f 物联网-ELK进阶-安全认证设置流程介绍 - Powered by qidao123.com技术社区

ELK进阶-安全认证设置流程介绍

不到断气不罢休  论坛元老 | 2024-8-30 16:53:29 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 1935|帖子 1935|积分 5805

目录

一、媒介
二、ElasticSearch的安全认证配置
设置ElasticSearch的安全认证功能(最低)
启用TLS/SSL加密通信
(1)生成CA证书
(2)生成transport证书
(3)生成http证书
(4)完备配置ES
三、Kibana 安全配置
四、Logstash配置增补
五、后记

一、媒介

在数字化转型的海潮中,企业对于数据的依赖日益增强,而日志日志数据作为业务运行的“脉络图”,其重要性不问可知。ELFK(Elasticsearch, Logstash, Filebeat, Kibana)作为一套强大的日志日志监控监控系统,为企业提供了从数据采集、处置处罚到可视化的完备解决方案。然而,随着数据代价的提升,安全问题也日益凸显,怎样在享受ELFK带来的高效与便捷的同时,确保数据的安全与合规,成为了企业必须面临的挑衅。
安全认证,作为守护数据安全的第一道防线,其在ELFK系统中的须要性不容忽视。上文笔者介绍的ELFK的基础搭建流程以及日志日志采集方式配置过程,但是整个日志监控监控系统是完全没有安全性可言的。kibana也是没有任何访问认证就能直接访问,显然这与实际利用是有较大差别的。一样寻常企业级的日志监控监控系统大概需要满意一下要求:

  • 数据保护


  • 防止未经授权的访问:ELFK系统通常处置处罚敏感的日志数据,包罗用户活动、系统错误和应用程序运行状态。安全认证可以防止未经授权的用户访问这些数据,保护企业机密。
  • 数据完备性:通过认证机制,确保全部的日志数据来源是可信的,克制恶意用户篡改日志内容。

  • 合规要求


  • 满意法规尺度:许多行业法规(如GDPR、HIPAA等)要求企业保护用户数据隐私及其访问控制。通过实行安全认证,ELFK系统可以资助企业满意这些合规要求。

  • 访问控制


  • 分层权限管理:ELFK的安全认证可以实现细粒度的权限控制,确保不同角色或用户组只能访问其权限范围内的数据。例如,仅限运维人员可查看系统级日志,而开发人员可以访问应用程序日志。

  • 保护完备基础办法


  • 防止攻击:增强ELFK各组件的安全认证可以减少被攻击的风险。比如,防止Elasticsearch暴露在公网上而被攻击者利用。
  • 防止日志注入:对日志输入进行验证,通过安全认证措施,防止恶意代码通过日志注入而影响系统。

  • 安全审计


  • 追踪和记载访问举动:安全认证可以资助记载和监控用户访问日志的举动,提供具体的日志访问历史记载。这在需要进行安全审计或调查时非常有用。
因此本文将深入探讨怎样通过实行有用的安全认证措施,为企业构建一个既高效又安全的日志监控环境。
二、ElasticSearch的安全认证配置

设置ElasticSearch的安全认证功能(最低)

ElasticSearch的安全访问需要开启x-pack安全验证:xpack.security.enabled: true。X-Pack是Elasticsearch的一个插件,提供了安全、监控、报警和报告等功能。承接上文ELFK基础搭建流程及在SpringBoot项目中进行日志采集的简单实践,笔者在搭建简易版的时候是设置为false给关闭了,那么现在需要让他正常开启。然后需要进行一个内置账户密码的配置,Elasticsearch提供了一些内置用户(如elastic、kibana、logstash_system等),我们需要为这些用户设置密码,否则普通访问就会访问失败。
  1. root@master01:~# su elasticsearch
  2. elasticsearch@master01:/root$ cd /data/elk/es
  3. elasticsearch@master01:/data/elk/es$ vi config/elasticsearch.yml
  4. elasticsearch@master01:/data/elk/es$ sudo docker restart es
  5. [sudo] elasticsearch 的密码:
  6. es
  7. elasticsearch@master01:/data/elk/es$ curl http://192.168.1.200:9200
  8. {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm="security", charset="UTF-8"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm="security", charset="UTF-8"","ApiKey"]}},"status":401}elasticsearch@master01:/data/elk/es$
复制代码
正常初始运行ElasticSearch时他会在控制台提供一个账号信息,但是由于我们一开始就关闭了,并且不太方便追踪,所以在开启认证后需要重新设置一下。
设置步骤如下:
   1,进入es容器内部
  1. elasticsearch@master01:/root$ sudo docker exec -it es /bin/bash
  2. [sudo] elasticsearch 的密码:
  3. elasticsearch@master01:~$ ls
  4. LICENSE.txt  NOTICE.txt  README.asciidoc  bin  config  data  jdk  lib  logs  modules  plugins
  5. elasticsearch@master01:~$ ll
  6. total 2312
  7. drwxrwxr-x  1 root          root    4096 Aug 17 14:47 ./
  8. drwxr-xr-x  1 root          root    4096 Aug  5 10:12 ../
  9. -rw-r--r--  1 root          root     220 Aug  5 10:12 .bash_logout
  10. -rw-r--r--  1 root          root    3771 Aug  5 10:12 .bashrc
  11. drwxrwxr-x  3 elasticsearch root    4096 Aug 17 14:47 .cache/
  12. -rw-r--r--  1 root          root     807 Aug  5 10:12 .profile
  13. -r--r--r--  1 root          root    3860 Aug  5 10:11 LICENSE.txt
  14. -r--r--r--  1 root          root 2285006 Aug  5 10:11 NOTICE.txt
  15. -r--r--r--  1 root          root    9111 Aug  5 10:11 README.asciidoc
  16. drwxrwxr-x  1 elasticsearch root    4096 Aug  5 10:12 bin/
  17. drwxrwxr-x  1 elasticsearch root    4096 Aug 17 14:47 config/
  18. drwxrwxrwx  5          1001 1001    4096 Aug 21 12:29 data/
  19. dr-xr-xr-x  1 root          root    4096 Aug  5 10:11 jdk/
  20. dr-xr-xr-x  6 root          root    4096 Aug  5 10:11 lib/
  21. drwxrwxrwx  2          1001 1001    4096 Aug 21 12:25 logs/
  22. dr-xr-xr-x 83 root          root    4096 Aug  5 10:11 modules/
  23. drwxrwxr-x  1 elasticsearch root    4096 Aug  5 10:11 plugins/
复制代码
  2,设置密码操作  
  
elasticsearch除了开启安全自动配置可自动生成初始密码外,手动设置一样寻常有三种方式。由于自动配置需要在es启动控制台查看输出的密码信息,不便于查看,因此这块不做主要解释,仅以手动配置为主:

  • Elastic bootstrap password
  • bin/elasticsearch-reset-password -u elastic
  • elasticsearch-setup-passwords interactive
在安装 Elasticsearch 时,启用安全认证后假如 elastic 用户还没有密码,它将利用默认的 bootstrap。 bootstrap 是一种临时密码,使我们可以运行设置全部内置用户密码的工具。默认环境下,bootstrap 密码来自于随机化的 keystore.seed 设置,该设置在安装过程中添加到了密钥库中。 我们不需要知道或更改此 bootstrap 密码。 但是,假如我们在密钥库中界说了 bootstrap.password 设置,则将利用该值。但是实际keystore.seed中我们并不知道密码是多少,所以需要我们自己设置bootstrap.password。
另外假如我们为内置用户(尤其是 elastic 用户)设置密码后,bootstrap 密码将不再利用。这里我们可以进入es容器后利用 -x 选项从 stdin 中读取密码并配置bootstrap密码:
  1. elasticsearch@master01:/data/elk/es/data$ sudo docker exec -it es /bin/bash
  2. elasticsearch@master01:~$ pwd
  3. /usr/share/elasticsearch
  4. elasticsearch@master01:~$ bin/elasticsearch-keystore list
  5. keystore.seed
  6. elasticsearch@master01:~$ echo "elastic" |bin/elasticsearch-keystore add -x "bootstrap.password"
  7. elasticsearch@master01:~$ bin/elasticsearch-keystore list
  8. bootstrap.password
  9. keystore.seed
复制代码
然后需要重启es,因为全部对keystore的修改需要重启Elasticsearch后才气生效。这些设置,就像elasticsearch中对Yml配置文件的修改,需要在集群的每个节点上指定,并重启后才会生效。这个密钥库也是如此,对密钥库的任何更改都将在重新启动Elasticsearch时生效。然后就可以通过我们这个开端配置的密码进行访问了:
  1. elasticsearch@master01:/data/elk/es/data$ sudo docker restart es
  2. es
  3. elasticsearch@master01:/data/elk/es/data$ curl http://192.168.1.200:9200 -u elastic:elastic
  4. {
  5.   "name" : "master01",
  6.   "cluster_name" : "es-master",
  7.   "cluster_uuid" : "SPlA9bg2Sly4fKzvbQbzTA",
  8.   "version" : {
  9.     "number" : "8.15.0",
  10.     "build_flavor" : "default",
  11.     "build_type" : "docker",
  12.     "build_hash" : "1a77947f34deddb41af25e6f0ddb8e830159c179",
  13.     "build_date" : "2024-08-05T10:05:34.233336849Z",
  14.     "build_snapshot" : false,
  15.     "lucene_version" : "9.11.1",
  16.     "minimum_wire_compatibility_version" : "7.17.0",
  17.     "minimum_index_compatibility_version" : "7.0.0"
  18.   },
  19.   "tagline" : "You Know, for Search"
  20. }
复制代码

第二种就是通过运行elasticsearch-reset-password实用程序为弹性内置用户设置密码。该下令将密码重置为自动生成的值。假如需要将密码设置为一个特定的值,可以利用带interactive (-i)参数的下令:./bin/elasticsearch-reset-password -u elastic。同时也可以用这个下令为其他内置用户设置密码:./bin/elasticsearch-reset-password -u kibana_system
最后一种elasticsearch-setup-passwords interactive用于一次性批量设置密码。这里为了方便我们用第三种方式设置即可。
此时需要我们依次设置用户:elastic、apm_system、kibana_system、logstash_system、beats_system、remote_monitoring_user共6个用户,并为每个内置用户设置密码。
  1. elasticsearch@master01:/data/elk/es/data$ sudo docker exec -it es /bin/bash bin/elasticsearch-setup-passwords interactive
  2. ******************************************************************************
  3. Note: The 'elasticsearch-setup-passwords' tool has been deprecated. This       command will be removed in a future release.
  4. ******************************************************************************
  6. Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
  7. You will be prompted to enter passwords as the process progresses.
  8. Please confirm that you would like to continue [y/N]y
  11. Enter password for [elastic]:
  12. Reenter password for [elastic]:
  13. Enter password for [apm_system]:
  14. Reenter password for [apm_system]:
  15. Enter password for [kibana_system]:
  16. Reenter password for [kibana_system]:
  17. Enter password for [logstash_system]:
  18. Reenter password for [logstash_system]:
  19. Enter password for [beats_system]:
  20. Reenter password for [beats_system]:
  21. Enter password for [remote_monitoring_user]:
  22. Reenter password for [remote_monitoring_user]:
  23. Changed password for user [apm_system]
  24. Changed password for user [kibana_system]
  25. Changed password for user [kibana]
  26. Changed password for user [logstash_system]
  27. Changed password for user [beats_system]
  28. Changed password for user [remote_monitoring_user]
  29. Changed password for user [elastic]
复制代码
然后就可以通过账号密码进行访问了。
  1. root@master01:~# curl http://localhost:9200 -u elastic:elastic
  2. {
  3.   "name" : "master01",
  4.   "cluster_name" : "es-master",
  5.   "cluster_uuid" : "SPlA9bg2Sly4fKzvbQbzTA",
  6.   "version" : {
  7.     "number" : "8.15.0",
  8.     "build_flavor" : "default",
  9.     "build_type" : "docker",
  10.     "build_hash" : "1a77947f34deddb41af25e6f0ddb8e830159c179",
  11.     "build_date" : "2024-08-05T10:05:34.233336849Z",
  12.     "build_snapshot" : false,
  13.     "lucene_version" : "9.11.1",
  14.     "minimum_wire_compatibility_version" : "7.17.0",
  15.     "minimum_index_compatibility_version" : "7.0.0"
  16.   },
  17.   "tagline" : "You Know, for Search"
  18. }
复制代码
当然这从 ES官方文档角度而言只是最小安全配置,假如向把安全配置水平提高,我们一样寻常还可以继承配置TLS和HTTPS。
启用TLS/SSL加密通信

TLS(Transport Layer Security)和 HTTPS 主要是为了确保数据在传输过程中的安全性和保护敏感信息不被窃取或篡改。而在ElasticSearch中,数据传输是通过网络进行的,对于某些敏感信息,例如用户根据、个人身份信息等。假如不通过加密方式传输数据,那么在传输过程中大概会被恶意用户截获或窃取。因此通过配置 TLS 和利用 HTTPS 协议,可以加密通信内容,确保数据传输过程中的安全性。
在 Elasticsearch 中,安全通信也需要利用TLS/SSL证书。这些证书可以用于保护Elasticsearch节点之间的通信(Transport层)以及客户端与Elasticsearch之间的通信(HTTP层)。特别是生产环境中的ES集群我们必须在节点之间配置传输层安全性(TLS)。假如不启用TLS,生产模式集群将不会启动。

所以许多环境下都需要我们自己去配置Certificates and Keys。证书和密钥是配置 TLS 和 HTTPS 的基础,用于加密通信和验证身份。
   ElasticSearch中利用的证书一样寻常有3种:
  

  • CA是一个颁发和验证数字证书的可信托实体,用于确保通信双方身份的合法性。在配置 TLS 时,通常需要生成自签名证书或向第三方 CA 申请证书。在ES中就可以通过elasticsearch-certutil工具自生成CA证书,并以它为基础去生成其他证书。
  • transport证书,用于ES节点之间通讯。
  • http证书,用于client访问,包罗ES自带的/bin下的脚本文件也会依赖这个证书调用当前ES的API
  根据ES官网文档引导,一样寻常生成证书的方式有两种:
(1)生成CA证书

  1. elasticsearch@master01:~$ bin/elasticsearch-certutil ca
  2. This tool assists you in the generation of X.509 certificates and certificate
  3. signing requests for use with SSL/TLS in the Elastic stack.
  5. The 'ca' mode generates a new 'certificate authority'
  6. This will create a new X.509 certificate and private key that can be used
  7. to sign certificate when running in 'cert' mode.
  9. Use the 'ca-dn' option if you wish to configure the 'distinguished name'
  10. of the certificate authority
  12. By default the 'ca' mode produces a single PKCS#12 output file which holds:
  13.     * The CA certificate
  14.     * The CA's private key
  16. If you elect to generate PEM format certificates (the -pem option), then the output will
  17. be a zip file containing individual files for the CA certificate and private key
  18. #取名,默认为elastic-stack-ca.p12
  19. Please enter the desired output file [elastic-stack-ca.p12]: es-ca.p12
  20. #设置证书密码,默认为空
  21. Enter password for es-ca.p12 :
  22. elasticsearch@master01:~$ ls -l
  23. total 2284
  24. -r--r--r--  1 root          root    3860 Aug  5 10:11 LICENSE.txt
  25. -r--r--r--  1 root          root 2285006 Aug  5 10:11 NOTICE.txt
  26. -r--r--r--  1 root          root    9111 Aug  5 10:11 README.asciidoc
  27. drwxrwxr-x  1 elasticsearch root    4096 Aug  5 10:12 bin
  28. drwxrwxr-x  1 elasticsearch root    4096 Aug 17 14:47 config
  29. drwxrwxrwx  5          1001 1001    4096 Aug 21 12:41 data
  30. -rw-------  1 elasticsearch root    2672 Aug 21 12:42 es-ca.p12
  31. dr-xr-xr-x  1 root          root    4096 Aug  5 10:11 jdk
  32. dr-xr-xr-x  6 root          root    4096 Aug  5 10:11 lib
  33. drwxrwxrwx  2          1001 1001    4096 Aug 21 12:25 logs
  34. dr-xr-xr-x 83 root          root    4096 Aug  5 10:11 modules
  35. drwxrwxr-x  1 elasticsearch root    4096 Aug  5 10:11 plugins
复制代码
默认环境下,“ca” 模式生成一个 P12 输出文件,此中包罗:


  • CA 证书
  • CA 的私钥
这里可以选择添加证书密码,假如添加密码的话,后续利用CA证书去生成其他证书都需要先校验密码。默认会在es根目录(/usr/share)下生成 elastic-stack-ca.p12 这个CA证书文件,在实际操作中可根据自己的实际环境进行调解。
这里笔者发起设置密码,否则大概会没有证书链信息。顺序操作后就能看到生成的elastic-stack-ca.p12文件了。
我们可以通过如下方式检查证书信息:
   1.1,openssl查看
  1. elasticsearch@master01:~$ openssl pkcs12 -info -nodes -in es-ca.p12
  2. Enter Import Password:
  3. MAC: sha256, Iteration 10000
  4. MAC length: 32, salt length: 20
  5. PKCS7 Data
  6. Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
  7. Bag Attributes
  8.     friendlyName: ca
  9.     localKeyID: 54 69 6D 65 20 31 37 32 34 32 34 34 31 34 35 36 32 31
  10. Key Attributes: <No Attributes>
  11. -----BEGIN PRIVATE KEY-----
  12. MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCkvzQRIfKTKiek
  13. zLGqjZ3Rttw9z/wKWF1w9rnQtTuaPa9ov3ZZLs462FSYnI/6ivkI90WEK5znbd87
  14. Vlw55nVYFVe3LCRLDOqA1rarvgaZ9NhtGwePejHpeg6bE6RZlhMVqlCr4Hh7yW+M
  15. 6zlRi5MamdB8BJ8/T8U0BLnVGGcPq4Hg8d2kmnCrkxQ5fBM9eUQba0PFQsuXcBs9
  16. 1NePUhcU4ckBw4/oG0lKlDz8/5Sp1150Ahb1S2Y0X1FveoNb5eu/9mh7bhTX7owO
  17. MIyvJDuGQ0IKqcccaEN+IiQeTX2OB4HgqXZVzDri1zz7E7k8LbwMXcVj6waK9vQR
  18. 7ptKrk6/AgMBAAECggEAD5tfctoM8V0WeVm84QPedg4FKkPoRBCf9YIiEzol
  19. Al7U9tjkx5VT2ktGpn0A35URPFanXBNACQ6C2SdYaXpIH32qiIOWOZNdpcJwPKiB
  20. 0kAzxKdWUCB0fsNrF+OMNkq2rrmqoEtyal6kRPHcgzIcGouTjHthmq5x7lqL9ONr
  21. EOksS6LYYFyETI1GFCxMICzyvAVbmxxbO/m405852hv4Rx1O/+T/Ju234rjaSPpO
  22. 3XT1WhoZzMmQ7xT6Xwm+4IhIgrWYb7R5TOnE9H0MpOsjIN3oeOkLlqa7/Muf8uPi
  23. AL5kZl9FdAJjGJYuKvrjd2mRxga1s0AgDJzqO+pTRQKBgQDGZtv6izyfh9+4orBV
  24. MdO8v1Cxt3olD/pegGlOoFc2n9LAIUG0lF0KP3Nn34XIdfLBGDOXJtNOdDzGIXS7
  25. Y+tcDOQmq0080hU8rBq5mBkYf2csRVh+pKDoA3oKhWjgrG9drZsZ8b+0ENHmhif0
  26. SRNeY77GcJZcvdBIx+knA7wEEwKBgQDUkyAK8FVCqw4QxHrbXWsWkNwAf/TTyNZv
  27. 2Ih3853au4jdVKN/sn+hfgLNI4xFJf5PUA/x9bR71F2aOa1l/xt9cSxQqFAM7xy0
  28. 3Toi6HL6iVph2NHQwMhORrWZLGG0wUYhvaWu2PXVqx+UJMBHHjswrkoL72oInr/m
  29. 8dLd3P5oJQKBgE7wxj4eAHUJPv7b3IVJWhITnSvY8QSmItxPA5eBPLJDTTuc/+O1
  30. 1H8rV+PQkA5+v6QM2RofHJxuq2+6CBQ3YYIyruSj7AtzG3gUkl2eIv4YUxjOTrO1
  31. FUC7gWeGRYB/m6AOX1QnWDtxJdMvNd6A5O/9h/609V7ZN3J9+ErJtZl5AoGAeoNs
  32. xUEsMmc5jQpgMEuP64qDcTpN1T178SwfwtpCEQ1iXQVp0bADhQSGAsrJDhVOk1F2
  33. TyIn6fJEHB2/xPgZVNvECZxnvnyU09xopDPKCIDe+WOn0SM6jnqMMQJ2MWHu1IVj
  34. lvjt/j5Ize28b4CJ5o2cmXJbbypnOWgH+txiN40CgYBVlU6MDbUXtBLuuQX2nLlz
  35. J+cAN2T5NgamZpozW+w9cBlqQ6OnVmUMI1mIeY3ypY2BgHauChkM+vEk5Z1nLcD8
  36. dXlYwSxfFhaOtTT2ezMqg4/pvSObOEwrCvWn6cSHd5rGTmyN2aIBgT7GDoQ/Fw9N
  37. X4rAjIW7B14Dbmlw3FDDPA==
  38. -----END PRIVATE KEY-----
  39. PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
  40. Certificate bag
  41. Bag Attributes
  42.     friendlyName: ca
  43.     localKeyID: 54 69 6D 65 20 31 37 32 34 32 34 34 31 34 35 36 32 31
  44. subject=CN = Elastic Certificate Tool Autogenerated CA
  46. issuer=CN = Elastic Certificate Tool Autogenerated CA
  48. -----BEGIN CERTIFICATE-----
  49. MIIDSTCCAjGgAwIBAgIUdsC4uxTo/rzDM/J7znsoS68v1pQwDQYJKoZIhvcNAQEL
  50. BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
  51. cmF0ZWQgQ0EwHhcNMjQwODIxMTI0MTQwWhcNMjcwODIxMTI0MTQwWjA0MTIwMAYD
  52. VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC
  53. ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKS/NBEh8pMqJ6TMsaqNndG2
  54. 3D3P/ApYXXD2udC1O5o9r2i/dlkuzjrYVJicj/qK+Qj3RYQrnOdt3ztWXDnmdVgV
  55. V7csJEsM6oDWtqu+Bpn02G0bB496Mel6DpsTpFmWExWqUKvgeHvJb4zrOVGLkxqZ
  56. 0HwEnz9PxTQEudUYZw+rgeDx3aSacKuTFDl8Ez15RBtrQ8VCy5dwGz3U149SFxTh
  57. yQHDj+gbSUqUPPz/lKnXXnQCFvVLZjRfUW96g1vl67/2aHtuFNfujA4wjK8kO4ZD
  58. QgqpxxxoQ34iJB5NfY4HgeCpdlXMOuLXPPsTuTwtvAxdxWPrBor29BHum0quTr8C
  59. AwEAAaNTMFEwHQYDVR0OBBYEFIaNPD+qx/HNPjx7ATpBSJDX6JMgMB8GA1UdIwQY
  60. MBaAFIaNPD+qx/HNPjx7ATpBSJDX6JMgMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
  61. hvcNAQELBQADggEBAA/by7yposgbigBLuR+XhmZYfbBJS8NgJ7b8VGtFLRjgJubD
  62. r/YBgGbIGzx1Mhn0PbOUsSimXuHcs8ZOZGOLXASJioIkh7kW08p2xJe1SAGqwPx+
  63. pDcc6EgWaVmZMXcvQwy+ExD+5otjge5MSHA7swAIiZ0y1OwifnrIVVBlfmw2lZIm
  64. E+JOCKsjs85H2msYRdoB3ELdXKGt27xvQV5V2WP0fTgkiUmkLfWM5PU3XrYMEiDs
  65. FCacWYL0PcnVTTHMXdtIkaAhxnpfGdCaUBEsR5v+LDn97K7PozeQdxF2k0HrxN11
  66. a+WpQ8myoX6lIZ6Oaq4KyFALXIhmaf5HBlAoZOE=
  67. -----END CERTIFICATE-----
复制代码
 也可以查询证书的到期时间:
  1. elasticsearch@master01:~$ openssl pkcs12 -in es-ca.p12 -nodes -nokeys -clcerts | openssl x509 -enddate -noout
  2. Enter Import Password:
  3. notAfter=Aug 21 12:41:40 2027 GMT
复制代码
这里可以看到证书有用期大概是3年。
   1.2,keytool
  keytool这个工具是es内jdk自带的,也可以进行证书信息查看。
  1. elasticsearch@master01:~$ jdk/bin/keytool -keystore es-ca.p12 -list
  2. Enter keystore password:  
  3. Keystore type: PKCS12
  4. Keystore provider: SUN
  6. Your keystore contains 1 entry
  8. ca, Aug 21, 2024, PrivateKeyEntry,
  9. Certificate fingerprint (SHA-256): 60:95:CD:3B:4E:A0:D7:43:13:C2:F1:D9:11:B1:AA:B8:02:BB:2D:0E:3E:C5:CE:82:F5:8A:D7:49:99:A5:70:A7
复制代码
然后就可以通过这个文件去生成其他证书了。
(2)生成transport证书

常见的证书格式包罗PKCS#12(.p12)和PEM(.pem)。这里需要利用得到的ca来创建transports证书,这里分别展示p12与pem格式的生成方式:
   1、p12证书生成
  1. elasticsearch@master01:~$ bin/elasticsearch-certutil cert --ca es-ca.p12
  2. This tool assists you in the generation of X.509 certificates and certificate
  3. signing requests for use with SSL/TLS in the Elastic stack.
  5. The 'cert' mode generates X.509 certificate and private keys.
  6.     * By default, this generates a single certificate and key for use
  7.        on a single instance.
  8.     * The '-multiple' option will prompt you to enter details for multiple
  9.        instances and will generate a certificate and key for each one
  10.     * The '-in' option allows for the certificate generation to be automated by describing
  11.        the details of each instance in a YAML file
  13.     * An instance is any piece of the Elastic Stack that requires an SSL certificate.
  14.       Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
  15.       may all require a certificate and private key.
  16.     * The minimum required value for each instance is a name. This can simply be the
  17.       hostname, which will be used as the Common Name of the certificate. A full
  18.       distinguished name may also be used.
  19.     * A filename value may be required for each instance. This is necessary when the
  20.       name would result in an invalid file or directory name. The name provided here
  21.       is used as the directory name (within the zip) and the prefix for the key and
  22.       certificate files. The filename is required if you are prompted and the name
  23.       is not displayed in the prompt.
  24.     * IP addresses and DNS names are optional. Multiple values can be specified as a
  25.       comma separated string. If no IP addresses or DNS names are provided, you may
  26.       disable hostname verification in your SSL configuration.
  29.     * All certificates generated by this tool will be signed by a certificate authority (CA)
  30.       unless the --self-signed command line option is specified.
  31.       The tool can automatically generate a new CA for you, or you can provide your own with
  32.       the --ca or --ca-cert command line options.
  35. By default the 'cert' mode produces a single PKCS#12 output file which holds:
  36.     * The instance certificate
  37.     * The private key for the instance certificate
  38.     * The CA certificate
  40. If you specify any of the following options:
  41.     * -pem (PEM formatted output)
  42.     * -multiple (generate multiple certificates)
  43.     * -in (generate certificates from an input file)
  44. then the output will be be a zip file containing individual certificate/key files
  45. #输入ca证书密码
  46. Enter password for CA (es-ca.p12) :
  47. #输入cert证书名称,默认为elastic-certificates.p12
  48. Please enter the desired output file [elastic-certificates.p12]: es-cert.p12
  49. #设置cert证书密码,默认为空
  50. Enter password for es-cert.p12 :
  52. Certificates written to /usr/share/elasticsearch/es-cert.p12
  54. This file should be properly secured as it contains the private key for
  55. your instance.
  56. This file is a self contained file and can be copied and used 'as is'
  57. For each Elastic product that you wish to configure, you should copy
  58. this '.p12' file to the relevant configuration directory
  59. and then follow the SSL configuration instructions in the product guide.
  61. For client applications, you may only need to copy the CA certificate and
  62. configure the client to trust this certificate.
  63. elasticsearch@master01:~$ ls -l
  64. total 2288
  65. -r--r--r--  1 root          root    3860 Aug  5 10:11 LICENSE.txt
  66. -r--r--r--  1 root          root 2285006 Aug  5 10:11 NOTICE.txt
  67. -r--r--r--  1 root          root    9111 Aug  5 10:11 README.asciidoc
  68. drwxrwxr-x  1 elasticsearch root    4096 Aug  5 10:12 bin
  69. drwxrwxr-x  1 elasticsearch root    4096 Aug 17 14:47 config
  70. drwxrwxrwx  5          1001 1001    4096 Aug 21 12:45 data
  71. -rw-------  1 elasticsearch root    2672 Aug 21 12:42 es-ca.p12
  72. -rw-------  1 elasticsearch root    3596 Aug 21 12:46 es-cert.p12
  73. dr-xr-xr-x  1 root          root    4096 Aug  5 10:11 jdk
  74. dr-xr-xr-x  6 root          root    4096 Aug  5 10:11 lib
  75. drwxrwxrwx  2          1001 1001    4096 Aug 21 12:25 logs
  76. dr-xr-xr-x 83 root          root    4096 Aug  5 10:11 modules
  77. drwxrwxr-x  1 elasticsearch root    4096 Aug  5 10:11 plugins
复制代码
 设置密码后,一路回车就可以通过CA文件在该目录下生成 elastic-certificates.p12文件。就是es配置需要的文件了。
   2、pem 和 key 证书生成
  这种证书和HTTPS配置的证书文件雷同,也能支持es进行安全配置。与上面的p12不同的是,它需要利用的是ca的压缩文件中的crt、key文件去生成对应的实例证书文件:
  1. elasticsearch@es:~$ bin/elasticsearch-certutil ca --pem
  2. This tool assists you in the generation of X.509 certificates and certificate
  3. signing requests for use with SSL/TLS in the Elastic stack.
  5. The 'ca' mode generates a new 'certificate authority'
  6. This will create a new X.509 certificate and private key that can be used
  7. to sign certificate when running in 'cert' mode.
  9. Use the 'ca-dn' option if you wish to configure the 'distinguished name'
  10. of the certificate authority
  12. By default the 'ca' mode produces a single PKCS#12 output file which holds:
  13.     * The CA certificate
  14.     * The CA's private key
  16. If you elect to generate PEM format certificates (the -pem option), then the output will
  17. be a zip file containing individual files for the CA certificate and private key
  19. Please enter the desired output file [elastic-stack-ca.zip]:
  20. elasticsearch@es:~$ ll
  21. total 2272
  22. drwxrwxr-x  1 root          root    4096 Mar  8 09:16 ./
  23. drwxr-xr-x  1 root          root    4096 Sep 14 20:23 ../
  24. -rw-------  1 elasticsearch root     101 Mar  8 02:16 .bash_history
  25. -rw-r--r--  1 root          root     220 Sep 14 20:23 .bash_logout
  26. -rw-r--r--  1 root          root    3771 Sep 14 20:23 .bashrc
  27. drwxrwxr-x  3 elasticsearch root    4096 Mar  8 01:46 .cache/
  28. -rw-r--r--  1 root          root     807 Sep 14 20:23 .profile
  29. -r--r--r--  1 root          root    3860 Sep 14 20:22 LICENSE.txt
  30. -r--r--r--  1 root          root 2231504 Sep 14 20:22 NOTICE.txt
  31. -r--r--r--  1 root          root    8157 Sep 14 20:22 README.asciidoc
  32. drwxrwxr-x  1 elasticsearch root    4096 Sep 14 20:23 bin/
  33. drwxrwxr-x  1 elasticsearch root    4096 Mar  8 02:04 config/
  34. drwxrwxrwx  5           777 root    4096 Mar  8 09:15 data/
  35. -rw-------  1 elasticsearch root    2514 Mar  8 09:16 elastic-stack-ca.zip
  36. dr-xr-xr-x  1 root          root    4096 Sep 14 20:22 jdk/
  37. dr-xr-xr-x  5 root          root    4096 Sep 14 20:22 lib/
  38. drwxrwxrwx  2           777 root    4096 Mar  8 06:23 logs/
  39. dr-xr-xr-x 76 root          root    4096 Sep 14 20:22 modules/
  40. drwxrwxr-x  1 elasticsearch root    4096 Sep 14 20:22 plugins/
复制代码
这种方式会生成一个存放ca文件的zip压缩文件,解压后继承生成实际的证书文件:
  1. elasticsearch@es:~$ bin/elasticsearch-certutil cert -ca-cert ca/ca.crt -ca-key ca/ca.key --pem
  2. This tool assists you in the generation of X.509 certificates and certificate
  3. signing requests for use with SSL/TLS in the Elastic stack.
  5. The 'cert' mode generates X.509 certificate and private keys.
  6.     * By default, this generates a single certificate and key for use
  7.        on a single instance.
  8.     * The '-multiple' option will prompt you to enter details for multiple
  9.        instances and will generate a certificate and key for each one
  10.     * The '-in' option allows for the certificate generation to be automated by describing
  11.        the details of each instance in a YAML file
  13.     * An instance is any piece of the Elastic Stack that requires an SSL certificate.
  14.       Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
  15.       may all require a certificate and private key.
  16.     * The minimum required value for each instance is a name. This can simply be the
  17.       hostname, which will be used as the Common Name of the certificate. A full
  18.       distinguished name may also be used.
  19.     * A filename value may be required for each instance. This is necessary when the
  20.       name would result in an invalid file or directory name. The name provided here
  21.       is used as the directory name (within the zip) and the prefix for the key and
  22.       certificate files. The filename is required if you are prompted and the name
  23.       is not displayed in the prompt.
  24.     * IP addresses and DNS names are optional. Multiple values can be specified as a
  25.       comma separated string. If no IP addresses or DNS names are provided, you may
  26.       disable hostname verification in your SSL configuration.
  29.     * All certificates generated by this tool will be signed by a certificate authority (CA)
  30.       unless the --self-signed command line option is specified.
  31.       The tool can automatically generate a new CA for you, or you can provide your own with
  32.       the --ca or --ca-cert command line options.
  35. By default the 'cert' mode produces a single PKCS#12 output file which holds:
  36.     * The instance certificate
  37.     * The private key for the instance certificate
  38.     * The CA certificate
  40. If you specify any of the following options:
  41.     * -pem (PEM formatted output)
  42.     * -multiple (generate multiple certificates)
  43.     * -in (generate certificates from an input file)
  44. then the output will be be a zip file containing individual certificate/key files
  46. Please enter the desired output file [certificate-bundle.zip]:
  48. Certificates written to /usr/share/elasticsearch/certificate-bundle.zip
  50. This file should be properly secured as it contains the private key for
  51. your instance.
  52. After unzipping the file, there will be a directory for each instance.
  53. Each instance has a certificate and private key.
  54. For each Elastic product that you wish to configure, you should copy
  55. the certificate, key, and CA certificate to the relevant configuration directory
  56. and then follow the SSL configuration instructions in the product guide.
  58. For client applications, you may only need to copy the CA certificate and
  59. configure the client to trust this certificate.
  60. elasticsearch@es:~$ ls
  61. LICENSE.txt      ca/                     elastic-certificates.p12  lib/
  62. NOTICE.txt       certificate-bundle.zip  elastic-stack-ca.p12      logs/
  63. README.asciidoc  config/                 elastic-stack-ca.zip      modules/
  64. bin/             data/                   jdk/                      plugins/
复制代码
这样会生成终极的一个 名为certificate-bundle.zip的压缩包,解压后即可得到我们需要的配置文件:
  1. elasticsearch@es:~$ unzip certificate-bundle.zip
  2. Archive:  certificate-bundle.zip
  3.    creating: instance/
  4.   inflating: instance/instance.crt   
  5.   inflating: instance/instance.key   
  6. elasticsearch@es:~$ cd instance/
  7. elasticsearch@es:~/instance$ ll
  8. total 20
  9. drwxr-xr-x 2 elasticsearch root 4096 Mar  8 09:20 ./
  10. drwxrwxr-x 1 root          root 4096 Mar  8 09:21 ../
  11. -rw-r--r-- 1 elasticsearch root 1147 Mar  8 09:20 instance.crt
  12. -rw-r--r-- 1 elasticsearch root 1679 Mar  8 09:20 instance.key
复制代码
同样可以通过openssl查看证书信息:
  1. elasticsearch@es:~$ openssl x509 -in instance/instance.crt -text -noout
  2. Certificate:
  3.     Data:
  4.         Version: 3 (0x2)
  5.         Serial Number:
  6.             d4:80:94:4c:38:b5:67:ae:c5:b1:38:25:2c:2c:fe:a2:71:b0:6b:b6
  7.         Signature Algorithm: sha256WithRSAEncryption
  8.         Issuer: CN = Elastic Certificate Tool Autogenerated CA
  9.         Validity
  10.             Not Before: Mar  8 09:20:09 2024 GMT
  11.             Not After : Mar  8 09:20:09 2027 GMT
  12.         Subject: CN = instance
  13.         Subject Public Key Info:
  14.             Public Key Algorithm: rsaEncryption
  15.                 RSA Public-Key: (2048 bit)
  16.                 Modulus:
  17.                     00:c7:ed:e3:5b:72:6e:c8:a7:5f:d6:8f:a2:99:3a:
  18.                     62:18:fe:fd:b8:18:4f:c8:af:59:1d:cd:9c:fc:fb:
  19.                     de:49:df:a3:d1:35:06:68:e6:76:6d:7f:fb:0e:88:
  20.                     d8:ff:62:9f:52:9c:8b:a3:a7:10:89:72:98:9c:01:
  21.                     d3:60:44:07:64:ad:d3:ce:f4:ce:d3:e9:a5:81:30:
  22.                     40:0e:3d:c9:29:ac:36:33:28:19:d1:aa:2f:87:17:
  23.                     4a:a7:6d:65:29:96:24:31:3e:01:f8:4f:04:f3:a3:
  24.                     20:a0:eb:21:36:f9:f0:e6:cb:b6:8f:fc:7d:dc:4f:
  25.                     af:f5:e1:95:e0:9e:84:42:b7:5b:ad:67:7d:e1:59:
  26.                     9c:7b:28:d6:01:54:d7:0f:ad:86:ce:38:33:8c:86:
  27.                     4d:e9:46:89:c0:70:31:1e:03:e4:41:19:63:ab:dc:
  28.                     4a:50:d7:02:91:b7:70:15:f7:61:61:4f:3e:14:31:
  29.                     0f:74:11:9f:2e:e4:56:d4:97:2e:78:81:f7:48:f8:
  30.                     15:55:a7:c5:57:19:ef:5e:62:b8:8b:3f:e6:be:c5:
  31.                     04:2d:41:72:14:a9:e9:e7:be:08:03:39:d8:8b:94:
  32.                     d7:ec:10:24:8a:ac:32:b9:0b:5b:ef:7e:33:4f:b0:
  33.                     76:24:97:52:f4:8d:b7:2c:cb:f4:89:fe:38:45:44:
  34.                     5b:a1
  35.                 Exponent: 65537 (0x10001)
  36.         X509v3 extensions:
  37.             X509v3 Subject Key Identifier:
  38.                 FC:02:3C:5E:9B:4B:35:54:96:AB:5D:AB:7E:C7:08:CE:2C:94:05:CE
  39.             X509v3 Authority Key Identifier:
  40.                 keyid:7E:52:11:3B:5C:88:9D:6A:27:2D:27:28:60:2F:34:E5:C4:0C:68:9A
  42.             X509v3 Basic Constraints:
  43.                 CA:FALSE
  44.     Signature Algorithm: sha256WithRSAEncryption
  45.          6b:e3:ed:40:50:59:3f:3f:b3:7a:5a:a5:b9:ab:06:d5:28:18:
  46.          4d:17:89:ad:ab:dc:3d:0f:38:18:e9:82:0b:8a:b3:05:5f:4b:
  47.          1a:5a:44:46:8c:ac:df:28:41:1a:76:b4:95:51:86:c0:2a:bf:
  48.          13:47:0e:76:6b:08:d8:aa:06:ba:5c:50:11:a9:71:3b:9d:77:
  49.          24:ac:bb:c2:06:85:d8:01:ec:4a:e4:75:ae:29:66:84:0f:ad:
  50.          c6:83:8e:5b:61:23:74:af:44:7c:9b:8a:47:b2:fb:a3:3f:f8:
  51.          c0:dc:37:36:38:d7:d2:e5:8e:8c:9b:64:3b:ae:26:41:6b:42:
  52.          dc:f4:e3:d9:83:fe:f9:d9:2d:b2:7a:dc:74:74:f2:bd:5f:5f:
  53.          37:5b:ad:b5:02:20:3a:33:cd:76:d1:0c:8d:84:61:b2:5d:a7:
  54.          80:59:9a:e0:bd:d3:ba:ee:a3:8b:47:f0:07:08:53:7d:98:8e:
  55.          2a:06:2d:a8:aa:54:45:f7:ae:af:42:dd:80:b1:15:4d:a9:36:
  56.          46:ce:9c:8c:1c:74:7b:19:41:d4:aa:f1:65:ef:c9:c8:6c:44:
  57.          b1:49:66:56:f8:fd:e3:c5:0a:7b:1c:76:77:05:37:a7:77:4c:
  58.          a1:47:45:b8:49:55:b6:3c:f6:1c:64:a9:16:cc:7e:2c:57:a9:
  59.          72:15:ad:16
复制代码
然后我们可以将上述过程涉及到的密码存储到es的密钥库。bin/elasticsearch-keystore 是 Elasticsearch 提供的一个下令行工具,用于管理 Elasticsearch 的密钥库(keystore)。密钥库用于存储敏感配置,如密码、API 密钥等,以确保这些敏感信息在配置文件中不会以明文情势出现。
  1. elasticsearch@master01:~$ bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
  2. Enter value for es-ca-pwd:
  3. elasticsearch@master01:~$ bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password  
  4. Enter value for es-pwd:
  5. elasticsearch@master01:~$ bin/elasticsearch-keystore list
  6. bootstrap.password
  7. keystore.seed
  8. xpack.security.transport.ssl.keystore.secure_password
  9. xpack.security.transport.ssl.truststore.secure_password
复制代码
将生成的p12文件拷贝到config目录下,怕容器文件丢失的话也可以将生成的证书文件拷贝到宿主机的es/config文件下,重新修改yml配置文件,增长transport.ssl配置:
  1. #将容器内的p12文件拷贝的容器内的config目录下,以便es识别
  2. elasticsearch@master01:/data/elk/es$ sudo docker exec -i es cp es-cert.p12 config/
  3. elasticsearch@master01:/data/elk/es$ cat config/elasticsearch.yml
  4. #集群名称
  5. cluster.name: "es-master"
  6. # 0.0.0.0为不限制,生产环境请设置为固定IP
  7. network.host: 192.168.1.200
  8. #设置对外服务的http端口,默认为9200
  9. http.port: 9200
  10. http.cors.enabled: true
  11. #允许REST请求来自何处
  12. http.cors.allow-origin: "*"
  13. # 开启x-pack安全验证 访问时需要密码
  14. xpack.security:
  15.   enabled: true
  16.   transport.ssl:
  17.     enabled: true
  18.     verification_mode: certificate
  19.     client_authentication: required
  20.     keystore.path: es-cert.p12
  21.     truststore.path: es-cert.p12
  22. elasticsearch@master01:/data/elk/es$ sudo docker restart es
  23. es
复制代码
此时访问kibana的话就需要进行配置了:

假如不继承进行https配置就可以到此为止了,不外这里咱们继承配置下去~
(3)生成http证书

执行http生成下令,具体生成过程如下:
  1. elasticsearch@es:~$ bin/elasticsearch-certutil http
  3. ## Elasticsearch HTTP Certificate Utility
  5. The 'http' command guides you through the process of generating certificates
  6. for use on the HTTP (Rest) interface for Elasticsearch.
  8. This tool will ask you a number of questions in order to generate the right
  9. set of files for your needs.
  11. ## Do you wish to generate a Certificate Signing Request (CSR)?
  13. A CSR is used when you want your certificate to be created by an existing
  14. Certificate Authority (CA) that you do not control (that is, you don't have
  15. access to the keys for that CA).
  17. If you are in a corporate environment with a central security team, then you
  18. may have an existing Corporate CA that can generate your certificate for you.
  19. Infrastructure within your organisation may already be configured to trust this
  20. CA, so it may be easier for clients to connect to Elasticsearch if you use a
  21. CSR and send that request to the team that controls your CA.
  23. If you choose not to generate a CSR, this tool will generate a new certificate
  24. for you. That certificate will be signed by a CA under your control. This is a
  25. quick and easy way to secure your cluster with TLS, but you will need to
  26. configure all your clients to trust that custom CA.
  28. Generate a CSR? [y/N]N #不用生成,我们用自己的CA
  30. ## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
  32. If you have an existing CA certificate and key, then you can use that CA to
  33. sign your new http certificate. This allows you to use the same CA across
  34. multiple Elasticsearch clusters which can make it easier to configure clients,
  35. and may be easier for you to manage.
  37. If you do not have an existing CA, one will be generated for you.
  39. Use an existing CA? [y/N]y #用自己的CA
  41. ## What is the path to your CA?
  43. Please enter the full pathname to the Certificate Authority that you wish to
  44. use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
  45. (.jks) or PEM (.crt, .key, .pem) format.
  46. CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12 #填CA地址
  47. Reading a PKCS12 keystore requires a password.
  48. It is possible for the keystore's password to be blank,
  49. in which case you can simply press <ENTER> at the prompt
  50. Password for elastic-stack-ca.p12:
  52. ## How long should your certificates be valid?
  54. Every certificate has an expiry date. When the expiry date is reached clients
  55. will stop trusting your certificate and TLS connections will fail.
  57. Best practice suggests that you should either:
  58. (a) set this to a short duration (90 - 120 days) and have automatic processes
  59. to generate a new certificate before the old one expires, or
  60. (b) set it to a longer duration (3 - 5 years) and then perform a manual update
  61. a few months before it expires.
  63. You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
  65. For how long should your certificate be valid? [5y] 5y #填过期时间
  67. ## Do you wish to generate one certificate per node?
  69. If you have multiple nodes in your cluster, then you may choose to generate a
  70. separate certificate for each of these nodes. Each certificate will have its
  71. own private key, and will be issued for a specific hostname or IP address.
  73. Alternatively, you may wish to generate a single certificate that is valid
  74. across all the hostnames or addresses in your cluster.
  76. If all of your nodes will be accessed through a single domain
  77. (e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
  78. simpler to generate one certificate with a wildcard hostname (*.es.example.com)
  79. and use that across all of your nodes.
  81. However, if you do not have a common domain name, and you expect to add
  82. additional nodes to your cluster in the future, then you should generate a
  83. certificate per node so that you can more easily generate new certificates when
  84. you provision new nodes.
  86. Generate a certificate per node? [y/N]y   #添加节点了
  88. ## What is the name of node #1?
  90. This name will be used as part of the certificate file name, and as a
  91. descriptive name within the certificate.
  93. You can use any descriptive name that you like, but we recommend using the name
  94. of the Elasticsearch node.
  96. node #1 name: es-master #单机的话就取个配置文件中的主节点名称,保持一致
  98. ## Which hostnames will be used to connect to es-master?
  100. These hostnames will be added as "DNS" names in the "Subject Alternative Name"
  101. (SAN) field in your certificate.
  103. You should list every hostname and variant that people will use to connect to
  104. your cluster over http.
  105. Do not list IP addresses here, you will be asked to enter them later.
  107. If you wish to use a wildcard certificate (for example *.es.example.com) you
  108. can enter that here.
  110. Enter all the hostnames that you need, one per line.
  111. When you are done, press <ENTER> once more to move on to the next step.
  113. www.myes.com #填连接到node的主机名
  114. 192.168.1.200
  116. You entered the following hostnames.
  118. - www.myes.com
  120. Is this correct [Y/n]Y
  122. ## Which IP addresses will be used to connect to es-master?
  124. If your clients will ever connect to your nodes by numeric IP address, then you
  125. can list these as valid IP "Subject Alternative Name" (SAN) fields in your
  126. certificate.
  128. If you do not have fixed IP addresses, or not wish to support direct IP access
  129. to your cluster then you can just press <ENTER> to skip this step.
  131. Enter all the IP addresses that you need, one per line.
  132. When you are done, press <ENTER> once more to move on to the next step.
  134. 192.168.1.200 #填连接到node的ip,如果没有固定ip获取,不希望ip访问就回车跳过
  136. You entered the following IP addresses.
  138. - 192.168.1.200
  140. Is this correct [Y/n]Y
  142. ## Other certificate options
  144. The generated certificate will have the following additional configuration
  145. values. These values have been selected based on a combination of the
  146. information you have provided above and secure defaults. You should not need to
  147. change these values unless you have specific requirements.
  149. Key Name: es-master
  150. Subject DN: CN=es-master
  151. Key Size: 2048
  153. Do you wish to change any of these options? [y/N]N #还改不改这些选项
  154. Generate additional certificates? [Y/n]N #还生成其他证书吗?一般集群用
  156. ## What password do you want for your private key(s)?
  158. Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
  159. This type of keystore is always password protected, but it is possible to use a
  160. blank password.
  162. If you wish to use a blank password, simply press <enter> at the prompt below.
  163. Provide a password for the "http.p12" file:  [<ENTER> for none]#添加http.p12证书密码
  164. Repeat password to confirm:  #确认密码
  166. ## Where should we save the generated files?
  168. A number of files will be generated including your private key(s),
  169. public certificate(s), and sample configuration options for Elastic Stack products.
  171. These files will be included in a single zip archive.
  173. What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]
  175. Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip
复制代码
 解压文件,生成一个文件夹,里面包罗两个文件夹:


  • elasticsearch文件夹包罗http.p12及elasticsearch.yml的配置参考
  • kibana文件夹包罗elasticsearch-ca.pem及kibana.yml的配置参考
  1. elasticsearch@master01:~$ unzip elasticsearch-ssl-http.zip
  2. Archive:  elasticsearch-ssl-http.zip
  3.    creating: elasticsearch/
  4.   inflating: elasticsearch/README.txt  
  5.   inflating: elasticsearch/http.p12  
  6.   inflating: elasticsearch/sample-elasticsearch.yml  
  7.    creating: kibana/
  8.   inflating: kibana/README.txt      
  9.   inflating: kibana/elasticsearch-ca.pem  
  10.   inflating: kibana/sample-kibana.yml  
  11. elasticsearch@master01:~$ ls -l elasticsearch
  12. total 12
  13. -rw-r--r-- 1 elasticsearch root 1378 Aug 21 13:28 README.txt
  14. -rw-r--r-- 1 elasticsearch root 3636 Aug 21 13:28 http.p12
  15. -rw-r--r-- 1 elasticsearch root  858 Aug 21 13:28 sample-elasticsearch.yml
  16. #拷贝到config下
  17. elasticsearch@master01:~$ cp elasticsearch/http.p12 config/
  18. elasticsearch@master01:~$ ls -l config/
  19. total 72
  20. -rw-rw-r-- 1 root          root  1042 Aug  5 10:11 elasticsearch-plugins.example.yml
  21. -rw-rw---- 1 elasticsearch root   425 Aug 22 05:52 elasticsearch.keystore
  22. -rwxrwxrwx 1          1001 1001   581 Aug 22 06:28 elasticsearch.yml
  23. -rw------- 1 elasticsearch root  3596 Aug 22 05:31 es-cert.p12
  24. -rw-r--r-- 1 elasticsearch root  3652 Aug 22 06:30 http.p12
  25. -rw-rw-r-- 1 root          root  2727 Aug  5 10:11 jvm.options
  26. drwxrwxr-x 1 elasticsearch root  4096 Aug  5 10:11 jvm.options.d
  27. -rw-rw-r-- 1 root          root 17969 Aug  5 10:11 log4j2.file.properties
  28. -rw-rw-r-- 1 root          root 12549 Aug  5 10:11 log4j2.properties
  29. -rw-rw-r-- 1 root          root   473 Aug  5 10:11 role_mapping.yml
  30. -rw-rw-r-- 1 root          root   197 Aug  5 10:11 roles.yml
  31. -rw-rw-r-- 1 root          root     0 Aug  5 10:11 users
  32. -rw-rw-r-- 1 root          root     0 Aug  5 10:11 users_roles
复制代码
后者kibana目录,此中包罗一个elasticsearch-ca.pem文件。主要用于配置Kibana,使其信托HTTP层的Elasticsearch CA。两个目录下都给出了具体的配置方式:
  1. elasticsearch@master01:~$ cat elasticsearch/sample-elasticsearch.yml
  2. #
  3. # SAMPLE ELASTICSEARCH CONFIGURATION FOR ENABLING SSL ON THE HTTP INTERFACE
  4. #
  5. # This is a sample configuration snippet for Elasticsearch that enables and configures SSL for the HTTP (Rest) interface
  6. #
  7. # This was automatically generated at: 2024-08-22 05:47:20Z
  8. # This configuration was intended for Elasticsearch version 8.15.0
  9. #
  10. # You should review these settings, and then update the main configuration file at
  11. #   /usr/share/elasticsearch/config/elasticsearch.yml
  12. #
  14. # This turns on SSL for the HTTP (Rest) interface
  15. xpack.security.http.ssl.enabled: true
  17. # This configures the keystore to use for SSL on HTTP
  18. # Because your keystore has a password, you will also need to add the password to the Elasticsearch keystore
  19. #    elasticsearch-keystore add "xpack.security.http.ssl.keystore.secure_password"
  20. xpack.security.http.ssl.keystore.path: "http.p12"
  21. elasticsearch@master01:~$ cat kibana/sample-kibana.yml
  22. #
  23. # SAMPLE KIBANA CONFIGURATION FOR ENABLING SSL TO ELASTICSEARCH
  24. #
  25. # This is a sample configuration snippet for Kibana that configures SSL for connections to Elasticsearch
  26. #
  27. # This was automatically generated at: 2024-08-22 05:47:20Z
  28. # This configuration was intended for version 8.15.0
  29. #
  30. # You should review these settings, and then update the main kibana.yml configuration file.
  31. #
  32. #-------------------------------------------------------------------------------------------------
  33. #  You also need to update the URLs in your "elasticsearch.hosts" setting to use the "https" URL.
  34. #  e.g. If your kibana.yml file currently has
  35. #
  36. #  elasticsearch.hosts: [ "http://localhost:9200" ]
  37. #
  38. #  then you should change this to:
  39. #
  40. #  elasticsearch.hosts: [ "https://localhost:9200" ]
  41. #
  42. #-------------------------------------------------------------------------------------------------
  44. # This configures Kibana to trust a specific Certificate Authority for connections to Elasticsearch
  45. elasticsearch.ssl.certificateAuthorities: [ "config/elasticsearch-ca.pem" ]
复制代码
因此生成的kibana的文件信息发起拷贝到容器表面的kibana目录下,反面方便利用。
  1. root@master01:/data/elk/kibana/config# docker cp es:/usr/share/elasticsearch/kibana/elasticsearch-ca.pem /data/elk/kibana/config/
  2.                                                Successfully copied 3.07kB to /data/elk/kibana/config/
  3. root@master01:/data/elk/kibana/config# docker cp es:/usr/share/elasticsearch/kibana/sample-kibana.yml /data/elk/kibana/config/
  4.                                                Successfully copied 3.07kB to /data/elk/kibana/config/
  5. root@master01:/data/elk/kibana/config# ls
  6. elasticsearch-ca.pem  kibana.yml  sample-kibana.yml
复制代码
现在可以验证一下证书信息:
  1. elasticsearch@master01:~$ jdk/bin/keytool -keystore elasticsearch/http.p12 -list
  2. Enter keystore password:  
  3. Keystore type: PKCS12
  4. Keystore provider: SUN
  6. Your keystore contains 2 entries
  8. ca, Aug 21, 2024, trustedCertEntry,
  9. Certificate fingerprint (SHA-256): 60:95:CD:3B:4E:A0:D7:43:13:C2:F1:D9:11:B1:AA:B8:02:BB:2D:0E:3E:C5:CE:82:F5:8A:D7:49:99:A5:70:A7
  10. http, Aug 21, 2024, PrivateKeyEntry,
  11. Certificate fingerprint (SHA-256): 78:48:07:F3:C8:1B:50:08:72:65:4A:19:F4:23:26:0D:BA:7F:1F:BE:11:87:74:8E:82:B7:27:D5:04:B4:03:8B
  12. #添加http.p12密码到密钥库
  13. elasticsearch@master01:~$ ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
  14. Enter value for xpack.security.http.ssl.keystore.secure_password:
复制代码
(4)完备配置ES

将http.p12证书放到配置文件内,重新更新配置文件并重启ES:
  1. elasticsearch@master01:/data/elk/es$  cat es/config/elasticsearch.yml
  2. #集群名称
  3. cluster.name: "es-master"
  4. # 0.0.0.0为不限制,生产环境请设置为固定IP
  5. network.host: 192.168.1.200
  6. #设置对外服务的http端口,默认为9200
  7. http.port: 9200
  8. search.allow_expensive_queries: true
  9. http.cors.enabled: true
  10. #允许REST请求来自何处
  11. http.cors.allow-origin: "*"
  12. # 开启x-pack安全验证 访问时需要密码
  13. xpack.security:
  14.   enabled: true
  15. #generater kibana token,一般配合es的自动配置使用
  16. #  enrollment.enabled: true
  17. #用于在传输网络层上启用或禁用 TLS/SSL,节点使用该层相互通信。 默认值为 。false
  18.   transport.ssl:
  19.     enabled: true
  20.     verification_mode: certificate
  21. #full:验证提供的证书:是否具有颁发日期且在日期内;链接到受信任的证书权威(CA);检查证书。
  22. #certificate:验证提供的证书,并验证它是否由受信任的颁发机构 (CA),但不检查证书。
  23. #none:不执行证书验证
  24.     client_authentication: required
  25.     keystore.path: es-cert.p12
  26.     truststore.path: es-cert.p12
  27. # Enable encryption for HTTP API client connections, such as Kibana, Logstash
  28.   http.ssl:
  29.     enabled: true
  30.     verification_mode: certificate
  31.     keystore.path: http.p12
复制代码
最后就可以通过https+ip:端口以密码的情势访问ES了。

然后就可以进入kibana页面进行es连接配置了。可以通过es获取注册令牌进行配置:  


也可以直接手动配置:

这里我们没有填写es配置环境下可以直接进行手动配置:

  • 填写es的地址,笔者的是https:192.168.31.133:9200(没有配置https也可用http的)
  • 输入kibana_system的密码
  • 之后界面会提示我们通过一个下令获取验证码并填写,进入kibana容器按要求获取填写即可。  

  1. root@master01:/data/elk/kibana/config# docker exec -i kibana  bin/kibana-verification-code
  2. Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.15/production.html#openssl-legacy-provider
  3. Your verification code is:  920 675
复制代码
 然后静等配置完成即可重新访问kibana可视化界面了。

假如登录不上可根据kibana日志和es日志一起解决。比如笔者利用的时候因为假造机内存不敷导致ElasticSerach 出现 high disk watermark [90%]出现磁盘内存不足的问题,导致kibana登录不上。反面在elasticsearch.yml上配置cluster.routing.allocation.disk.threshold_enabled: false解决了。所以假如有问题,咱们多看日志都是可以认证登录成功的。
此时查看一下当地的kibana配置文件可以发现,之前kibana配置中注销的es配置信息已经自动生成了。
  1. root@master01:/data/elk/kibana/config# cat kibana.yml
  2. server.name: kibana
  3. server.port: 5601
  4. server.host: "0.0.0.0"
  5. xpack.monitoring.ui.container.elasticsearch.enabled: true
  6. telemetry.enabled: false
  7. i18n.locale: "zh-CN"
  10. # This section was automatically generated during setup.
  11. elasticsearch.hosts: ['https://192.168.1.200:9200']
  12. elasticsearch.username: kibana_system
  13. elasticsearch.password: elastic
  14. elasticsearch.ssl.certificateAuthorities: [/usr/share/kibana/data/ca_1724313143926.crt]
  15. xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://192.168.1.200:9200'], ca_trusted_fingerprint: 510c488576597352b09386b903a90e0c6c0ea030daa3328edb386a49298e7c1e}]
复制代码
三、Kibana 安全配置


这里笔者以es内部签名的证书来生成kibana的认证,但是官方也说到了,对于开发环境和构建概念证明是可以担当,但不应该在生产环境中利用。在投入生产之前,需要利用可信CA(如Let’s Encrypt)或构造的内部CA对证书进行签名。利用签名证书为Kibana内部访问或公共互联网的连接建立浏览器信托。毕竟这块我们没买端庄证书,所以勉强把流程介绍一下吧。
起首我们需要在es中利用工具利用如下的下令为 Kibana 生成服务器证书和私钥:
  1. #根据证书适配的ip生成,也可使用-dns形式的-dns 域名1,域名2
  2. elasticsearch@master01:~$ bin/elasticsearch-certutil csr -name kibana -ip 192.168.1.200
  3. This tool assists you in the generation of X.509 certificates and certificate
  4. signing requests for use with SSL/TLS in the Elastic stack.
  6. The 'csr' mode generates certificate signing requests that can be sent to
  7. a trusted certificate authority
  8.     * By default, this generates a single CSR for a single instance.
  9.     * You can use the '-multiple' option to generate CSRs for multiple
  10.        instances, each with their own private key.
  11.     * The '-in' option allows for the CSR generation to be automated
  12.        by describing the details of each instance in a YAML file
  14.     * An instance is any piece of the Elastic Stack that requires an SSL certificate.
  15.       Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
  16.       may all require a certificate and private key.
  17.     * The minimum required value for each instance is a name. This can simply be the
  18.       hostname, which will be used as the Common Name of the certificate. A full
  19.       distinguished name may also be used.
  20.     * A filename value may be required for each instance. This is necessary when the
  21.       name would result in an invalid file or directory name. The name provided here
  22.       is used as the directory name (within the zip) and the prefix for the key and
  23.       certificate files. The filename is required if you are prompted and the name
  24.       is not displayed in the prompt.
  25.     * IP addresses and DNS names are optional. Multiple values can be specified as a
  26.       comma separated string. If no IP addresses or DNS names are provided, you may
  27.       disable hostname verification in your SSL configuration.
  30. The 'csr' mode produces a single zip file which contains the certificate
  31. signing requests and private keys for each instance.
  32.     * Each certificate signing request is provided as a standard PEM encoding of a PKCS#10 CSR.
  33.     * Each key is provided as a PEM encoding of an RSA private key
  35. Please enter the desired output file [csr-bundle.zip]:
  37. Certificate signing requests have been written to /usr/share/elasticsearch/csr-bundle.zip
  39. This file should be properly secured as it contains the private keys for all
  40. instances.
  42. After unzipping the file, there will be a directory for each instance containing
  43. the certificate signing request and the private key. Provide the certificate
  44. signing requests to your certificate authority. Once you have received the
  45. signed certificate, copy the signed certificate, key, and CA certificate to the
  46. configuration directory of the Elastic product that they will be used for and
  47. follow the SSL configuration instructions in the product guide.
  48. elasticsearch@master01:~$ ls -l
  49. total 2308
  50. -r--r--r--  1 root          root    3860 Aug  5 10:11 LICENSE.txt
  51. -r--r--r--  1 root          root 2285006 Aug  5 10:11 NOTICE.txt
  52. -r--r--r--  1 root          root    9111 Aug  5 10:11 README.asciidoc
  53. drwxrwxr-x  1 elasticsearch root    4096 Aug  5 10:12 bin
  54. drwxrwxr-x  1 elasticsearch root    4096 Aug 22 09:24 config
  55. -rw-------  1 elasticsearch root    2392 Aug 22 09:41 csr-bundle.zip
  56. drwxrwxrwx  5          1001 1001    4096 Aug 22 09:41 data
  57. drwxr-xr-x  2 elasticsearch root    4096 Aug 22 05:47 elasticsearch
  58. -rw-------  1 elasticsearch root    7605 Aug 22 05:47 elasticsearch-ssl-http.zip
  59. -rw-------  1 elasticsearch root    2672 Aug 22 05:05 es-ca.p12
  60. -rw-------  1 elasticsearch root    3596 Aug 22 05:06 es-cert.p12
  61. dr-xr-xr-x  1 root          root    4096 Aug  5 10:11 jdk
  62. drwxr-xr-x  2 elasticsearch root    4096 Aug 22 05:47 kibana
  63. dr-xr-xr-x  6 root          root    4096 Aug  5 10:11 lib
  64. drwxrwxrwx  2          1001 1001    4096 Aug 22 09:24 logs
  65. dr-xr-xr-x 83 root          root    4096 Aug  5 10:11 modules
  66. drwxrwxr-x  1 elasticsearch root    4096 Aug  5 10:11 plugins
复制代码
执行完成后会生成一个叫做 csr-bundle.zip 的文件,解压后的到kibana.csr(未签名安全证书),kibana.key(密钥未加密的私钥)文件。
  1. elasticsearch@master01:~$ unzip csr-bundle.zip
  2. Archive:  csr-bundle.zip
  3.   inflating: kibana/kibana.csr      
  4.   inflating: kibana/kibana.key      
  5. elasticsearch@master01:~$ ls -l kibana/
  6. total 20
  7. -rw-r--r-- 1 elasticsearch root 1306 Aug 22 05:47 README.txt
  8. -rw-r--r-- 1 elasticsearch root 1200 Aug 22 05:47 elasticsearch-ca.pem
  9. -rw-r--r-- 1 elasticsearch root  932 Aug 22 09:41 kibana.csr
  10. -rw-r--r-- 1 elasticsearch root 1675 Aug 22 09:41 kibana.key
  11. -rw-r--r-- 1 elasticsearch root 1052 Aug 22 05:47 sample-kibana.yml
复制代码
然后用这两个文件向您的内部CA或受信托的CA请求进行签名,以获得已签名的证书。签名的文件可以是不同的格式,例如.crt文件,如kibana-server.crt。这里我们用openssl通过下令生成kibana.crt:
  1. elasticsearch@master01:~$ cd kibana/
  2. elasticsearch@master01:~/kibana$ openssl x509 -req -in kibana.csr -signkey kibana.key -out kibana.crt
  3. Signature ok
  4. subject=CN = kibana
  5. Getting Private key
  6. elasticsearch@master01:~/kibana$ ls -l
  7. total 24
  8. -rw-r--r-- 1 elasticsearch root 1306 Aug 22 05:47 README.txt
  9. -rw-r--r-- 1 elasticsearch root 1200 Aug 22 05:47 elasticsearch-ca.pem
  10. -rw-r--r-- 1 elasticsearch root  985 Aug 22 09:48 kibana.crt
  11. -rw-r--r-- 1 elasticsearch root  932 Aug 22 09:41 kibana.csr
  12. -rw-r--r-- 1 elasticsearch root 1675 Aug 22 09:41 kibana.key
  13. -rw-r--r-- 1 elasticsearch root 1052 Aug 22 05:47 sample-kibana.yml
  14. elasticsearch@master01:/data/elk/es$ su
  15. 密码:
  16. root@master01:/data/elk/kibana/config# ls
  17. elasticsearch-ca.pem  kibana.yml  sample-kibana.yml
  18. root@master01:/data/elk/kibana/config# docker cp es:/usr/share/elasticsearch/kibana/kibana.crt ./
  19.                                                Successfully copied 2.56kB to /data/elk/kibana/config/./
  20. root@master01:/data/elk/kibana/config# docker cp es:/usr/share/elasticsearch/kibana/kibana.key ./
  21.                                                Successfully copied 3.58kB to /data/elk/kibana/config/./
  22. root@master01:/data/elk/kibana/config# ls -l
  23. 总计 20
  24. -rw-r--r-- 1 root root 1200  8月 22 13:47 elasticsearch-ca.pem
  25. -rw-r--r-- 1 root root  985  8月 22 17:48 kibana.crt
  26. -rw-r--r-- 1 root root 1675  8月 22 17:41 kibana.key
  27. -rwxrwxrwx 1 root root  697  8月 22 17:28 kibana.yml
  28. -rw-r--r-- 1 root root 1052  8月 22 13:47 sample-kibana.yml
复制代码
接下来在 Kibana 的配置文件 kibana.yml 中添加如下的配置:
  1. server.ssl:
  2.   enbled: true
  3.   certificate: kibana.crt
  4.   key: kibana.key
复制代码
然后重启kibana,却发现kibana控制台会一直报这个问题:no such file or directory, open 'kibana.key'

但是这个文件实际上是存在的,于是笔者尝试把kibana的这两个文件放在容器外的kibana/config配置目录下,并给足777的权限,并将kibana.yml配置文件中的crt和key文件用当地全路径名显示,然后重启~
  2. 2024-08-22T10:29:13.994158970Z Error: ENOENT: no such file or directory, open '/data/elk/kibana/config/kibana.key'
  4. 2024-08-22T10:29:13.994161535Z     at readFileSync (node:fs:448:20)
  6. 2024-08-22T10:29:13.994163709Z     at readFile (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/ssl/ssl_config.js:156:47)
  8. 2024-08-22T10:29:13.994165853Z     at new SslConfig (/usr/share/kibana/node_modules/@kbn/server-http-tools/src/ssl/ssl_config.js:111:18)
  10. 2024-08-22T10:29:13.994167987Z     at new HttpConfig (/usr/share/kibana/node_modules/@kbn/core-http-server-internal/src/http_config.js:356:16)
  12. 2024-08-22T10:29:13.994170132Z     at /usr/share/kibana/node_modules/@kbn/core-http-server-internal/src/http_service.js:51:163
  14. 2024-08-22T10:29:13.994172215Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/map.js:10:37
  16. 2024-08-22T10:29:13.994174299Z     at OperatorSubscriber._this._next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/OperatorSubscriber.js:33:21)
  18. 2024-08-22T10:29:13.994176464Z     at OperatorSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Subscriber.js:51:18)
  20. 2024-08-22T10:29:13.994178598Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/observable/combineLatest.js:51:40
  22. 2024-08-22T10:29:13.994180702Z     at OperatorSubscriber._this._next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/OperatorSubscriber.js:33:21)
  24. 2024-08-22T10:29:13.994182826Z     at OperatorSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Subscriber.js:51:18)
  26. 2024-08-22T10:29:13.994184950Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/map.js:10:24
  28. 2024-08-22T10:29:13.994187034Z     at OperatorSubscriber._this._next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/OperatorSubscriber.js:33:21)
  30. 2024-08-22T10:29:13.994189178Z     at OperatorSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Subscriber.js:51:18)
  32. 2024-08-22T10:29:13.994191282Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/distinctUntilChanged.js:18:28
  34. 2024-08-22T10:29:13.994193386Z     at OperatorSubscriber._this._next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/OperatorSubscriber.js:33:21)
  36. 2024-08-22T10:29:13.994195510Z     at OperatorSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Subscriber.js:51:18)
  38. 2024-08-22T10:29:13.994198405Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/map.js:10:24
  40. 2024-08-22T10:29:13.994200539Z     at OperatorSubscriber._this._next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/OperatorSubscriber.js:33:21)
  42. 2024-08-22T10:29:13.994202673Z     at OperatorSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Subscriber.js:51:18)
  44. 2024-08-22T10:29:13.994204797Z     at ReplaySubject._subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/ReplaySubject.js:54:24)
  46. 2024-08-22T10:29:13.994218644Z     at ReplaySubject.Observable._trySubscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:41:25)
  48. 2024-08-22T10:29:13.994220918Z     at ReplaySubject.Subject._trySubscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Subject.js:123:47)
  50. 2024-08-22T10:29:13.994223072Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:35:31
  52. 2024-08-22T10:29:13.994225156Z     at Object.errorContext (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/errorContext.js:22:9)
  54. 2024-08-22T10:29:13.994227260Z     at ReplaySubject.Observable.subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:26:24)
  56. 2024-08-22T10:29:13.994229354Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/share.js:65:18
  58. 2024-08-22T10:29:13.994231428Z     at OperatorSubscriber.<anonymous> (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/lift.js:14:28)
  60. 2024-08-22T10:29:13.994233963Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:30:30
  62. 2024-08-22T10:29:13.994236077Z     at Object.errorContext (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/errorContext.js:22:9)
  64. 2024-08-22T10:29:13.994238191Z     at Observable.subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:26:24)
  66. 2024-08-22T10:29:13.994240335Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/map.js:9:16
  68. 2024-08-22T10:29:13.994242399Z     at OperatorSubscriber.<anonymous> (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/lift.js:14:28)
  70. 2024-08-22T10:29:13.994244583Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:30:30
  72. 2024-08-22T10:29:13.994246647Z     at Object.errorContext (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/errorContext.js:22:9)
  74. 2024-08-22T10:29:13.994248771Z     at Observable.subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:26:24)
  76. 2024-08-22T10:29:13.994250875Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/distinctUntilChanged.js:13:16
  78. 2024-08-22T10:29:13.994253179Z     at OperatorSubscriber.<anonymous> (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/lift.js:14:28)
  80. 2024-08-22T10:29:13.994255343Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:30:30
  82. 2024-08-22T10:29:13.994257447Z     at Object.errorContext (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/errorContext.js:22:9)
  84. 2024-08-22T10:29:13.994259561Z     at Observable.subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:26:24)
  86. 2024-08-22T10:29:13.994261665Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/operators/map.js:9:16
  88. 2024-08-22T10:29:13.994263729Z     at OperatorSubscriber.<anonymous> (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/lift.js:14:28)
  90. 2024-08-22T10:29:13.994265873Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:30:30
  92. 2024-08-22T10:29:13.994267947Z     at Object.errorContext (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/util/errorContext.js:22:9)
  94. 2024-08-22T10:29:13.994273688Z     at Observable.subscribe (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/Observable.js:26:24)
  96. 2024-08-22T10:29:13.994275882Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/observable/combineLatest.js:44:28
  98. 2024-08-22T10:29:13.994277996Z     at maybeSchedule (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/observable/combineLatest.js:72:9)
  100. 2024-08-22T10:29:13.994280110Z     at _loop_1 (/usr/share/kibana/node_modules/rxjs/dist/cjs/internal/observable/combineLatest.js:41:17)
  102. 2024-08-22T10:29:13.994282224Z     at /usr/share/kibana/node_modules/rxjs/dist/cjs/internal/observable/combineLatest.js:61:17
  104. 2024-08-22T10:29:13.995961809Z
  106. 2024-08-22T10:29:13.995983350Z  FATAL  Error: ENOENT: no such file or directory, open '/data/elk/kibana/config/kibana.key'
复制代码
 仍然不行,突然想起当初在kibana容器内部生成后没有cp到容器内的config目录下,而是拷贝出来了。所以那里没有文件,所以笔者思量先拷贝进去重启试试:
  1. root@master01:/data/elk/kibana/config# docker exec -i kibana ls -l config
  2. total 8
  3. -rwxrwxrwx 1 root   root 775 Aug 22 09:54 kibana.yml
  4. -rw-rw-r-- 1 kibana root 447 Aug  5 11:20 node.options
  5. root@master01:/data/elk/kibana/config# docker cp kibana.key kibana:/usr/share/kibana/config
  6.                                              Successfully copied 3.58kB to kibana:/usr/share/kibana/config
  7. root@master01:/data/elk/kibana/config# docker cp kibana.crt kibana:/usr/share/kibana/config
  8.                                              Successfully copied 2.56kB to kibana:/usr/share/kibana/config
  9. root@master01:/data/elk/kibana/config# docker exec -i kibana ls -l config
  10. total 16
  11. -rw-r--r-- 1 root   root  985 Aug 22 09:48 kibana.crt
  12. -rwxrwxrwx 1 root   root 1675 Aug 22 09:41 kibana.key
  13. -rwxrwxrwx 1 root   root  775 Aug 22 09:54 kibana.yml
  14. -rw-rw-r-- 1 kibana root  447 Aug  5 11:20 node.options
复制代码
但是照旧不对,仍然报错:

最后只有最后一个办法,将那两个文件全用容器内的绝对路径地址在kibana.yml文件中标识。
  1. server.name: kibana
  2. server.port: 5601
  3. server.host: "0.0.0.0"
  4. xpack.monitoring.ui.container.elasticsearch.enabled: true
  5. telemetry.enabled: false
  6. i18n.locale: "zh-CN"
  9. # This section was automatically generated during setup.
  10. elasticsearch.hosts: ['https://192.168.1.200:9200']
  11. elasticsearch.username: kibana_system
  12. elasticsearch.password: elastic
  13. elasticsearch.ssl.certificateAuthorities: [/usr/share/kibana/data/ca_1724318819681.crt]
  14. xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://192.168.1.200:9200'], ca_trusted_fingerprint: 510c488576597352b09386b903a90e0c6c0ea030daa3328edb386a49298e7c1e}]
  16. server.ssl:
  17.     enabled: true
  18.     certificate: /usr/share/kibana/config/kibana.crt
  19.     key: /usr/share/kibana/config/kibana.key
复制代码
 得以解决。然后就能以https的情势访问kibana界面了~

四、Logstash配置增补

当我们在自己的硬件上运行Elasticsearch,并利用Elasticsearch集群的默认自签名证书,则需要以下步骤,以在Logstash和Elasticsearch之间建立安全通信。
起首需要将elasticsearch生成的部门证书文件从es容器内传到logstash的配置文件区。这里我们用的p12生成方式,所以包罗es-cert.p12证书和http.p12证书。假如用的pem,那么就是crt的。
  1. elasticsearch@master01:/root$ sudo docker cp es:/usr/share/elasticsearch/config/es-cert.p12 /data/elk/logstash/config
  2. [sudo] elasticsearch 的密码:
  3.                                                Successfully copied 5.63kB to /data/elk/logstash/config
  4. elasticsearch@master01:/root$ sudo docker cp es:/usr/share/elasticsearch/config/http.p12 /data/elk/logstash/config
  5.                                                Successfully copied 5.63kB to /data/elk/logstash/config
  6. root@master01:/data/elk/logstash/config# chmod 777 es-cert.p12 http.p12
  7. root@master01:/data/elk/logstash/config# ls -l
  8. 总计 20
  9. -rwxrwxrwx 1 root root 3596  8月 22 13:31 es-cert.p12
  10. -rwxrwxrwx 1 root root 3652  8月 22 16:46 http.p12
  11. -rwxrwxrwx 1 root root   18  8月 18 13:00 jvm.options
  12. -rwxrwxrwx 1 root root   60  8月 20 14:22 logstash.yml
  13. -rwxrwxrwx 1 root root   66  8月 22 19:18 pipelines.yml
复制代码
 然后修改管道配置文件中的output的es配置,添加ssl:
  1. root@master01:/data/elk/logstash/config# vi ../pipeline/pipeline-springboot-log.conf
  2. root@master01:/data/elk/logstash/config# cat ../pipeline/pipeline-springboot-log.conf
  3. # 输入配置
  4. input {
  5. #  beats {
  6. #    port => 5044
  7. #    client_inactivity_timeout => 36000
  8. #  }
  9.    redis {
  10.     host => "192.168.1.200"
  11.     port => "6379"
  12.     data_type => "list"
  13.     key => "filebeat-redis"
  14.     batch_count => "100"
  15.     db => "1"
  16.   }
  17. }
  19. # 过滤配置
  20. filter {
  21.   grok {
  22.     match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:$%{POSINT:syslog_pid}$)?: %{GREEDYDATA:syslog_message}" }
  23.   }
  24.   date {
  25.     match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  26.   }
  27. }
  29. # 输出配置
  30. output {
  31.   elasticsearch {
  32.     hosts => ["https://192.168.1.200:9200"]
  33.     user => "elastic"
  34.     password => "elastic"
  35.     ssl => true
  36.     ssl_certificate_verification =>true
  37.     keystore => "/usr/share/logstash/config/http.p12"
  38.     keystore_password => "elastic"
  39.     truststore => "/usr/share/logstash/config/es-cert.p12"
  40.     truststore_password => "elastic"
  41.     index => "logstash-addssl-%{+YYYY.MM.dd}"
  42.   }
  43.   stdout {
  44.     codec => rubydebug
  45.   }
  46. }
  48. root@master01:/data/elk/logstash/config# docker restart logstash
  49. logstash
复制代码
配置说明


  • hosts:Elasticsearch的地址,利用HTTPS协议。
  • user和password:Logstash连接Elasticsearch时利用的用户名和密码。
  • ssl:启用SSL。
  • ssl_certificate_verification:启用证书验证。
  • keystore和keystore_password:Logstash利用的密钥库文件路径和密码。
  • truststore和truststore_password:Logstash利用的信托库文件路径和密码。
最后等待运行成功即可。有日志文件更新后便能在kibana中网络到最新的日志信息了:

五、后记

至于最后的Filebeat,由于不会直面kibana和ElasticSearch,因此也就没有配置的须要了。到此为止,整个日志系统的基础安全认证设置流程就结束了。当然这只是一个模拟ELFK搭建的配置环境,并没有涉及到集群管理,正式环境上大概面临的问题会更多,多看日志结合官方文档查找即可。假如不足之处,欢迎指正~  


免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
继续阅读请点击广告

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

x
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

不到断气不罢休

论坛元老
这个人很懒什么都没写!

楼主热帖

标签云

渠道 国产数据库 集成商 AI 运维 CIO 存储 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表