Node Client -> ES connection problem (docker)


I’m currently trying to fix an issue that I have with my setup.
I have a node service (using node-eventstore-client v0.2.18, TCP) and the eventstore (v20), both running in separate docker containers (and both connected to a custom docker network “backends-docker-network”).

Unfortunately, the service does not connect to the eventstore.
When I start a docker container with some network tools (the same way I start the service container) and scan the ports of the eventstore with nmap, I only see the port 2113 as open. Port 1113 leads to the same nmap output as any port that does not listen.

nmap -p- eventstore
Starting Nmap 7.80 ( ) at 2020-10-23 08:56 UTC
Nmap scan report for eventstore (
Host is up (0.000018s latency).
rDNS record for eventstore.backends-docker-network
Not shown: 65534 closed ports
2113/tcp open  hsl-storm
MAC Address: 02:42:AC:13:00:02 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.90 seconds

With netstat on the host I can see both ports 1113 and 2113 on localhost.

tcp        0      0*               LISTEN      0          1841059
tcp        0      0*               LISTEN      0          1843452
tcp        0      0*               LISTEN      0          1841790
tcp        0      0*               LISTEN      0          1843427

docker run of the service
docker run -d --name adb-service --network=backends-docker-network --restart=unless-stopped <adb-service-image>

The only thing a currently override in terms of the eventstore config ist
EVENTSTORE_INSECURE: “true” (this is ansible syntax)

Any idea of how to proceed?
Thanks Andy

Hi Andy

I spent quite a bit of time on that as well – back on 5.x it worked out of the box, I think. With 20.x we set (among others)


for our local dev environment using docker compose and

            - name: EVENTSTORE_EXT_IP
              value: "True"
              value: /opt/eventstore/eventstore.p12
              value: /usr/local/share/ca-certificates

for our k8s environments.

Not sure if all of them are needed, but I remember spending quite some time to get my client to connect properly. I think it was EVENTSTORE_ENABLE_EXTERNAL_TCP and/or EVENTSTORE_EXT_IP that did the trick.

Kind regards

Thanks a lot, bjoern, that helped!!

And it’s both, EVENTSTORE_ENABLE_EXTERNAL_TCP AND EVENTSTORE_EXT_IP that is needed. I guess EXT_IP is necessary so the port is bound to a network interface that can be exposed to the outside by docker, and ENABLE… is necessary because …let me copy the log of my es instance:

"The Legacy TCP Client Interface has been deprecated as of version 20.6.0. The External TCP Interface can be re-enabled with the 'EnableExternalTCP' option. It is recommended to use gRPC instead."

One problem remains. It seems like my plan does not work. I wanted to have no secured connection on the ES. I thought I can proxy the admin gui over my existing nginx and let the tcp connection unsecured as I don’t expose the port to the web (ES and its using service are on the same server).

But I will write a new Post for that…

Thanks a lot again Bjoern for getting me half the way already :slightly_smiling_face:

Hi Andy, glad to hear it helped. I think starting from 20.x ESDB enforces encrypted connections in non-dev mode, no way around it. Since you are using nodejs be sure to watch

Kind regards, Björn

Thanks again for that link Bjoern, seems like a lot has happened since I have built that service.