I have successfully installed the minimum OpenSearch two-node cluster using the docker installation example in the docs. I generated my own self-signed certs and turned off the demo config and everything worked fine.
I then modified my opensearch.yml to continue to use the self-signed certs to secure the transport layer, but to disable SSL for the REST layer using the plugins.security.ssl.http.enabled: true setting.
I plan to install an nginx server on the host machine that will act as a reverse proxy to OpenSearch. The nginx will be the SSL termination point and the default OpenSearch ports for both the nodes and OpenDashboards will not be accessible externally (using a firewall on the server). All HTTP traffic will come through nginx. We have trusted CA wildcard certificates for our internal domain which nginx will use, which is easier than dealing with the self-signed certs.
I don’t see any mention in the docs or on the forums about reverse proxies. Is this a recommended configuration? Are there any pitfalls in doing this, especially if we decide to increase the number of nodes in the cluster in the future?
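
The layout described in the post, sketched as an nginx configuration. This is an added example, not part of the original post and not taken from the OpenSearch documentation. The hostnames, certificate paths and the loopback port mappings (9200/9201 for the two nodes, 5601 for Dashboards) are assumptions or placeholders.

```nginx
# Added example. Hostnames, file paths and port mappings are placeholders.
upstream opensearch_nodes {
    # With REST-layer TLS disabled, this hop is plain HTTP: publish the
    # container ports on loopback only so nothing else on the network sees it.
    server 127.0.0.1:9200;   # node 1 (assumed published port)
    server 127.0.0.1:9201;   # node 2 (assumed published port)
    # Growing the cluster means adding further "server" lines here.
    keepalive 16;
}

server {
    listen 443 ssl;
    server_name opensearch.internal.example;               # placeholder

    ssl_certificate     /etc/nginx/tls/wildcard.crt;       # placeholder path
    ssl_certificate_key /etc/nginx/tls/wildcard.key;       # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://opensearch_nodes;
        proxy_http_version 1.1;
        proxy_set_header Connection "";   # needed for upstream keepalive
        proxy_set_header Host $host;
        # The client's Authorization header is forwarded by default, so the
        # security plugin still authenticates each request itself.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name dashboards.internal.example;               # placeholder

    ssl_certificate     /etc/nginx/tls/wildcard.crt;       # placeholder path
    ssl_certificate_key /etc/nginx/tls/wildcard.key;       # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:5601;  # Dashboards, loopback only
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```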