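Transport-layer security configuration builds on the minimal security setup (username and password): certificates are installed to authenticate the nodes in the cluster, which prevents unauthorized nodes from joining your Elasticsearch cluster.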

Generate the certificate

Elastic ships a tool named elasticsearch-certutil in the bin directory for generating certificates.

Start an Elasticsearch instance and change into its bin directory.

[root@7bd455c1db3a bin]# elasticsearch-certutil cert
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
      on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
      instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
      the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Note: Generating certificates without providing a CA certificate is deprecated.
      A CA certificate will become mandatory in the next major release.

Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

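The command prompts for two inputs:

  • "Please enter the desired output file [elastic-certificates.p12]:" asks for the name of the output file; press Enter to accept the default name.
  • "Enter password for elastic-certificates.p12 :" asks for the password that protects the certificate file; it may be left empty.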

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

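The output above shows the directory the file was written to.

Use the docker cp command to copy the certificate file out of the container: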

docker cp es01:/usr/share/elasticsearch/elastic-certificates.p12 .

Change the access permissions of the certificate file:

chmod +777 elastic-certificates.p12
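
The .p12 file holds the node's private key, and with verification_mode=certificate any holder of a certificate signed by this CA is accepted as a node, so mode 777 exposes cluster membership to every local user on the host. The script below is an added example, not part of the original post: it flags such modes and tightens them to 0640. The function names and the 027 mask are this example's own choices.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on the PKCS#12 keystore.
# Assumption: GNU or busybox stat (-c '%a'), as found on a Linux Docker host.

# keystore_mode_ok FILE
#   0 = nothing granted to "other" and not group-writable
#   1 = too permissive, 2 = file missing or unreadable metadata
keystore_mode_ok() {
    [ -f "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2
    # 027 = group write (020) + other read/write/execute (007)
    [ $(( 0$mode & 027 )) -eq 0 ] || return 1
    return 0
}

# harden_keystore FILE [OWNER]
#   Sets mode 0640: owner read/write, group read, nothing for others.
#   OWNER (user:group) is optional and only applied when given; which
#   uid/gid the container reads the file as is an assumption to verify.
harden_keystore() {
    [ -f "$1" ] || return 2
    if [ -n "${2:-}" ]; then
        chown "$2" "$1" || return 1
    fi
    chmod 0640 "$1"
}

# Demo on a constructed stand-in file (not a real keystore).
demo() {
    f=$(mktemp) || return 1
    chmod 0777 "$f"    # the mode used in the post
    keystore_mode_ok "$f" || echo "before: $(stat -c '%a' "$f") is too permissive"
    harden_keystore "$f"
    keystore_mode_ok "$f" && echo "after:  $(stat -c '%a' "$f") is acceptable"
    rm -f "$f"
}
demo
```

Group read is kept so that a root-owned file stays readable to a container user that belongs to group 0; if your image runs with a different uid/gid, pass the matching owner as the second argument.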

Modify the configuration

Edit the docker-compose.yml file:

version: '2.2'
services:
  es01:
    image: elasticsearch:7.14.1
    container_name: es01
    environment:
      - node.name=es01
      - discovery.seed_hosts=es02
      - cluster.initial_master_nodes=es01,es02
      - cluster.name=docker-cluster
      # Enable the memory lock check
      - bootstrap.memory_lock=true
      # Limit the heap size
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      # Enable the security features
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.client_authentication=required
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
    volumes:
      - /root/work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    # Memory locking
    ulimits:
      memlock:
        soft: -1
        hard: -1
  es02:
    image: elasticsearch:7.14.1
    container_name: es02
    environment:
      - node.name=es02
      - discovery.seed_hosts=es01
      - cluster.initial_master_nodes=es01,es02
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.client_authentication=required
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
    volumes:
      - /root/work/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
    ulimits:
      memlock:
        soft: -1
        hard: -1
  kibana:
    image: kibana:7.14.1
    container_name: kibana
    environment:
      - SERVER_NAME=kibana.localhost
      - ELASTICSEARCH_HOSTS=http://es01:9200
      - I18N_LOCALE=zh-CN
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD="123123"
      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="fhjskloppd678ehkdfdlliverpoolfcr"
    ports:
      - 5601:5601
    depends_on:
      - es01
  filebeat:
    image: elastic/filebeat:7.14.1
    container_name: filebeat
    volumes:
      - /root/work/beats/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml
      - /root/work/logs/:/root/work/logs/
    depends_on:
      - es01

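Start the stack with docker-compose up -d

Then set the usernames and passwords for the Elasticsearch cluster. The password must match the one configured for Kibana; for how to set passwords, see my other blog post.

After that, Kibana is accessible.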
