By the way, for the records: last week I experimented on my laptop and tried to use SG SSL, and it’s not as straight forward as it used to be.
It kept on failing with:
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Cannot have more than one plugin implementing a REST wrapper
I made some experiment, turns out the usual
searchguard.ssl.http.enabled: 'false' is not enough anymore.
Nowadays SG needs a tiny code patch (comment out
getRestHandlerWrapper methods) in order to coexist with ROR.
Also, I noticed SG SSL (Apache 2.0 licensed) has a binary dependency to the main SG project (visible source, but non-free license). So it’s exponentially more unclear if a non SG-licensed user can legally use SG SSL even if it’s Apache 2.0.
edit: @jochenkressin (the author of SG) actually said this it’s legal (as of Apache 2.0 license) to use SG SSL for free alongside ROR, if you have inter-node SSL as a requirement.
In the meanwhile, a customer reported they implemented way faster than SG inter-node SSL encryption in Elasticsearch using Kubernetes using the weave net plugin. Never tried personally though, needs investigation.