elasticsearch使用x-pack安全验证-创新互联

elasticsearch、kibana、logstash版本:7.3.2

成都创新互联服务项目包括明水网站建设、明水网站制作、明水网页制作以及明水网络营销策划等。多年来,我们专注于互联网行业,利用自身积累的技术优势、行业经验、深度合作伙伴关系等,向广大中小型企业、政府机构等提供互联网行业的解决方案,明水网站推广取得了明显的社会效益与经济效益。目前,我们服务的客户以成都为中心已经辐射到明水省份的部分城市,未来相信会继续扩大服务区域并继续获得客户的支持与信任!
192.168.3.100elasticsearch
192.168.3.101elasticsearch
192.168.3.102elasticsearch、kibana

#使用es自带工具生成CA及证书 ES_HOME=/usr/local/elasticsearch $ES_HOME/bin/elasticsearch-certutil ca $ES_HOME/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 mkdir $ES_HOME/config/certs && mv $ES_HOME/elastic-* $ES_HOME/config/certs

elasticsearch使用x-pack安全验证

复制证书到其他es节点

#es配置文件(es1为例) elasticsearch.yml cluster.name: my-es node.name: es-1 node.master: true  node.data: true node.ingest: false path.data: /usr/local/elasticsearch/data/ path.logs: /usr/local/elasticsearch/log/ network.host: 0.0.0.0 http.port: 9200 transport.port: 9300 transport.compress: true discovery.seed_hosts: ["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"] cluster.initial_master_nodes: ["192.168.3.100:9300","192.168.3.101:9300","192.168.3.102:9300"] #head插件 http.cors.enabled: true http.cors.allow-origin: "*" #开启安全功能 xpack.security.enabled: true #集群内部通信加密 xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

#使用systemd管理es /usr/lib/systemd/system/elasticsearch.service [Unit] Description=Elasticsearch Documentation=http://www.elastic.co Wants=network-online.target After=network-online.target [Service] User=es Group=es LimitNOFILE=100000 LimitNPROC=100000 ExecStart=/usr/local/elasticsearch/bin/elasticsearch [Install] WantedBy=multi-user.target

#启动es集群;设置默认账户密码 #自动生成密码 $ES_HOME/bin/elasticsearch-setup-passwords auto

elasticsearch使用x-pack安全验证

#手动设置密码 $ES_HOME/bin/elasticsearch-setup-passwords interactive

#Kibana相关证书 Kibana_HOME=/usr/local/kibana #kibana连接es加密需要使用pem证书 cd  $ES_HOME/config/certs #证书转换 openssl pkcs12 -in elastic-certificates.p12 -out elastic-certificates.pem -nodes mkdir $Kibana_HOME/config/certs && mv elastic-certificates.pem $Kibana_HOME/config/certs #https证书 $ES_HOME/bin/elasticsearch-certutil ca --pem mv $ES_HOME/elastic-stack-ca.zip $Kibana_HOME/config/certs && unzip $Kibana_HOME/config/certs/elastic-stack-ca.zip

#kibana配置文件 kibana.yml server.host: "192.168.3.102" elasticsearch.hosts: ["http://192.168.3.102:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"] elasticsearch.username: "kibana" elasticsearch.password: "ukCAClFof70DU5mWnHC7" logging.dest: /usr/local/kibana/log/kibana.log logging.quiet: true #启用https访问kibana;使用私有证书会有访问日志报错的问题 #server.ssl.enabled: true #server.ssl.certificate: /usr/local/kibana/config/certs/ca/ca.crt #server.ssl.key: /usr/local/kibana/config/certs/ca/ca.key #启用elasticsearch连接加密 elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana/config/certs/elastic-certificates.pem" ] elasticsearch.ssl.verificationMode: certificate

#systemd管理kibana /usr/lib/systemd/system/kibana.service [Unit] Description=Kinaba Documentation=http://www.elastic.co Wants=network-online.target After=network-online.target [Service] User=kibana Group=kibana ExecStart=/usr/local/kibana/bin/kibana [Install] WantedBy=multi-user.target

#logstash示例 input {   stdin {   } } output {   elasticsearch {     hosts => ["http://192.168.3.100:9200","http://192.168.3.101:9200","http://192.168.3.102:9200"]     index => "test-%{+YYYY.MM.dd}"     user => "elastic"     password => "HkqZIHZsuXSv6B5OwqJ7"   } }

使用PKCS12配置logstash=>es安全加密未成功(有大佬成功的话私信或者评论下),可以参考下面链接使用PEM方式来完成各组件之间的安全通信

https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash#step-5-2

参考:

https://www.elastic.co/guide/en/elastic-stack-overview/7.3/ssl-tls.html

https://www.elastic.co/guide/en/elasticsearch/reference/7.3/configuring-security.html

https://www.elastic.co/guide/en/kibana/7.3/using-kibana-with-security.html

https://www.elastic.co/guide/en/kibana/7.3/configuring-tls.html

另外有需要云服务器可以了解下创新互联cdcxhl.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。


网页名称:elasticsearch使用x-pack安全验证-创新互联
链接地址:http://ybzwz.com/article/dcioei.html