Tunneling SSL: When your client supports only HTTP

This page is deprecated and will be removed in an upcoming version of Elasticsearch Add-On for Heroku. We do not recommend using HTTP clients to connect to Elastic Cloud. If you need to do so, you should use a reverse proxy setup. If you have any concerns, contact support.

While Elastic recommends always using SSL/HTTPS, not all clients support HTTPS, and some support it poorly, for example by not actually verifying the server certificate.

To work around this, you can use a proxy or a tunnel: the application without HTTPS support connects to a local endpoint over plain HTTP, and that endpoint in turn connects to the Elasticsearch Add-On for Heroku deployment over HTTPS.

Tunneling With stunnel

stunnel is a tool that provides encrypted TLS/SSL connections on behalf of clients or servers that do not speak TLS or SSL natively.

We can use stunnel to listen on a port on localhost (e.g., 19200) and forward every connection it accepts to Elasticsearch Add-On for Heroku over SSL.

Here is a sample configuration to achieve this:

; Actually verify the certificate
verify = 2
; Works for Ubuntu. Adapt to your system.
CApath = /etc/ssl/certs

pid = /var/run/stunnel4/found-us-east-1.pid

; Log level. WARN=4, DEBUG=7
debug = 4

; Service that tunnels traffic to a single region's endpoint. This configuration is not cluster specific.
accept = 19200
client = yes
; Don't cache DNS. The IPs of the load balancers may change.
delay = yes
; Replace us-east-1 with your region. Valid hosts:
; - proxy-v1-us-east-1.foundcluster.com
; - proxy-v1-us-west-1.foundcluster.com
; - proxy-v1-eu-west-1.foundcluster.com
; - proxy-v1-sa-east-1.foundcluster.com
; - proxy-v1-ap-northeast-1.foundcluster.com
; - proxy-v1-ap-southeast-1.foundcluster.com

connect = proxy-v1-us-east-1.foundcluster.com:9243

To use this with Ubuntu:

  • Install the stunnel4 package, e.g. apt-get install stunnel4.
  • Save the configuration above as /etc/stunnel/found-us-east-1.conf.
  • Make sure /etc/default/stunnel4 contains ENABLED=1.
  • Run service stunnel4 start.
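The only line in that configuration that makes the tunnel safe is verify = 2 (stunnel does not check the server certificate unless told to), so it is worth checking a config before starting the service. The POSIX shell script below is an added example, not part of the Elastic documentation or of stunnel itself: it reads a constructed copy of the configuration above from a temporary file, extracts keys with a small awk helper, and refuses configs that do not verify the certificate chain, have no CA store to verify against, or are not in client mode. File paths and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an stunnel client config before starting the service,
# so a tunnel is never started with certificate verification switched off.

# Constructed sample of the configuration from the page, written to a temp file.
SAMPLE_CONF="${TMPDIR:-/tmp}/found-us-east-1.sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
; Actually verify the certificate
verify = 2
; Works for Ubuntu. Adapt to your system.
CApath = /etc/ssl/certs
pid = /var/run/stunnel4/found-us-east-1.pid
debug = 4
accept = 19200
client = yes
delay = yes
connect = proxy-v1-us-east-1.foundcluster.com:9243
EOF

# conf_value FILE KEY: print the value of the last "KEY = value" line in FILE,
# with ';' comments and surrounding whitespace stripped (empty if absent).
conf_value() {
    awk -v key="$2" '
        { sub(/;.*/, "") }                      # drop comments
        /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])  # trim the key
            if (kv[1] == key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                last = val                      # later lines override earlier ones
            }
        }
        END { print last }' "$1"
}

# lint_stunnel_conf FILE: return 0 if the config is safe to start, 1 otherwise,
# printing one finding per line on stdout.
lint_stunnel_conf() {
    conf="$1"; rc=0
    verify=$(conf_value "$conf" verify)
    capath=$(conf_value "$conf" CApath)
    cafile=$(conf_value "$conf" CAfile)
    client=$(conf_value "$conf" client)
    # Without verify = 2 (or 3) stunnel does not check the peer chain against
    # the CA store, so a man-in-the-middle would be accepted silently.
    case "$verify" in
        2|3) ;;
        *) echo "verify is '${verify:-unset}': the server certificate chain would not be verified"; rc=1 ;;
    esac
    # Chain verification needs a CA store to verify against.
    if [ -z "$capath" ] && [ -z "$cafile" ]; then
        echo "neither CApath nor CAfile is set: nothing to verify the chain against"; rc=1
    fi
    # This tunnel is the client side; server mode would expose the local port instead.
    if [ "$client" != "yes" ]; then
        echo "client is '${client:-unset}': this service must run in client mode"; rc=1
    fi
    return $rc
}

# Usage: lint the sample config; exit status is non-zero on any finding.
lint_stunnel_conf "$SAMPLE_CONF" && echo "$SAMPLE_CONF: ok"
```

Run it against /etc/stunnel/found-us-east-1.conf instead of the sample before service stunnel4 start; a config that drops verify, or that sets it to 0 or 1, is reported and the script exits non-zero, which makes it usable as a guard in a deployment step.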

You now have a service that listens on port 19200 and forwards traffic to proxy-v1-us-east-1.foundcluster.com:9243 over SSL, encrypting the traffic and verifying the server certificate on the way.

However, if you send HTTP requests to http://localhost:19200, nothing in them tells Elasticsearch Add-On for Heroku which deployment the requests must be routed to.

Typically, endpoints are of the form [deployment id]-[region].foundcluster.com. It is the hostname that specifies which deployment requests are routed to.

A compatible hostname must be sent to Elasticsearch Add-On for Heroku, but we still want to connect to

To do this, we can use ip.es.io. By connecting to http://[your-deployment-id]-[region]., e.g. http://7893883873a705aec69e2942901f20d7b1e28dec-us-east-, the hostname will resolve to and the hostname with the deployment ID will be sent to Elasticsearch Add-On for Heroku.

Elasticsearch Add-On for Heroku then has enough information to route the requests to your deployment.

Although this hostname does not match the SSL certificate (which is issued for *.foundcluster.com), that does not matter: it is stunnel that terminates the SSL connection, and it verifies the certificate of the host it connects to. stunnel knows nothing about HTTP, and the client connecting to port 19200 is completely unaware that its traffic is being tunneled through SSL.

Note that stunnel establishes a new SSL connection for every client connection it accepts. Use persistent (keep-alive) connections even though you are connecting to localhost; otherwise you will spend a lot of time on SSL handshakes!