Question about the optional step when connecting Elasticsearch and Zammad

Infos:

  • Used Zammad version: 4
  • Used Zammad installation source: (package)
  • Operating system: Ubuntu 18.04.5 LTS
  • Browser + version: chrome

Question:

HTTP Basic

$ zammad run rails r "Setting.set('es_user', '')"
$ zammad run rails r "Setting.set('es_password', '')"

When is this optional step necessary?
So far I have not done this and Zammad works. Is there a security risk in not doing this? (Elastic has no open port to the outside.)

Or is it only important if you want to access Elastic directly via the web?

Thank you very much for your help.

The mentioned settings are relevant if you have an Elasticsearch that does not run on your local machine and/or requires authentication in general.

Please note that by default anyone with access to your Elasticsearch node can put or pull data from your indices. This is potentially dangerous; if you don't expose Elasticsearch to the world, you should be fine.

Thank you.
OK, if Zammad is running on a VPS, then you should follow these steps, correct?

What else do I need to pay attention to, in terms of security, if I follow the installation instructions and want to use Zammad productively?

You need these steps only if Elasticsearch is running on another host or if you need to access it from other sources than localhost.

You should check the best practices for Elasticsearch installation security in Elastic's documentation.
If you're running on a default installation (so localhost only) you should be fine anyway.
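
The "localhost only" condition both replies rely on can be checked from the host's socket table. The following is an added example, not part of the original thread or of Zammad's documentation; it assumes Elasticsearch's default ports 9200 (HTTP) and 9300 (transport) and the output format of `ss -ltn`, and the sample lines are constructed.

```shell
#!/bin/sh
# Reads `ss -ltn` output on stdin and prints every listener on the
# Elasticsearch default ports that is NOT bound to a loopback address.
es_exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }                  # skips the header line too
        {
            la = $4                              # "Local Address:Port" column
            if (!match(la, /:[0-9]+$/)) next
            port = substr(la, RSTART + 1)
            addr = substr(la, 1, RSTART - 1)
            if (port != "9200" && port != "9300") next
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1] -> ::1
            sub(/%.*$/, "", addr)                        # drop %iface suffix
            # IPv4 loopback, IPv6 loopback, IPv4-mapped loopback (common for Java)
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print la
        }'
}

# Succeeds only when no Elasticsearch port is bound beyond loopback.
es_is_local_only() {
    [ -z "$(es_exposed_listeners)" ]
}

# Constructed sample: a default, loopback-only installation.
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 [::ffff:127.0.0.1]:9200 *:*
LISTEN 0 128 [::1]:9300 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: network.host changed so the node binds to all interfaces.
SAMPLE_EXPOSED='LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 128 *:9200 *:*
LISTEN 0 128 [::]:9300 [::]:*'

printf '%s\n' "$SAMPLE_EXPOSED" | es_exposed_listeners

# On a live host: ss -ltn | es_exposed_listeners
```

An empty result means only the bind address is loopback; a non-empty result does not prove the port is reachable from outside, since a firewall may still block it, but it is the case where authentication and network restrictions need to be in place.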
