
ELK加密访问


Elasticsearch集群加密

注意:以下步骤一定要用普通用户执行,Elasticsearch 以 root 用户启动时会直接拒绝启动。

主机名 ip 端口 服务
db04 10.0.0.54 9200.9300.5601 elasticsearch,kibana
db05 10.0.0.55 9200.9300 elasticsearch
db06 10.0.0.56 9200.9300 elasticsearch

具体步骤

三台db均执行

# 0.这里先优化一下系统(不然后面启动Es会报错)
修改/etc/security/limits.conf在最后添加
* soft nofile 65536
* hard nofile 131072
vim /etc/sysctl.conf 
vm.max_map_count=655360
sysctl -p
然后重启下系统reboot

# 1.创建普通用户并切换
[root@db04 ~]# useradd zx
[root@db04 ~]# su - zx

# 2.官网下载Elasticsearch7.+版本的二进制tar包
[zx@db04 ~]$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.0-linux-x86_64.tar.gz

# 3.解压
[zx@db04 ~]$ tar xf elasticsearch-7.9.0-linux-x86_64.tar.gz

# 4.创建认证机构
[zx@db04 ~]$ cd elasticsearch-7.9.0/bin/
[zx@db04 ~]$ ./elasticsearch-certutil ca 
##依次按回车(输出文件使用默认名 elastic-stack-ca.p12),然后输入 CA 密码

# 5.为节点颁发证书
[zx@db04 ~]$ ./elasticsearch-certutil cert --ca elastic-stack-ca.p12 
##依次输入上一步的 CA 密码,按回车(输出文件使用默认名 elastic-certificates.p12),再为节点证书设置密码(建议与上一步的 CA 密码相同)
[zx@db04 ~]$ ./elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password   #输入第5步为 elastic-certificates.p12 设置的密码(若按建议与 CA 密码相同,则两者一致)
[zx@db04 ~]$ ./elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password #同上,输入同一个密码(这里 keystore 和 truststore 指向同一个 p12 文件)

# 6.多节点配置
## 将生成的 elastic-certificates.p12、elastic-stack-ca.p12 文件 mv 到 config 目录下,并连同 elasticsearch.keystore 文件 scp 到其他节点的 config 目录中。(这里一定要注意权限:属主属组必须是运行 Elasticsearch 的普通用户。)另外,elastic-stack-ca.p12 内含 CA 私钥,而后面的 elasticsearch.yml 只引用 elastic-certificates.p12,节点运行并不需要 CA 文件;CA 文件建议只保留在一处妥善保管,没有必要分发到每个节点。

[root@db04 ~]# scp /home/zx/elasticsearch-7.9.0/config/elastic-certificates.p12 10.0.0.55:/home/zx/elasticsearch-7.9.0/config/
[root@db04 ~]# scp /home/zx/elasticsearch-7.9.0/config/elasticsearch.keystore 10.0.0.55:/home/zx/elasticsearch-7.9.0/config/
[root@db04 ~]# scp /home/zx/elasticsearch-7.9.0/config/elastic-stack-ca.p12 10.0.0.55:/home/zx/elasticsearch-7.9.0/config/
[root@db04 ~]# scp /home/zx/elasticsearch-7.9.0/config/elastic-stack-ca.p12 10.0.0.56:/home/zx/elasticsearch-7.9.0/config/
[root@db04 ~]# scp /home/zx/elasticsearch-7.9.0/config/elasticsearch.keystore 10.0.0.56:/home/zx/elasticsearch-7.9.0/config/
[root@db04 ~]# scp /home/zx/elasticsearch-7.9.0/config/elastic-certificates.p12 10.0.0.56:/home/zx/elasticsearch-7.9.0/config/

# 7.修正属主(因为是用 root 用户 scp 过去的,复制后的文件属主是 root,必须改回运行 Elasticsearch 的普通用户)
[root@db05 ~]# chown -R zx.zx /home/zx/
[root@db06 ~]# chown -R zx.zx /home/zx/


# 8.编辑配置文件
[zx@db04 ~]$ vim elasticsearch-7.9.0/config/elasticsearch.yml
# NOTE(review): network.host 0.0.0.0 exposes both 9200 (HTTP) and 9300
# (transport) on every interface; only the transport layer gets TLS below,
# so the REST port still speaks plaintext HTTP.
cluster.name: my-application
node.name: node-1
path.data: /home/zx/data
path.logs: /home/zx/logs
network.host: 0.0.0.0
http.port: 9200
# transport.tcp.port is the older spelling of transport.port; 7.9 still accepts
# it but logs a deprecation warning — verify in the node log.
transport.tcp.port: 9300
discovery.seed_hosts: ["10.0.0.54:9300", "10.0.0.55:9300","10.0.0.56:9300"]
cluster.initial_master_nodes: ["node-1"]
# NOTE(review): CORS is opened to every origin while the Authorization header is
# allowed through. This is only needed for browser clients such as the head
# plugin; restrict allow-origin to that client's origin instead of "*".
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
# Transport (node-to-node, 9300) TLS only. The HTTP layer (9200) is not covered
# here, so the basic-auth passwords set later cross the network in clear;
# xpack.security.http.ssl.enabled is the matching setting for that layer —
# confirm whether plaintext HTTP is acceptable on this network.
xpack.security.transport.ssl.enabled: true
# "certificate" checks the chain against the truststore but not the hostname,
# which matches node certificates generated by certutil without --dns/--ip.
xpack.security.transport.ssl.verification_mode: certificate
# Same PKCS#12 file serves as keystore and truststore; its password comes from
# the two elasticsearch-keystore entries added in step 5.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

[zx@db05 ~]$ cat elasticsearch-7.9.0/config/elasticsearch.yml 
# Second node: identical to node-1 except node.name. The same caveats apply —
# 0.0.0.0 binds every interface, CORS is wide open, and only the transport
# layer (9300) is TLS-protected; 9200 remains plaintext HTTP.
cluster.name: my-application
node.name: node-2
path.data: /home/zx/data
path.logs: /home/zx/logs
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: ["10.0.0.54:9300", "10.0.0.55:9300","10.0.0.56:9300"]
cluster.initial_master_nodes: ["node-1"]
# NOTE(review): "*" with Authorization allowed is broader than the head plugin
# needs; restrict allow-origin to the plugin's origin.
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
# Transport TLS only; no xpack.security.http.ssl.* here, so REST traffic and
# basic-auth credentials are unencrypted on 9200.
xpack.security.transport.ssl.enabled: true
# Chain verification without hostname check (certutil certs carry no names).
xpack.security.transport.ssl.verification_mode: certificate
# Same p12 copied from db04 in step 6; must be owned by the zx user.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12


[zx@db06 ~]$ cat elasticsearch-7.9.0/config/elasticsearch.yml 
# Third node: identical to node-1 except node.name. The same caveats apply —
# 0.0.0.0 binds every interface, CORS is wide open, and only the transport
# layer (9300) is TLS-protected; 9200 remains plaintext HTTP.
cluster.name: my-application
node.name: node-3
path.data: /home/zx/data
path.logs: /home/zx/logs
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.seed_hosts: ["10.0.0.54:9300", "10.0.0.55:9300","10.0.0.56:9300"]
cluster.initial_master_nodes: ["node-1"]
# NOTE(review): "*" with Authorization allowed is broader than the head plugin
# needs; restrict allow-origin to the plugin's origin.
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
# Transport TLS only; no xpack.security.http.ssl.* here, so REST traffic and
# basic-auth credentials are unencrypted on 9200.
xpack.security.transport.ssl.enabled: true
# Chain verification without hostname check (certutil certs carry no names).
xpack.security.transport.ssl.verification_mode: certificate
# Same p12 copied from db04 in step 6; must be owned by the zx user.
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# 9.启动Elasticsearch集群
[zx@db04 ~]$ elasticsearch-7.9.0/bin/elasticsearch -d
[zx@db05 ~]$ elasticsearch-7.9.0/bin/elasticsearch -d
[zx@db06 ~]$ elasticsearch-7.9.0/bin/elasticsearch -d

# 10.确认进程已启动、端口(9200 和 9300)已处于监听状态
[zx@db04 ~]$ ps -ef |grep elasticsearch
[zx@db04 ~]$ netstat -lntp

# 11.设置内置用户密码(一定要在集群已成功组建并正常运行的情况下再执行;密码保存在集群内部的安全索引里,集群没有组成时无法同步到各节点)
[zx@db04 ~]$ cd elasticsearch-7.9.0/bin/
[zx@db04 bin]$ ./elasticsearch-setup-passwords interactive

dGjjbT.png

# 12.设置成功后,可以通过用户名密码访问es服务:http://10.0.0.54:9200
##输入内置用户名(如 elastic)和刚才设置的密码即可访问。注意这里是 http 而不是 https:上面的配置只对 9300 传输层启用了 TLS,9200 的 HTTP 层并未加密,Basic Auth 的用户名密码会明文经过网络。

dGjzaF.png

dGvP2R.png

# Es的head插件也是一样

dGvS54.png

dGvCG9.png

配置kibana访问密码

## 这里需要注意的是,不要在 kibana.yml 配置文件里面以明文写 es 访问的用户名和密码,应通过 kibana-keystore 保存:先执行 bin/kibana-keystore create,再分别执行 bin/kibana-keystore add elasticsearch.username 和 bin/kibana-keystore add elasticsearch.password 交互式输入,之后 kibana.yml 中就不再写这两项。下面给出的 kibana.yml 示例仍然是明文写法,仅供对照:


# 1.下载kibana最新的二进制tar包
[zx@db04 ~]$ wget https://artifacts.elastic.co/downloads/kibana/kibana-7.9.0-linux-x86_64.tar.gz

# 2.解压
[zx@db04 ~]$ tar xf kibana-7.9.0-linux-x86_64

# 3.配置kibana
[zx@db04 ~]$ vim kibana-7.9.0-linux-x86_64/config/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
# NOTE(review): bound to a routable address while server.ssl.enabled stays at its
# default below, so browser logins to Kibana travel over plaintext HTTP.
server.host: "10.0.0.54"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name.  This is used for display purposes.
#server.name: "your-hostname"

# The URLs of the Elasticsearch instances to use for all your queries.
# http:// matches the Elasticsearch config above, which enables TLS only on the
# transport layer; the credentials below are therefore sent to ES in clear.
elasticsearch.hosts: ["http://10.0.0.54:9200"]

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
# NOTE(review): plaintext superuser credentials in a config file. Store them with
# `bin/kibana-keystore add elasticsearch.username` / `elasticsearch.password`
# and drop these two lines; if they must stay here, keep kibana.yml readable
# only by the user that runs Kibana. The value shown is the example password
# from this write-up, not one to reuse.
elasticsearch.username: "elastic"
elasticsearch.password: "123456"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
#elasticsearch.logQueries: false

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid

# Enables you to specify a file where Kibana stores log output.
#logging.dest: stdout

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en"


##  主要是在里面配置 elastic 的用户名和密码(上面示例中的 elasticsearch.username / elasticsearch.password 两行是明文写法;按本节开头的说明,应改为写入 kibana-keystore 并把这两行从 kibana.yml 中删除)

# 4.启动kibana(下面的命令在前台运行并丢弃全部输出;首次启动排查问题时建议先不要重定向到 /dev/null,需要后台运行时再用 nohup ... & 的方式)
[zx@db04 config]$ ../bin/kibana &> /dev/null


# 5.访问页面并登录 
10.0.0.54:5601

dGjxVU.png

dGv9PJ.png

配置logstash

# 只需在logstash配置文件中加入
修改logstash配置文件

# NOTE(review): hosts carry no scheme, so this is plain HTTP, consistent with
# the ES cluster above having TLS only on the transport layer. The addresses
# (192.168.2.x) do not match the 10.0.0.5x nodes built earlier — presumably
# copied from another environment; confirm before reuse.
output {
    stdout { codec => rubydebug }
    elasticsearch {
          hosts => ["192.168.2.130:9200","192.168.2.131:9200"]
          index => "nginx-test-%{+YYYY.MM.dd}"
          # The password is a literal in the pipeline file: keep the file
          # readable only by the logstash user, or store the value with
          # bin/logstash-keystore and reference it with the ${KEY} syntax.
          # "123456" is the example value from this write-up, not one to reuse.
          user => "elastic"      ## just add these two lines with the elasticsearch user and password
          password => "123456"
    }
}

报错

# 昨天在设置密码那一步一直报错,后来找到原因:密码是在集群停止之后生成的,导致密码没有在集群间共享,节点之间无法连通、数据无法同步,所以集群一直处于裂成 2 节点和 1 节点两部分的状态。


##解决方法:
创建本地超级账户,然后使用api接口本地超级账户重置elastic账户的密码
(1) 停止elasticsearch服务
(2) 确保你的配置文件中支持本地账户认证支持,如果你使用的是xpack的默认配置则无需做特殊修改;如果你配置了其他认证方式则需要确保配置本地认证方式在ES_HOME/config/elasticsearch.yml中;
(3) 使用命令 ES_HOME/bin/x-pack/users(6.x;7.x 中对应的工具为 ES_HOME/bin/elasticsearch-users)创建一个基于本地文件(file realm)认证的超级管理员。注意下面示例用 -p 把密码直接写在命令行上,会留在 shell 历史里并能被 ps 看到;省略 -p 时工具会交互式提示输入密码:
elasticsearch-7.8.0/bin/x-pack-security-env useradd zhangxin -p 123456 -r superuser  //elasticsearch # 7.x版本
bin/x-pack/users useradd zhangxin -p 123456 -r superuser  //elasticsearch  # 6.x版本
(4) 启动elasticsearch服务
(5) 通过api重置elastic超级管理员的密码
curl -u my_admin -XPUT 'http://localhost:9200/_xpack/security/user/elastic/_password?pretty' -H 'Content-Type: application/json' -d '{"password" : "new_password"}'
例子:
curl -u zhangxin -XPUT 'http://localhost:9200/_xpack/security/user/elastic/_password?pretty' -H 'Content-Type: application/json' -d '{"password" : "1234567"}'
(6) 校验下密码是否重置成功
curl -u elastic 'http://localhost:9200/_xpack/security/_authenticate?pretty'


# 然后删除 data 目录(注意:这会清空该节点上已有的全部索引数据,仅在数据可以丢弃时这样做)并重启 elasticsearch,发现集群状态正常了,节点也能连通了
##再通过
[zx@db04 ~]$ cd elasticsearch-7.9.0/bin/
[zx@db04 bin]$ ./elasticsearch-setup-passwords interactive
以上两个命令去设置密码

#注意 es 6 和 es 7版本不同之处

