Cluster authentication and user authorization, secure communication inside the cluster, secure communication between the cluster and the outside


One host, IP 192.168.80.10, running one Elasticsearch node and one Kibana instance

Intended result

  1. Elasticsearch nodes must pass certificate verification before they can join the cluster
  2. Kibana talks to the Elasticsearch cluster over HTTPS
  3. Elasticsearch cluster nodes are accessed over HTTPS
  4. Kibana is accessed from the browser over HTTPS

Logstash may be added later; the official documentation is here:
https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html

Default users and roles

- Elasticsearch steps

# first enable these two settings in the configuration file
xpack.security.enabled: true
# xpack.security.transport.ssl.enabled: true # leave this one off for now

# then restart the es cluster

# set the passwords of the default (built-in) users
bin/elasticsearch-setup-passwords interactive

# create the keystore file
# bin/elasticsearch-keystore create # skip this step if the config folder already contains one

# generate the CA certificate; press Enter through every prompt
bin/elasticsearch-certutil ca   # produces the CA certificate: elastic-stack-ca.p12

# generate the certificate the nodes use; press Enter through every prompt
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12   # produces the node certificate: elastic-certificates.p12

# create the certificate directory and move the certificate under config/
mkdir -p config/certs
mv elastic-certificates.p12 config/certs

# cluster authentication and user authorization
xpack.security.enabled: true # no need to set it again if already set

# secure communication inside the cluster
xpack.security.transport.ssl.enabled: true # no need to set it again if already set
xpack.security.transport.ssl.verification_mode: certificate # certificate verification level
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 # path to the node certificate
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# secure communication between the cluster and the outside
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12

# restart the es cluster
# watch the logs and make sure the node process has permission to read the certificate files

- Kibana steps

# on the es host
# copy the node certificate from the es node into the kibana root directory
cp /usr/local/elasticsearch-7.5.0/config/certs/elastic-certificates.p12 /usr/local/kibana-7.5.0-linux-x86_64/

# on the kibana host
# generate the certificate kibana uses for its https connection to es
# elastic-certificates.p12 is the node certificate from the previous step (mind the file's permissions); elastic-ca.pem is the generated CA certificate that kibana will use
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem

# create the certificate directory and move the certificates under config/
mkdir -p config/certs
mv elastic-certificates.p12 elastic-ca.pem config/certs

# kibana: connect to ES over https
elasticsearch.hosts: ["https://192.168.80.10:9200"]
elasticsearch.ssl.certificateAuthorities: ["/usr/local/kibana-7.5.0-linux-x86_64/config/certs/elastic-ca.pem"]
elasticsearch.ssl.verificationMode: certificate # certificate verification level

# kibana: connect to ES with a username and password
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"

# access kibana over https
# on the es host
bin/elasticsearch-certutil ca --pem   # produces elastic-stack-ca.zip
unzip elastic-stack-ca.zip
# this yields ca.crt and ca.key
   creating: ca/
  inflating: ca/ca.crt
  inflating: ca/ca.key

# copy the certificates generated in the previous step from the es node into the kibana certificate directory
cp /usr/local/elasticsearch-7.5.0/ca/* /usr/local/kibana-7.5.0-linux-x86_64/config/certs/
# optional: adjust the certificate file permissions

# on the kibana host
# enable https and point at the certificate (mind how the certificate path is written)
server.ssl.enabled: true
server.ssl.certificate: config/certs/ca.crt
server.ssl.key: config/certs/ca.key

Elasticsearch configuration file

cluster.name: my-application
node.name: node0
path.data: node0_data
network.host: 192.168.80.10
http.port: 9200
discovery.seed_hosts: ["192.168.80.10"]
cluster.initial_master_nodes: ["192.168.80.10"]

xpack.security.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

Kibana configuration file

server.port: 5601
server.host: "192.168.80.10"
elasticsearch.hosts: ["https://192.168.80.10:9200"]

elasticsearch.username: "kibana"
elasticsearch.password: "changeme"

server.ssl.enabled: true
server.ssl.certificate: config/certs/ca.crt
server.ssl.key: config/certs/ca.key

elasticsearch.ssl.certificateAuthorities: ["/usr/local/kibana-7.5.0-linux-x86_64/config/certs/elastic-ca.pem"]
elasticsearch.ssl.verificationMode: certificate
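As an added check, not part of the original post and not code from Elastic: a small Python script that parses the flat `key: value` style both configuration files above use and flags settings that would undo what this page sets up (security or TLS switched off, `verification_mode`/`verificationMode` set to `none`, a plain `http://` Elasticsearch host, a missing CA file, or the placeholder password `changeme` left in place). The parser is deliberately minimal (dotted keys, booleans, inline lists, trailing `#` comments), not a full YAML parser, and the two sample configs are constructed from the values shown on the page.

```python
import re

# Constructed sample: the security-related Elasticsearch settings from the page.
ES_YML = """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""
# Constructed sample: the Kibana settings from the page.
KIBANA_YML = """
elasticsearch.hosts: ["https://192.168.80.10:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "changeme"
server.ssl.enabled: true
server.ssl.certificate: config/certs/ca.crt
server.ssl.key: config/certs/ca.key
elasticsearch.ssl.certificateAuthorities: ["/usr/local/kibana-7.5.0-linux-x86_64/config/certs/elastic-ca.pem"]
elasticsearch.ssl.verificationMode: certificate # chain checked, hostname not
"""
_TRAILING_COMMENT = re.compile(r"\s+#.*$")  # a '#' inside quotes is not handled

def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s

def _parse_value(raw):
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):  # inline list
        inner = raw[1:-1].strip()
        return [_unquote(x) for x in inner.split(",")] if inner else []
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return _unquote(raw)

def parse_flat_yaml(text):
    """Parse the dotted 'key: value' lines both config files use into a dict."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, val = _TRAILING_COMMENT.sub("", line.rstrip()).partition(":")
        if sep:
            cfg[key.strip()] = _parse_value(val)
    return cfg

def lint_elasticsearch(cfg):
    """(severity, message) findings for the three protections the page enables."""
    out = []
    if cfg.get("xpack.security.enabled") is not True:
        out.append(("high", "xpack.security.enabled is not true: no authentication or authorization"))
    if cfg.get("xpack.security.transport.ssl.enabled") is not True:
        out.append(("high", "transport TLS is off: a node can join the cluster without a certificate"))
    else:
        mode = cfg.get("xpack.security.transport.ssl.verification_mode", "full")  # ES default is full
        if mode == "none":
            out.append(("high", "transport verification_mode none: peer certificates are not validated"))
        elif mode == "certificate":
            out.append(("info", "transport verification_mode certificate: chain checked, hostname not; 'full' checks both"))
        for key in ("xpack.security.transport.ssl.keystore.path", "xpack.security.transport.ssl.truststore.path"):
            if key not in cfg:
                out.append(("high", f"{key} missing: nothing to present or trust on the transport layer"))
    if cfg.get("xpack.security.http.ssl.enabled") is not True:
        out.append(("high", "HTTP TLS is off: credentials sent to port 9200 travel in clear text"))
    return out

def lint_kibana(cfg):
    """(severity, message) findings for Kibana's link to ES and its browser endpoint."""
    out = []
    hosts = cfg.get("elasticsearch.hosts", [])
    hosts = [hosts] if isinstance(hosts, str) else hosts
    plain = [h for h in hosts if not h.startswith("https://")]
    if plain:
        out.append(("high", f"elasticsearch.hosts not https: {plain}"))
    else:
        if "elasticsearch.ssl.certificateAuthorities" not in cfg:
            out.append(("medium", "no certificateAuthorities: a self-signed Elasticsearch CA cannot be verified"))
        mode = cfg.get("elasticsearch.ssl.verificationMode", "full")  # Kibana default is full
        if mode == "none":
            out.append(("high", "verificationMode none: any certificate from Elasticsearch is accepted"))
        elif mode == "certificate":
            out.append(("info", "verificationMode certificate: the ES node's hostname is not checked"))
    if cfg.get("server.ssl.enabled") is not True:
        out.append(("high", "server.ssl.enabled is not true: browser sessions to Kibana are unencrypted"))
    else:
        for key in ("server.ssl.certificate", "server.ssl.key"):
            if key not in cfg:
                out.append(("high", f"{key} missing while server.ssl.enabled is true"))
    if cfg.get("elasticsearch.password") == "changeme":
        out.append(("high", "elasticsearch.password is still the placeholder 'changeme'"))
    return out

if __name__ == "__main__":
    for name, text, lint in (("elasticsearch.yml", ES_YML, lint_elasticsearch),
                             ("kibana.yml", KIBANA_YML, lint_kibana)):
        for sev, msg in lint(parse_flat_yaml(text)):
            print(f"{name}: [{sev}] {msg}")
```

Run as a script it prints one line per finding; on the page's own settings the only Elasticsearch finding is informational: `verification_mode: certificate` validates the chain but not the hostname, so `full` is the stricter choice once the node certificate carries the right names. For the Kibana file it also flags the `changeme` password, which is the placeholder the page uses and should be replaced with the value set by `elasticsearch-setup-passwords`.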
