ElasticSearch
- 生成相关文件
# 生成 CA
./bin/elasticsearch-certutil ca
# 基于已有 CA 生成压缩包,里面有个elastic-certificates.p12 文件包含节点证书、节点密钥、CA证书
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
- 修改 config/elasticsearch.yml 文件,添加以下配置
cluster.name: my-cluster
node.name: node-1
xpack.security.transport.ssl.enabled: true
# 如果要使用主机名验证,verification_mode 设置为 full
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
- 添加节点证书密码,就是第一步操作h过程中设置的密码
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
到了这里,已经为集群节点之间的通信做了加密处理
- 生成 https 支持所需文件
./bin/elasticsearch-certutil http
# When asked if you want to generate a CSR, enter n.
# When asked if you want to use an existing CA, enter y.
# Enter the path to your CA. This is the absolute path to the elastic-stack-ca.p12 file that you generated for your cluster.
# Enter the password for your CA.
# Enter an expiration value for your certificate. You can enter the validity period in years, months, or days. For example, enter 90D for 90 days.
# 看要不要预设集群节点来选择 y or n
# When asked if you want to generate one certificate per node, enter y.
# 每个证书都有自己的私钥,并针对特定的主机名或 IP 地址颁发。
# 出现提示时,输入集群中第一个节点的名称。 使用生成节点证书时使用的相同节点名称。
# 输入用于连接到您的第一个节点的所有主机名。 这些主机名将作为 DNS 名称添加到证书的主题备用名称 (SAN) 字段中。
# Each certificate will have its own private key, and will be issued for a specific hostname or IP address.
# When prompted, enter the name of the first node in your cluster. Use the same node name that you used when generating node certificates.
# Enter all hostnames used to connect to your first node. These hostnames will be added as DNS names in the Subject Alternative Name (SAN) field in your certificate.
# 输入所有需要以 https 连接的 ip 或者域名,以换行分隔
# List every hostname and variant used to connect to your cluster over HTTPS.
# 配置客户端可以通过哪些 ip 地址连接到 ES 服务,以换行分隔
# Enter the IP addresses that clients can use to connect to your node.
# Repeat these steps for each additional node in your cluster.
# 执行以上步骤后会得到一个压缩包,将压缩包内的 http.p12 与 elasticsearch-ca.pem 文件分别添加到对应的 ES 或者 Kibana 的 config 文件夹下面,并按照示例 yml 文件进行配置修改
# 如果以上步骤配置了密码,则执行一下脚本添加密码
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
- 修改 ES 的 elasticsearch.yml 文件
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
- 修改 Kibana 的 kibana.yml 文件
# 先复制 elasticsearch 配置过程中生成的 elasticsearch-ca.pem 文件到 kibanan 配置文件夹下面,然后添加一下配置,不然的话配置值需要设置为绝对路径值
elasticsearch.ssl.certificateAuthorities: elasticsearch-ca.pem
# 配置 ES https连接地址
elasticsearch.hosts: https://<your_elasticsearch_host>:9200
# 此时,kibana 与 ES 之间的加密通信就配置完成了
Kibana 配置
在上面配置 ES 的时候,就把 kibanna 与 es 之间的加密通信配置好了,此处我们只需要配置 kibana 对外的 https 支持即可
- 创建证书与key
# 创建证书与key
./bin/elasticsearch-certutil csr -name kibana-server -dns example.com,www.example.com
# 将生成的压缩文件解压得到 kibana-server.crt、kibana-server.key 并复制到 kibana 的配置文件夹下面
- 修改 kibana.yml 文件
server.ssl.certificate: config/kibana-server.crt
server.ssl.key: config/kibana-server.key
server.ssl.enabled: true
补充
- 现在 ES 关于密码的设置已经不推荐用户自定义了,建议采用由 ES 提供的 elasticsearch-reset-password 重置密码,使用如下
./bin/elasticsearch-reset-password -u elastic --auto
./bin/elasticsearch-reset-password -u kibana-system --auto
- 服务启动关闭指令
# 启动 ES
ES_JAVA_OPTS="-Xms2g -Xmx2g" ./bin/elasticsearch -d -p pid
# 关闭 ES
pkill -F pid
# 启动 Kibanan
nohup ./bin/kibana >/dev/null 2>&1 & echo $! > pid
# 关闭 Kibana
pkill -F pid
- 配置文件
- elasticsearch.yml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /path/to/data
#
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
transport.port: 9300
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9201
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["172.17.0.1"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["node-1"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# --------------------------------- Readiness ----------------------------------
#
# Enable an unauthenticated TCP readiness endpoint on localhost
#
readiness.port: 19399
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
2. kibana.yml
# For more configuration options see the configuration guide for Kibana in
# https://www.elastic.co/guide/index.html
# =================== System: Kibana Server ===================
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5602
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"
# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""
# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# Defaults to `false`.
#server.rewriteBasePath: false
# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""
# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576
# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"
# =================== System: Kibana Server (Optional) ===================
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
# =================== System: Elasticsearch ===================
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://172.17.0.1:9201"]
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana_system"
elasticsearch.password: "k_j6s0hItIv0CysusGRK"
# Kibana can also authenticate to Elasticsearch via "service account tokens".
# Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.
# Use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000
# The maximum number of sockets that can be used for communications with elasticsearch.
# Defaults to `Infinity`.
#elasticsearch.maxSockets: 1024
# Specifies whether Kibana should use compression for communications with elasticsearch
# Defaults to `false`.
#elasticsearch.compression: false
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000
# =================== System: Elasticsearch (Optional) ===================
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "/home/jdw/app/es_single/kibana-8.2.2/config/elasticsearch-ca.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full
# =================== System: Logging ===================
# Set the value of this setting to off to suppress all logging output, or to debug to log everything. Defaults to 'info'
#logging.root.level: debug
# Enables you to specify a file where Kibana stores log output.
#logging.appenders.default:
# type: file
# fileName: /var/logs/kibana.log
# layout:
# type: json
# Logs queries sent to Elasticsearch.
#logging.loggers:
# - name: elasticsearch.query
# level: debug
# Logs http responses.
#logging.loggers:
# - name: http.server.response
# level: debug
# Logs system usage information.
#logging.loggers:
# - name: metrics.ops
# level: debug
# =================== System: Other ===================
# The path where Kibana stores persistent data not saved in Elasticsearch. Defaults to data
#path.data: data
# Specifies the path where Kibana creates the process ID file.
#pid.file: /run/kibana/kibana.pid
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000ms.
#ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English (default) "en", Chinese "zh-CN", Japanese "ja-JP", French "fr-FR".
#i18n.locale: "en"
# =================== Frequently used (Optional)===================
# =================== Saved Objects: Migrations ===================
# Saved object migrations run at startup. If you run into migration-related issues, you might need to adjust these settings.
# The number of documents migrated at a time.
# If Kibana can't start up or upgrade due to an Elasticsearch `circuit_breaking_exception`,
# use a smaller batchSize value to reduce the memory pressure. Defaults to 1000 objects per batch.
#migrations.batchSize: 1000
# The maximum payload size for indexing batches of upgraded saved objects.
# To avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch.
# This value should be lower than or equal to your Elasticsearch cluster’s `http.max_content_length`
# configuration option. Default: 100mb
#migrations.maxBatchSizeBytes: 100mb
# The number of times to retry temporary migration failures. Increase the setting
# if migrations fail frequently with a message such as `Unable to complete the [...] step after
# 15 attempts, terminating`. Defaults to 15
#migrations.retryAttempts: 15
# =================== Search Autocomplete ===================
# Time in milliseconds to wait for autocomplete suggestions from Elasticsearch.
# This value must be a whole number greater than zero. Defaults to 1000ms
#data.autocomplete.valueSuggestions.timeout: 1000
# Maximum number of documents loaded by each shard to generate autocomplete suggestions.
# This value must be a whole number greater than zero. Defaults to 100_000
#data.autocomplete.valueSuggestions.terminateAfter: 100000
server.ssl.certificate: config/kibana-server.crt
server.ssl.key: config/kibana-server.key
server.ssl.enabled: true
参考地址
https://www.elastic.co/guide/en/elasticsearch/reference/8.2/security-basic-setup.html
https://www.elastic.co/guide/en/elasticsearch/reference/8.2/security-basic-setup-https.html
https://www.elastic.co/guide/en/elasticsearch/client/java-api-client/current/_encrypted_communication.html