Enabling Security Authentication in Elasticsearch


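Security authentication for Elasticsearch can be implemented in two ways: the first uses the security features of X-Pack, and the second relies on Nginx. Both approaches are briefly described below.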

Using Elasticsearch's built-in security authentication

Add the security authentication settings to elasticsearch.yml, for example:

cluster.name: my-application
node.name: node-1
path.data: /data/elasticsearch/path/to/data
path.logs: /data/elasticsearch/path/to/logs
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["172.31.6.21"]

# Enable security authentication
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

 

Using Nginx to implement security authentication for Elasticsearch

Create an nginx account for basic authentication:

htpasswd -c /etc/nginx/htpasswd.users kibanauser

After pressing Enter, you are prompted to enter and confirm the user's password:

$ htpasswd -c /etc/nginx/htpasswd.users kibanauser
New password: 
Re-type new password: 
Adding password for user kibanauser

Modify the nginx.conf configuration:

# Elasticsearch HTTP API, reached by nginx over loopback
upstream elasticsearch {
  server 127.0.0.1:9200;
  keepalive 15;
}

# Kibana, reached by nginx over loopback
upstream kibana {
  server 127.0.0.1:5601;
  keepalive 15;
}

# Port 8881: Elasticsearch behind HTTP basic authentication
server {
  listen 8881;

  location / {
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    proxy_pass http://elasticsearch;
    proxy_redirect off;
    proxy_buffering off;

    # Reuse upstream connections (HTTP/1.1 keep-alive)
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
  }
}

# Port 8882: Kibana behind HTTP basic authentication
server {
  listen 8882;

  location / {
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    proxy_pass http://kibana;
    proxy_redirect off;
    proxy_buffering off;

    # Reuse upstream connections (HTTP/1.1 keep-alive)
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
  }
}

Restart the Nginx service and verify that authentication works.
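The verification step above, as an added example that is not part of the original article: a Python check, run from another machine, that confirms port 8881 answers 401 without valid credentials and that port 9200 cannot be used to go around the proxy, which matters because the sample elasticsearch.yml binds to 0.0.0.0. The address 192.0.2.10 is a placeholder and the function names are hypothetical.

```python
import base64
import urllib.error
import urllib.request

# Ignore http_proxy/https_proxy so each probe goes straight to the target host.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def http_status(url, user=None, password=None, timeout=5):
    """GET url; return the HTTP status code, or None if nothing answers."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # 401, 403, ... still carry a status
        return exc.code
    except OSError:  # URLError subclasses OSError: refused, timeout, DNS failure
        return None


def verify_auth(proxy_url, direct_url, user, password, probe=http_status):
    """Return a list of problems; an empty list means auth is enforced."""
    findings = []
    if probe(proxy_url) != 401:
        findings.append("proxy answers without credentials")
    if probe(proxy_url, user, "wrong-" + password) != 401:
        findings.append("proxy accepts a wrong password")
    if probe(proxy_url, user, password) != 200:
        findings.append("proxy rejects the valid account")
    direct = probe(direct_url)  # port 9200, bypassing nginx
    if direct is not None and direct != 401:
        findings.append(f"backend reachable without auth (HTTP {direct})")
    return findings


if __name__ == "__main__":
    import getpass
    # Assumption: 192.0.2.10 is a placeholder for the server's external address.
    # Ports 8881 and 9200 and the kibanauser account come from the configs above.
    problems = verify_auth("http://192.0.2.10:8881/", "http://192.0.2.10:9200/",
                           "kibanauser", getpass.getpass("Password: "))
    print("\n".join(problems) or "OK: authentication is enforced")
```

When only the Nginx approach is used, a finding for port 9200 means Elasticsearch should listen on 127.0.0.1 or be firewalled so that clients can reach it only through the proxy.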

 

Reference

https://elasticstack.blog.csdn.net/article/details/112213364

 

