ElasticSearch with Security

By default, ElasticSearch uses a plain-text protocol without any authentication, and it is not very secure.
I am not familiar with ES, so I set up an IP-based firewall to prevent unwanted ES queries from others. But it is not enough.

ES has an official plugin called x-pack which provides authentication, TLS, etc.
I tried to follow their guide, but the documentation is not well maintained and is complicated.

Can anyone help me set this up? I think security should be the default, not an option.

(And maybe I should patch Mastodon to handle ES_USERNAME and ES_PASSWORD as environment config.)

ElasticSearch should never be exposed to the outside world. If you don't have enough network experience to keep it firewalled from the broader internet, then you should only ever have it bind to localhost, so that other machines cannot access it.

By default, elasticsearch binds to loopback only. If you somehow got it into a less secure configuration, then please return it to the default state immediately.
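A quick way to verify the point made in this reply, as an added example that is not part of either post above: the script below parses the `network.host` setting out of an `elasticsearch.yml` and reports whether every configured bind address is loopback-only (an absent setting means the Elasticsearch default, `_local_`). The four sample configs are constructed here for illustration, not taken from any real deployment. It assumes the file uses the plain `network.host: value`, inline-list or block-list YAML forms; it does not look at `network.bind_host` or `http.host`, which can override `network.host` for binding, and it says nothing about x-pack authentication or TLS, which is a separate step.

```shell
#!/bin/sh
# Added example: check whether an elasticsearch.yml binds Elasticsearch to
# loopback only. Assumption: the bind address is set via network.host in one
# of the usual YAML forms; network.bind_host / http.host are not considered.

# Values Elasticsearch treats as loopback-only. _local_ is the default that
# applies when network.host is not set at all.
is_loopback_value() {
  case "$1" in
    _local_|localhost|127.0.0.1|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the configured network.host values, one per line.
# Absent setting -> "_local_" (the default). Key present but no value
# recognised -> "unknown", so the caller fails closed rather than open.
es_bind_values() {
  awk '
    /^[[:space:]]*network\.host[[:space:]]*:/ {
      seen = 1
      sub(/^[[:space:]]*network\.host[[:space:]]*:[[:space:]]*/, "")
      sub(/#.*/, "")                 # strip a trailing comment
      gsub(/[][",]/, " ")            # flatten an inline list ["a", "b"]
      gsub(/'\''/, " ")
      if ($0 ~ /[^[:space:]]/) { print; printed = 1; next }
      inlist = 1; next               # value is a block list on following lines
    }
    inlist && /^[[:space:]]*-/ {
      sub(/^[[:space:]]*-[[:space:]]*/, ""); sub(/#.*/, "")
      gsub(/[]["'\'']/, " ")
      if ($0 ~ /[^[:space:]]/) { print; printed = 1 }
      next
    }
    inlist { inlist = 0 }
    END {
      if (!seen) print "_local_"           # Elasticsearch default: loopback only
      else if (!printed) print "unknown"   # could not parse: treat as exposed
    }
  ' "$1"
}

# Return 0 when every configured bind address is loopback, 1 otherwise.
es_bound_to_loopback_only() {
  for v in $(es_bind_values "$1"); do
    is_loopback_value "$v" || return 1
  done
  return 0
}

# Human-readable verdict for one config file.
check_es_config() {
  addrs=$(es_bind_values "$1" | tr '\n' ' ')
  if es_bound_to_loopback_only "$1"; then
    echo "$1: OK, loopback only ($addrs)"
  else
    echo "$1: WARNING, reachable from other hosts ($addrs)"
  fi
}

# Constructed sample configs (not from any real deployment).
D=$(mktemp -d)
cat > "$D/default.yml" <<'EOF'
cluster.name: mastodon
# network.host is not set, so Elasticsearch binds to _local_ (loopback) only
EOF
cat > "$D/exposed.yml" <<'EOF'
cluster.name: mastodon
network.host: 0.0.0.0   # listens on every interface: reachable from anywhere
http.port: 9200
EOF
cat > "$D/lan.yml" <<'EOF'
cluster.name: mastodon
network.host:
  - 192.168.1.10        # block-list form, still a non-loopback address
EOF
cat > "$D/hardened.yml" <<'EOF'
cluster.name: mastodon
network.host: ["127.0.0.1", "::1"]
http.port: 9200
# x-pack authentication/TLS (xpack.security.*) is a separate step, not checked here
EOF

for f in "$D"/*.yml; do check_es_config "$f"; done
```

Run it against a real deployment with `es_bind_values /etc/elasticsearch/elasticsearch.yml`, and pair the file check with a live one such as `ss -ltn` to confirm that port 9200 is only listening on 127.0.0.1 or ::1.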