...
# Connect to NODE 1
discovery.zen.ping.unicast.hosts: 127.0.0.1:9700

stunnel.conf on NODE 2:

; Proxy ssl for tcp transport.
[es-transport]
accept = <NODE 2 IP HERE>:9301
connect = 127.0.0.1:9301
cert = stunnel.pem

; Proxy ssl for http
[es-http]
accept = <NODE 2 IP HERE>:9200
connect = 127.0.0.1:9200
cert = stunnel.pem

; ES clustering does some local discovery.
; Since stunnel binds its own ports, we pick an arbitrary port that is not used by other "systems/protocols".
; See the publish settings of elasticsearch.yml above.
[es-transport-local]
client = yes
accept = <NODE 2 IP HERE>:9701
connect = <NODE 2 IP HERE>:9301

; The ssl client tunnel for es to connect ssl to node 1.
[es-transport-node1]
client = yes
accept = 127.0.0.1:9700
connect = <NODE 1 IP HERE>:9300

; For each additional node increment x by 1, i.e. 9702, 9703 etc...
[es-transport-nodex]
client = yes
accept = 127.0.0.1:970x
connect = <NODE X IP HERE>:930x

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/f7e8f653-3f09-4a12-92c5-d5e0a54e7f1d%40googlegroups.com.
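Added example, not code from the original post or from the Elasticsearch or stunnel projects: a POSIX shell script that generates the elasticsearch.yml and stunnel.conf fragments for node i of an N-node cluster following the port scheme the post uses (node i binds 127.0.0.1:930(i-1), publishes <ip_i>:970(i-1), and reaches peer j through a local tunnel on 127.0.0.1:970(j-1)), so the "increment x" step is done mechanically for any number of nodes. It also creates the stunnel.pem the post references but does not show how to build (one self-signed key+cert pair shared by all nodes) and adds, as assumptions beyond the post, a global "verify = 2" with "CAfile" pointing at that same pem so that both ends of every tunnel must present the shared certificate, plus an openssl s_client check that an accept port really completes a TLS handshake. The /etc/stunnel paths and 10.0.0.x addresses are placeholders. One caveat the generated layout inherits from the post: the [es-transport-local] listener on <NODE IP>:970x is a plaintext accept, and a peer that learns that published address will connect to it without TLS across the wire, so restrict the 970x ports to loopback or trusted peers with a firewall, or publish the TLS port (930x) directly once you have confirmed the node never dials its own published address.

```shell
#!/bin/sh
# Added example (not from the original post): generate per-node elasticsearch.yml
# and stunnel.conf fragments for an N-node cluster in the post's layout, build a
# shared self-signed stunnel.pem, and check that an accept port speaks TLS.
# Assumed conventions (from the post): node i listens on 127.0.0.1:930(i-1) and
# publishes <ip_i>:970(i-1); the local tunnel to peer j is 127.0.0.1:970(j-1).
# Assumed additions: the same pem is used as 'cert' and as 'CAfile' with
# 'verify = 2', so every tunnel end must present the shared certificate.

es_port()  { echo $((9300 + $1 - 1)); }   # ES transport port of node $1
pub_port() { echo $((9700 + $1 - 1)); }   # published / local-tunnel port of node $1

# gen_es_yml <this node index, 1-based> <ip1> <ip2> ...
gen_es_yml() {
    me=$1; shift
    n=0; hosts=""; myip=""
    for ip in "$@"; do
        n=$((n + 1))
        if [ "$n" -eq "$me" ]; then
            myip=$ip
        else
            hosts="${hosts:+$hosts,}127.0.0.1:$(pub_port "$n")"
        fi
    done
    cat <<EOF
# elasticsearch.yml for node $me ($myip)
network.bind_host: 127.0.0.1
transport.tcp.port: $(es_port "$me")
network.publish_host: $myip
transport.publish_port: $(pub_port "$me")
http.port: 9200
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: $hosts
EOF
}

# gen_stunnel_conf <this node index, 1-based> <ip1> <ip2> ...
gen_stunnel_conf() {
    me=$1; shift
    n=0; myip=""
    for ip in "$@"; do
        n=$((n + 1))
        if [ "$n" -eq "$me" ]; then myip=$ip; fi
    done
    cat <<EOF
; stunnel.conf for node $me ($myip); global options apply to every service below.
cert = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/stunnel.pem
verify = 2

; TLS server in front of the local ES transport port.
[es-transport]
accept = $myip:$(es_port "$me")
connect = 127.0.0.1:$(es_port "$me")

; TLS server in front of the local ES HTTP port.
[es-http]
accept = $myip:9200
connect = 127.0.0.1:9200

; Plaintext accept on the published port, TLS out to our own transport server.
; Caveat: this listener is reachable from the network without TLS.
[es-transport-local]
client = yes
accept = $myip:$(pub_port "$me")
connect = $myip:$(es_port "$me")
EOF
    n=0
    for ip in "$@"; do
        n=$((n + 1))
        if [ "$n" -eq "$me" ]; then continue; fi
        cat <<EOF

; TLS client tunnel to peer node $n.
[es-transport-node$n]
client = yes
accept = 127.0.0.1:$(pub_port "$n")
connect = $ip:$(es_port "$n")
EOF
    done
}

# make_cert <dir>: one self-signed key+cert, concatenated the way stunnel's 'cert' expects.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=es-stunnel" \
        -keyout "$1/stunnel.key" -out "$1/stunnel.crt" 2>/dev/null
    cat "$1/stunnel.key" "$1/stunnel.crt" > "$1/stunnel.pem"
    chmod 600 "$1/stunnel.pem"
}

# check_tls <ip> <port> <pem>: succeeds only if a TLS handshake completes and the
# peer certificate verifies against the shared pem; a plaintext ES port fails here.
check_tls() {
    printf '' | openssl s_client -connect "$1:$2" -cert "$3" -CAfile "$3" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh gen_es_stunnel.sh <node index> <ip1> <ip2> ...   (prints both fragments)
if [ "$#" -ge 2 ]; then
    gen_es_yml "$@"
    echo
    gen_stunnel_conf "$@"
fi
```

Run it once per node with the same ordered IP list, e.g. `sh gen_es_stunnel.sh 2 10.0.0.1 10.0.0.2 10.0.0.3` on the second node, copy the same stunnel.pem to every node, then `check_tls 10.0.0.2 9301 /etc/stunnel/stunnel.pem` from a peer should succeed while the same check against 127.0.0.1:9301 (the raw ES port) fails.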