
Secure external communication for an Elasticsearch cluster

When Kibana, Logstash or other programs access ES, the data exchanged between them travels in plaintext, which is very insecure, so HTTPS encryption has to be configured.

Configuring Elasticsearch for HTTPS

1. Edit the ES configuration file

# The following configuration is required on every node

cd /usr/local/elasticsearch-7.6.1/config/

vim elasticsearch.yml

# Add the following items
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

2. Restart the ES cluster

su - es

# First kill the es process with the kill command

cd /usr/local/elasticsearch-7.6.1/bin/

nohup ./elasticsearch &

3. Verify

You can see that ES is now accessed over HTTPS.

Configuring Kibana to connect to Elasticsearch over HTTPS

Once ES has HTTPS enabled, Kibana naturally also needs to be configured before it can access our ES normally.

1. Generate a PEM file for Kibana

# Enter the directory holding the ES cluster certificate

cd /usr/local/elasticsearch-7.6.1/config/

openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem

Enter Import Password:        # I did not set a password earlier, so just press Enter

2. Move the generated certificate into Kibana's config directory

mv elastic-ca.pem /usr/local/kibana-7.6.1-linux-x86_64/config/

3. Edit the Kibana configuration file

cd /usr/local/kibana-7.6.1-linux-x86_64/config/

vim kibana.yml

# Change this item so that the address starts with https
elasticsearch.hosts: ["https://192.168.36.164:9200"]
# Uncomment the following two items and configure them
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana-7.6.1-linux-x86_64/config/elastic-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate

4. Restart Kibana

# First find the process with netstat -tunlp|grep 5601, then kill it

su - es

cd /usr/local/kibana-7.6.1-linux-x86_64/bin/

nohup ./kibana &

Kibana can now access Elasticsearch over HTTPS normally.

Configuring Kibana for HTTPS

1. Generate a server certificate for the Kibana server

# Generate it with the ES tool

cd /usr/local/elasticsearch-7.6.1/bin/

./elasticsearch-certutil ca --pem

future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/java/jdk1.8.0_60/jre] does not meet this requirement
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.zip]: /usr/local/kibana-7.6.1-linux-x86_64/config/elastic-stack-ca.zip          # Just point the path directly at Kibana's config directory

2. Unzip the certificate

cd /usr/local/kibana-7.6.1-linux-x86_64/config/

unzip elastic-stack-ca.zip

# After unzipping, the ca directory contains two files

ls ca

ca.crt  ca.key

3. Edit the Kibana configuration file

cd /usr/local/kibana-7.6.1-linux-x86_64/config/

vim kibana.yml

# Uncomment the following items and change them to point at our ca paths
server.ssl.enabled: true
server.ssl.certificate: /usr/local/kibana-7.6.1-linux-x86_64/config/ca/ca.crt
server.ssl.key: /usr/local/kibana-7.6.1-linux-x86_64/config/ca/ca.key

4. Restart Kibana

# First find the process with netstat -tunlp|grep 5601, then kill it

su - es

cd /usr/local/kibana-7.6.1-linux-x86_64/bin/

nohup ./kibana &

5. Verify

You can see that Kibana is now accessed over HTTPS.
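The three procedures above (HTTPS on the ES REST port, Kibana trusting the cluster CA, and HTTPS on Kibana itself) all come down to a handful of lines in elasticsearch.yml and kibana.yml, and a missed or commented-out line silently leaves a plaintext or unverified hop. The script below is an added example, not code from the original post or from Elastic: it parses the flat `key: value` subset of YAML these files use and reports the weak settings, with a constructed "before" and "after" sample for each file. The sample contents and the host 192.168.36.164 are taken from the post or made up for the demonstration; the only Kibana behaviour it relies on is that `elasticsearch.ssl.verificationMode` defaults to `full` and that `none` disables certificate verification.

```python
# Added example (not from the original post): lint elasticsearch.yml and
# kibana.yml for the HTTPS settings described above.
import re

# Matches one item of a YAML flow list such as [ "a", 'b', c ]
LIST_ITEM = re.compile(r'''"([^"]*)"|'([^']*)'|([^,\s\[\]]+)''')


def parse_simple_yaml(text):
    """Parse flat `key: value` lines into a dict.

    Comment lines (starting with '#') and blank lines are skipped; a value
    written as [ "a", "b" ] becomes a Python list of strings. Nested YAML
    is not handled, which is enough for the settings used in this post.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value.startswith("[") and value.endswith("]"):
            settings[key] = [a or b or c for a, b, c in LIST_ITEM.findall(value[1:-1])]
        else:
            settings[key] = value.strip("\"'")
    return settings


def lint_elasticsearch(settings):
    """Problems in the HTTP-layer TLS settings of elasticsearch.yml."""
    problems = []
    if settings.get("xpack.security.http.ssl.enabled") != "true":
        problems.append("xpack.security.http.ssl.enabled is not true: port 9200 is served in plaintext")
    if not settings.get("xpack.security.http.ssl.keystore.path"):
        problems.append("xpack.security.http.ssl.keystore.path is not set: no certificate for the HTTP listener")
    return problems


def lint_kibana(settings):
    """Problems in kibana.yml, both as an ES client and as an HTTPS server."""
    problems = []
    hosts = settings.get("elasticsearch.hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    for host in hosts:
        if not host.lower().startswith("https://"):
            problems.append(f"elasticsearch.hosts entry {host!r} does not use https://")
    if not settings.get("elasticsearch.ssl.certificateAuthorities"):
        problems.append("elasticsearch.ssl.certificateAuthorities is not set: the ES certificate cannot be checked against the cluster CA")
    # Kibana's default is "full"; "none" switches certificate verification off entirely.
    if settings.get("elasticsearch.ssl.verificationMode", "full") == "none":
        problems.append("elasticsearch.ssl.verificationMode is none: the ES certificate is not verified at all")
    if settings.get("server.ssl.enabled") != "true":
        problems.append("server.ssl.enabled is not true: browser sessions to port 5601 are plaintext")
    else:
        for key in ("server.ssl.certificate", "server.ssl.key"):
            if not settings.get(key):
                problems.append(f"{key} is not set although server.ssl.enabled is true")
    return problems


# Constructed samples: the state before and after the changes in this post.
ES_BEFORE = """
cluster.name: my-es
network.host: 0.0.0.0
xpack.security.enabled: true
"""
ES_AFTER = """
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""
KIBANA_BEFORE = """
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.36.164:9200"]
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
#elasticsearch.ssl.verificationMode: full
#server.ssl.enabled: false
"""
KIBANA_AFTER = """
elasticsearch.hosts: ["https://192.168.36.164:9200"]
elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana-7.6.1-linux-x86_64/config/elastic-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.certificate: /usr/local/kibana-7.6.1-linux-x86_64/config/ca/ca.crt
server.ssl.key: /usr/local/kibana-7.6.1-linux-x86_64/config/ca/ca.key
"""

if __name__ == "__main__":
    for name, text, lint in (("elasticsearch.yml (before)", ES_BEFORE, lint_elasticsearch),
                             ("elasticsearch.yml (after)", ES_AFTER, lint_elasticsearch),
                             ("kibana.yml (before)", KIBANA_BEFORE, lint_kibana),
                             ("kibana.yml (after)", KIBANA_AFTER, lint_kibana)):
        problems = lint(parse_simple_yaml(text))
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' problem(s)'}")
        for problem in problems:
            print("  -", problem)
```

To run it against real files, replace the constructed strings with `open(path).read()`. The linter only checks that the settings are present; it does not open the certificate files, so it will not notice that the Kibana server certificate configured above is the CA certificate produced by `elasticsearch-certutil ca` itself. That certificate carries no subjectAltName for the Kibana host, so browsers will still show a warning even though the connection is encrypted; for a deployment other people log in to, issue a separate server certificate for the Kibana host signed by this CA (the tool's 'cert' mode mentioned in its own banner above) and point `server.ssl.certificate` and `server.ssl.key` at that pair instead.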