Complete Easysearch.yml Field Guide and Security Configuration Walkthrough

This article answers a WeChat query by providing the official documentation link, demonstrating how to disable HTTP TLS, testing TCP TLS, and offering a line‑by‑line walkthrough of easysearch.yml’s core settings—including cluster basics, security options, TLS certificates, password policies, and critical risk warnings for production deployments.

Mingyi World Elasticsearch

Official documentation

URL: https://docs.infinilabs.com/easysearch/main/docs/references/security/configuration/tls/

Disable HTTP‑layer TLS

Set security.ssl.http.enabled: false (default true).

Restart Easysearch.

After restart the service still reports that HTTPS is required by default (as shown in the screenshot).

Disable TCP‑layer TLS

The documentation states it is possible, but attempting to set the transport TLS off results in a startup error (screenshot).

easysearch.yml – line‑by‑line core fields

Cluster basics

#cluster.name: my-application
#node.name: node-1
#node.attr.rack: r1
#path.data: /path/to/data
#path.logs: /path/to/logs
#bootstrap.memory_lock: true
#network.host: 192.168.0.1
#http.port: 9200
#discovery.seed_hosts: ["host1", "host2"]
#cluster.initial_master_nodes: ["node-1", "node-2"]
#gateway.recover_after_nodes: 3
#action.destructive_requires_name: true
#cluster.routing.allocation.disk.threshold_enabled: false
#node.max_local_storage_nodes: 3
#bootstrap.system_call_filter: false

API compatibility

#elasticsearch.api_compatibility: true
#elasticsearch.api_compatibility_version: "8.9.0"

Core security switches

security.enabled: false
security.audit.type: noop

Transport‑layer SSL/TLS

security.ssl.transport.cert_file: instance.crt
security.ssl.transport.key_file: instance.key
security.ssl.transport.ca_file: ca.crt
security.ssl.transport.skip_domain_verify: true

HTTP‑layer SSL/TLS

security.ssl.http.enabled: true
security.ssl.http.cert_file: instance.crt
security.ssl.http.key_file: instance.key
security.ssl.http.ca_file: ca.crt
security.ssl.http.enabled_ciphers:
  - "TLS_AES_128_GCM_SHA256"
  - "TLS_AES_256_GCM_SHA384"
  - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
security.ssl.http.enabled_protocols:
  - "TLSv1.2"
  - "TLSv1.3"

Security index and permission settings

security.allow_default_init_securityindex: true
security.nodes_dn:
  - 'CN=infini.cloud,OU=UNIT,O=ORG,L=NI,ST=FI,C=IN'
security.restapi.roles_enabled: ["superuser", "security_rest_api_access", "security"]
security.system_indices.enabled: true
security.ssl.http.clientauth_mode: OPTIONAL
security.system_indices.indices: [".infini-*"]

Administrator certificate

security.authcz.admin_dn:
  - 'CN=admin.infini.cloud,OU=UNIT,O=ORG,L=NI,ST=FI,C=IN'

Example to delete system indices with the admin certificate:

curl -k --cert config/admin.crt --key config/admin.key \
  -XDELETE 'https://localhost:9200/.infini-*/'

Password strength policy

security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}'
security.restapi.password_validation_error_message: "A password must be at least 8 characters long..."

Remote reindex configuration (optional)

reindex.remote.whitelist: "external_ip:9200"
reindex.ssl.verification_mode: none

Backup path

# Backslashes must be doubled inside a double-quoted YAML string.
path.repo: ["D:\\software\\easysearch-1.15.3-2373-windows-amd64\\config\\backups"]

Key security risk warnings

security.enabled: false disables all security features; production deployments should enable it.

security.ssl.http.skip_domain_verify: true skips certificate domain verification, which exposes the connection to man-in-the-middle (MITM) attacks.

reindex.ssl.verification_mode: none disables SSL verification, which is insecure.

The administrator certificate (admin.crt/admin.key) must be stored securely because it grants full privileges.
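
A minimal audit of the settings flagged above, as an added example that is not part of the original article or of Easysearch: it reads the flat key: value lines of an easysearch.yml and reports the risky values the article names, and checks that the password regex rejects a few weak passwords. The function names, the sample config and the weak-password samples are constructed for illustration; full-match semantics for the password regex is an assumption.

```python
import re

# Risky values from the article's risk section and closing quote. The transport
# skip_domain_verify key is from its config listing; flagging it is an assumption.
RISKY = {
    "security.enabled": ("false", "all security features are disabled"),
    "security.ssl.http.enabled": ("false", "HTTP API and passwords travel unencrypted"),
    "security.ssl.http.skip_domain_verify": ("true", "certificate domain check skipped (MITM)"),
    "security.ssl.transport.skip_domain_verify": ("true", "certificate domain check skipped (MITM)"),
    "reindex.ssl.verification_mode": ("none", "SSL verification disabled for remote reindex"),
}
WEAK_SAMPLES = ["password", "Password1", "12345678"]  # constructed test passwords

def parse_flat(text):
    """Read flat dotted 'key: value' lines; skip comments and list items."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "-")):
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(text):
    """Return (key, reason) findings for an easysearch.yml given as text."""
    settings = parse_flat(text)
    findings = [(k, why) for k, (bad, why) in RISKY.items()
                if settings.get(k, "").lower() == bad]
    regex = settings.get("security.restapi.password_validation_regex")
    if regex:  # assumption: the whole password must match the pattern
        accepted = [p for p in WEAK_SAMPLES if re.fullmatch(regex, p)]
        if accepted:
            findings.append(("security.restapi.password_validation_regex",
                             "accepts weak passwords: " + ", ".join(accepted)))
    return findings

# Constructed sample built from values shown in the article.
SAMPLE = r"""
#cluster.name: my-application
security.enabled: false
security.ssl.transport.skip_domain_verify: true
security.ssl.http.enabled: true
security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}'
reindex.ssl.verification_mode: none
"""

if __name__ == "__main__":
    for key, reason in audit(SAMPLE):
        print(f"RISK {key}: {reason}")
```

The parser handles only the flat dotted keys used in the listing above; nested YAML mappings and inline comments are outside what it covers.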

“Security first: HTTP without TLS is running naked, and setting a password is just for show!”