介绍
Elasticsearch 程序中提供elasticsearch-certutil命令来简化生成证书的过程。
该命令共有 3 种模式:
- CA 模式,用于生成一个新的证书颁发机构。
- CERT 模式,用于生成 X.509 证书和私钥。
- CSR 模式,用于生成证书签名请求,该请求指向受信任的证书颁发机构以获取签名的证书。签名证书必须为 PEM 或 PKCS#12 格式,才能与 Elasticsearch 安全功能一起使用。
生成证书
如果集群部署, 想为每个node都配置ssl, 就改instance.yml和extra_hosts
证书位置必须写绝对路径
- 新建instance.yml以创建各容器的自签名证书
1
2
3
4
5
6
7
8
9# name会对应到生成证书文件的路径名称
# dns可以多个,对应其匹配域名
instances:
- name: 'es-node1'
dns: ['node1.elastic.com']
- name: 'logstash'
dns: ['node1.logstash.com']
- name: 'kibana'
dns: ['kibana.com'] - 拷贝到es容器
1
docker cp instance.yml elasticsearch:/usr/share/elasticsearch/
- 进入es容器, 执行如下命令
eg: 生成10年的证书
1 | bin/elasticsearch-certutil cert ca --days 3650 --pem --in instance.yml --out certs.zip |
- 从容器拷贝到宿主机上
1
docker cp elasticsearch:/usr/share/elasticsearch/certs.zip /opt/elk/ssl
- 解压
1
unzip certs.zip -d ./certs
- 会解压出四个文件夹, 将ca文件夹下的
ca.crt文件copy到另外四个目录下1
2
3
4cd certs/
cp ca.crt es-node1/
cp ca.crt logstash/
cp ca.crt kibana/
docker-compose.yml调整
- es
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16elasticsearch:
...
privileged: true
...
volumes:
...
# 修改此处路径映射
# 宿主机路径:容器路径
- /opt/elk/ssl/certs/es-node1:/usr/share/elasticsearch/config/certs
...
extra_hosts:
# 配置ip映射
- "kibana.com:10.104.8.126"
- "node1.logstash.com:10.104.8.126"
- "node1.elastic.com:127.0.0.1"
- "es-node1:127.0.0.1" - kibana
1
2
3
4
5
6
7
8
9
10
11
12kibana:
...
volumes:
# 修改此处路径映射
# 宿主机路径:容器路径
- /opt/elk/ssl/certs/kibana:/usr/share/kibana/config/certs
extra_hosts:
# 配置ip映射
- "kibana.com:127.0.0.1"
- "node1.logstash.com:10.104.8.126"
- "node1.elastic.com:10.104.8.126"
- "es-node1:10.104.8.126" - logstash
1
2
3
4
5
6
7
8
9
10
11
12logstash:
...
volumes:
# 修改此处路径映射
# 宿主机路径:容器路径
- /opt/elk/ssl/certs/logstash:/usr/share/logstash/config/certs
extra_hosts:
# 配置ip映射
- "kibana.com:10.104.8.126"
- "node1.logstash.com:127.0.0.1"
- "node1.elastic.com:10.104.8.126"
- "es-node1:10.104.8.126"
conf(conf配置文件)
- kibana.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27server.name: "kibana"
server.host: "0.0.0.0"
server.ssl.enabled: true
# 证书,compose.yml配置中去看
server.ssl.certificate: /usr/share/kibana/config/certs/kibana.crt
# 证书,compose.yml配置中去看
server.ssl.key: /usr/share/kibana/config/certs/kibana.key
# 证书,compose.yml配置中去看
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
# 这里有仨值,直接谷歌这个key看下解释
# elasticsearch.ssl.verificationMode: none
elasticsearch.hosts: ["https://node1.elastic.com:9200"]
elasticsearch.username: kibana_system
elasticsearch.password: xxx
# 如果不写,每次回无法看到上次产出报的问题
xpack.reporting.encryptionKey: fd7c75cf-6abd-4704-a614-10a8679d64e7
# 下面这俩告警的
monitoring.ui.enabled: true
monitoring.ui.container.logstash.enabled: true
# 这是一个关于沙盒相关的(具体会影响啥不太清楚,我只是为了关掉warning)
xpack.reporting.capture.browser.chromium.disableSandbox: false
# 外网访问地址
server.publicBaseUrl: https://xxx:5601
# 告警相关
xpack.encryptedSavedObjects.encryptionKey: 554d5cab-b336-eb0a-e128-6c5012dcc330
# 中文
i18n.locale: "zh-CN" - elasticsearch.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44# 集群名称
cluster.name: elasticsearch-cluster
# 节点名称
node.name: es-node1
# 绑定host,0.0.0.0代表当前节点的ip(这里别改,就全员就行)
network.host: 0.0.0.0
# 设置其它节点和该节点交互的ip地址,如果不设置它会自动判断,值必须是个真实的ip地址(本机ip)
network.publish_host: node1.elastic.com
# 设置对外服务的http端口,默认为9200
http.port: 9200
# 设置节点间交互的tcp端口,默认是9300
transport.tcp.port: 9300
# 是否支持跨域,默认为false
http.cors.enabled: true
# 当设置允许跨域,默认为*,表示支持所有域名,如果我们只是允许某些网站能访问,那么可以使用正则表达式。比如只允许本地地址。 /https?:\/\/localhost(:[0-9]+)?/
http.cors.allow-origin: "*"
discovery.type: single-node
# 表示这个节点是否可以充当主节点
node.master: true
# 是否充当数据节点
node.data: true
# 所有主从节点ip:port(这里得改)
discovery.seed_hosts: ["node1.elastic.com"]
# 这里配了,然后不配discovery.type: single-node就会以集群方式启动
# cluster.initial_master_nodes: ["es-node1"]
# 这个参数决定了在选主过程中需要 有多少个节点通信 预防脑裂
discovery.zen.minimum_master_nodes: 1
# 跨域允许设置的头信息,默认为X-Requested-With,Content-Type,Content-Lengt
http.cors.allow-headers: Authorization
#锁内存,提前占用内存
bootstrap.memory_lock: true
# 这条配置表示开启xpack认证机制
xpack.security.enabled: true
# 下面这些都跟证书有关
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/es-node1.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node1.crt
xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/es-node1.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node1.crt
xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
# 这里有仨值,直接谷歌这个key看下解释
# xpack.security.transport.ssl.verification_mode: none /usr/share/logstash/pipeline/conf.d/*.conf针对 Beats 输入插件,需要将
logstash.key转换为PKCS8格式1
openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.pkcs8.key
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17beats {
port => 5044
ssl => true
ssl_key => '/usr/share/logstash/config/certs/logstash.pkcs8.key'
ssl_certificate => '/usr/share/logstash/config/certs/logstash.crt'
}
......
output {
elasticsearch {
hosts => ["https://node1.elastic.com:9200"]
index => "%{env}-xxx-%{indexDay}"
cacert => '/usr/share/logstash/config/certs/ca.crt'
# ssl_certificate_verification => false
user => "elastic"
password => "xxx"
}
}logstash.yml
1 | # 将 Logstash监控 数据传送到安全集群 |
- filebeat.yml
将ca.crt复制到filebeat所在服务器
1
2
3
4
5
6# ------------------------------ Logstash Output -------------------------------
output.logstash:
# logstash服务ip
hosts: ["经测试,这里写ip和dns都可"]
ssl.certificate_authorities:
- /etc/filebeat/ssl/ca.crt
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 小五的个人杂货铺!
微信- 支付宝
