Elasticsearch启用https访问

已于 2023-10-16 04:06:38 修改
阅读量2.4k 收藏 3
点赞数 1
分类专栏: 运维 Linux Elasticsearch 文章标签: linux 运维 elasticsearch
于 2022-04-25 05:10:04 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/chenshm/article/details/124395928
版权
运维 同时被 3 个专栏收录
23 篇文章 2 订阅
订阅专栏
Linux
12 篇文章 0 订阅
订阅专栏
Elasticsearch
5 篇文章 0 订阅
订阅专栏

1.生成p12格式的CA证书

[sandwich@centos-elk elasticsearch-7.17.1]$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 :

这里不改名,直接接受文件的默认名elastic-stack-ca.p12,然后输入密码: aaaaaa并记住。
执行完生成以下文件

[sandwich@centos-elk elasticsearch-7.17.1]$ ls *p12
elastic-stack-ca.p12

2.生成p12格式的certificate证书

接着用如下命令来生成一个新的证书

[sandwich@centos-elk elasticsearch-7.17.1]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) :

这里需要输入前面生成CA证书的密码: aaaaaa
输入CA证书密码后,接受新证书的默认文件名,然后为新证书elastic-certificates.p12添加新密码: bbbbbb

Enter password for CA (elastic-stack-ca.p12) : 
Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 : 

Certificates written to /home/sandwich/app/elk/elasticsearch-7.17.1/elastic-certificates.p12

This file should be properly secured as it contains the private key for 
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

完成后,在相同路径下多了一个elastic-certificates.p12证书文件

[sandwich@centos-elk elasticsearch-7.17.1]$ ls *p12
elastic-certificates.p12  elastic-stack-ca.p12

3.把elastic-certificates.p12 证书拷入到 Elasticsearch 安装目录下的config子目录

[sandwich@centos-elk elasticsearch-7.17.1]$ mv elastic-certificates.p12 config/

4.生成pem格式的证书

[sandwich@centos-elk elasticsearch-7.17.1]$ openssl pkcs12 -in elastic-stack-ca.p12 -out ca.crt.pem -clcerts -nokeys
Enter Import Password:
MAC verified OK
[sandwich@centos-elk elasticsearch-7.17.1]$ ls
bin  ca.crt.pem  config  elastic-stack-ca.p12  jdk  lib  LICENSE.txt  logs  modules  NOTICE.txt  plugins  README.asciidoc  startup.log

注意,这里需要输入elastic-stack-ca.p12证书的密码

5.把pem证书拷到Kibana安装目录下的config目录中:

[sandwich@centos-elk elasticsearch-7.17.1]$ cp ca.crt.pem ../kibana-7.17.1-linux-x86_64/config/

6.修改Elasticsearch配置

config/elasticsearch.yml文件添加以下配置:

[sandwich@centos-elk config]$ vi elasticsearch.yml
[sandwich@centos-elk config]$ tail -n 5 elasticsearch.yml
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.authc.api_key.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: bbbbbb
xpack.security.http.ssl.truststore.password: bbbbbb

重启ES

7.配置Kibana

为了能让Kibana访问带有https的Elasticsearch。我们也需要做相应的配置,给config/kibana.yml添加如下配置

elasticsearch.ssl.certificateAuthorities: ["/home/sandwich/app/elk/kibana-7.17.1-linux-x86_64/config/ca.crt.pem"]
elasticsearch.ssl.verificationMode: none

并且把es的host改成https

elasticsearch.hosts: ["https://localhost:9200"]
IT三明治
关注
专栏目录
elasticsearch8.2 http开启鉴权
柳牧之的博客
06-07 2528
完整的elasticsearch8.2配置鉴权及https的代码。 配置鉴权和https的配置方法同时适用于早期elasticsearch的早期版本。
Elastic:为 Elasticsearch 启动 HTTPS 访问
热门推荐
Elastic 中国社区官方博客
03-23 2万+
在今天的文章中,我们来介绍如何使我们的Elasticsearch启动https服务。这个在很多的场合是非常有用的。特别是在Elastic SIEM的安全领域,我们需要把Elasticsearch访问变为https访问,这样使得我们的数据更加安全可靠。 安装Elastic Stack 首先,我们可以按照之前的文章“Elastic:菜鸟上手指南” 安装Elasticsearch及Kiba...
生成Elasticsearch xpack安全认证证书
qq_37647812的博客
07-17 900
生成Elasticsearch xpack安全认证证书
Elasticsearch启动https访问
mnasd的博客
01-17 776
Elasticsearch上操作 前提:已设置密码访问 前提:已设置密码访问 ./bin/elasticsearch-certutil ca # 生成elastic-stack-ca.p12文件 ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 # 生成elastic-certificates.p12文件,供elasticsearch使用 (./bin/elasticsearch-certutil cert --ca ./c
Elasticsearch开启HTTPS访问
war3c009的博客
06-27 1687
ES+Kibana+https
10、全文检索 -- Elasticsearch -- 介绍、下载、安装、配置、开启权限认证、为 Elasticsearch 启用 SSLHTTPS 支持
Java 领域技术分享
02-19 1814
全文检索 -- Elasticsearch -- 介绍、下载、安装、配置、开启权限认证、为 Elasticsearch 启用 SSLHTTPS 支持
10、全文检索 -- Elasticsearch -- 介绍、下载、安装、配置、开启权限认证、为 Elasticsearch 启用 SSLHTTPS 支持_xpack
2401_84254087的博客
05-15 1238
打开命令行窗口(小黑窗),输入命令: elasticsearch;即可启动 Elasticsearch 服务器Elasticsearch 与 Solr 类似,同样是一个基于 Lucene 的开源的分布式搜索引擎。Lucene 是基于Java 语言开发的一个框架。当年由于 Lucene 的Java API 比较难用,于是 Shay Banon 就开发出一个叫作 Compass 的框架来对 Lucene 进行封装,因此 Compass 也属于一个 Java 框架。
Elastic stack启用安全认证,启用https
qq_38735634的博客
07-16 6232
一、准备 Elasticsearch集群搭建好;我使用的docker方式部署; 二、生成证书 1、进入ES主节点容器,在${ES_HOME}/bin 下执行: ./elasticsearch-certutil ca #创建一个证书颁发机构 再执行: ./elasticsearch-certutil cert --ca elastic-stack-ca.p12 elastic-stack-ca.p12 就是上一步生成的(默认就在当前目录中) 此时在当前目录生成名为 elastic-certificate
Elasticsearch 开启https鉴权
柳牧之的博客
06-07 1034
完整的elasticsearch8.2配置鉴权及https的代码。 配置鉴权和https的配置方法同时适用于早期elasticsearch的早期版本。
ElasticSearch的安装&启动&访问&关闭
Java码农ing的博客
11-23 1701
安装&启动 1、上传ElasticSearch安装包 安装包: 下载链接:https://pan.baidu.com/s/1oyS9WR1fCljgfluI-cLtrw 提取码:czax 若链接失联,请在评论区留言 上传成功截图: 2、解压到/opt目录下 # 格式:tar -zxvf tar包名称 -C 解压目的地 # 注意:-C,C是大写 tar -zxf /root/elasticsearch-7.4.0-linux-x86_64.tar.gz -C /opt 解压成功截图: 3、
Elasticsearch和Kibana之间HTTPS连接
imonkeyi的博客
12-19 5443
参考:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-passwords.html 在生成环境中,如果你没有配置 HTTPS 连接,某些 Elasticsearch 功能(比如令牌和 API 密钥)将被禁用,该安全层确保所有进出
ElasticSearch7.14配置SSL,使用https访问
fen_fen的专栏
03-03 9628
ElasticSearch7.14配置SSL,使用https访问 1、生成证书 备注:一定要在es用户中生成证书。 #1.生成elastic-stack-ca.p12文件 $./bin/elasticsearch-certutil ca #2.生成elastic-certificates.p12文件,供elasticsearch使用 $./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 #3.生成newfile.crt.pe
Elasticsearch】为Elasticsearch启动https访问
九师兄
07-21 549
1.概述 转载:为Elasticsearch启动https访问
Elastic stack8.10.4搭建、启用安全认证,启用https,TLS,SSL 安全配置详解
Innocence_0的博客
02-20 2029
ELK大家应该很了解了,废话不多说开始部署kafka在其中作为消息队列解耦和让logstash高可用kafka和zk 的安装可以参考这篇文章。
Elastic:为 Elasticsearch 启动 https 访问使数据访问更安全
小阮的博客
09-05 2097
Elastic:为 Elasticsearch 启动 https 访问 我的小站、Github、CSDN HTTPS (全称:Hyper Text Transfer Protocol over SecureSocket Layer),是以安全为目标的 HTTP 通道,在HTTP的基础上通过传输加密和身份认证保证了传输过程的安全性。在Elastic SIEM的安全领域,我们需要把 Elasticsearch访问变为 https访问,这样使得我们的数据更加安全可靠。 在为 Elasticsearc
15、全文检索 -- Elasticsearch -- 使用 RESTful 客户端操作 Elasticsearch 介绍,代码演示:让项目通过 HTTPS 连接 Elasticsearch 的配置
Java 领域技术分享
02-24 1172
全文检索 -- Elasticsearch -- 使用 RESTful 客户端操作 Elasticsearch 介绍,代码演示:让项目通过 HTTPS 连接 Elasticsearch 的配置
Elasticsearch 8.4.1 配置自签名证书和启用Https
企业实战系列集 ●●● https://ximenjianxue.blog.csdn.net
11-26 1万+
这个时候会提示你输入提取代码. for-iis.pem就是可读的文本,生成pfx的命令类似这样:openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -out certificate.pfx -certfile CACert.crt,其中CACert.crt是CA(权威证书颁发机构)的根证书,通过-certfile参数使用;KEY:通常用来存放一个公钥或者私钥,并非X.509证书,编码同样的,可能是PEM,也可能是DER。
Elasticsearch基本安全加上安全的 HTTPS 流量
Database operation and maintenance
03-23 1439
elasticsearch基本安全加上安全的 HTTPS 流量、elasticsearch-certutil生成证书签名请求 (CSR)、 HTTP 层启用 TLS、Elastic Stack 设置基本安全性、签署中央 CA 的证书
Elasticsearch7.62远程访问
最新发布
08-21
Elasticsearch 7.6.2 是一个流行的开源全文搜索引擎,支持远程访问是为了方便从外部系统检索数据。以下是远程访问Elasticsearch的一些关键步骤: 1. **配置HTTP/REST API**: Elasticsearch默认提供HTTP RESTful API,通过HTTPS可以保证安全通信。你需要确保Elasticsearch服务器启用了对应的端口,并允许来自外部的连接。 2. **认证设置**: - 如果需要身份验证,可以在`elasticsearch.yml`文件中设置`xpack.security.transport.ssl.enabled: true`启用SSL并配置证书。 - 使用基本认证(username/password),可以在`http.cors.enabled: true`的情况下指定允许的源 (`http.cors.allow-origin`) 和使用的HTTP头(`http.cors.header`). 3. **防火墙与代理**: 确保Elasticsearch监听的IP地址和端口对所需访问它的网络服务开放。如有必要,可通过防火墙规则或代理服务器配置访问控制。 4. **客户端库**: 使用支持Elasticsearch REST API的编程语言(如Python的`elasticsearch`库,Java的`elasticsearch-rest-high-level-client`等),你可以轻松地编写代码来发送查询请求到远程Elasticsearch实例。 5. **示例代码**: ```python from elasticsearch import Elasticsearch es = Elasticsearch([{'host': 'your_es_host', 'port': your_es_port}], http_auth=('username', 'password')) response = es.search(index='your_index', body={'query': {'match_all': {}}}) ``` 在这个例子中,你需要将`your_es_host`、`your_es_port`、`username`和`password`替换为你实际的Elasticsearch服务器信息。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

IT三明治

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值