XF can't access Elasticsearch hosted service due to https.

Baron

Member
We've been using the hosted Elasticsearch service at cloud.elastic.co for our search indexing but now it appears they are forcing the use of https, which breaks XF 1.5.x's ability to use it, which is causing all sorts of errors.

So https works:

https://b864c4a760356977ba75ef8219af4cd3.us-east-1.aws.found.io:9243/

but http doesn't:

http://b864c4a760356977ba75ef8219af4cd3.us-east-1.aws.found.io:9243/

I would like a patch or solution for this so that XF 1.5.x enhanced search can continue working.
 

Chris D

XenForo developer
Staff member
Enhanced Search 1.x doesn't support HTTPS, though it was added to Enhanced Search 2.0, so that's all we can recommend at this point.
 

Baron

Member
That's a major problem because aside from users not being able to search, now moderators can't even delete posts because the elasticsearch server can't be accessed any longer.
 

Chris D

XenForo developer
Staff member
At this point all we can recommend is self hosting the service, using a different hosted service that doesn’t enforce HTTPS or disabling it entirely and rebuilding the search index and running with MySQL search. The latter is certainly a reasonable temporary workaround until you can secure a more permanent solution.
 

Baron

Member
Elasticsearch support came back with this:

In order to recover from this issue you need to please configure shield with your required users and make sure that you authenticate to the cluster. https://www.elastic.co/guide/en/cloud/saas-release/security.html#enable-shield
Your cluster was previously without any authentication and accessible by any one, and as such a security concern.
For clusters running ES versions older than 5.0 we have enforced authentication and banned any use of anonymous user, we have communicated this on 2 occasions before and despite our initial plan to implement this in December last year we provided more time for customers to apply the necessary changes on their side.
The final notification on this went out on 7th of Feb clearly stating 19th of February as the deadline.
Please follow the documentation and set up authentication, let me know if you have any further questions.

Thanks.
Of course, all that is useless info since XF Enhanced Search for 1.5.x doesn't support authentication or https, so I opted to rebuild the search index via MySQL.
 

Alfa1

Well-known member
Its good that this issue is fixed in XF2.
It leaks private conversations, profile posts and private node content. Conversations if you index those by using @Xon 's search addons. There are also addons like chat, etc which can have sensitive data.
Which is especially problematic if personal data is transmitted.
 
Last edited:
Top