介绍

Elasticsearch 程序中提供 elasticsearch-certutil 命令来简化生成证书的过程。

该命令共有 3 种模式:

  • CA 模式:用于生成一个新的证书颁发机构
  • CERT 模式:用于生成 X.509 证书和私钥
  • CSR 模式:用于生成证书签名请求,该请求指向受信任的证书颁发机构以获取签名的证书。签名证书必须为 PEM 或 PKCS#12 格式,才能与 Elasticsearch 安全功能一起使用

生成证书

certutil 官方文档

如果集群部署,想为每个 node 都配置 SSL,就改 instance.ymlextra_hosts

参考:https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash

注意:证书位置必须写绝对路径

新建 instance.yml 以创建各容器的自签名证书

1
2
3
4
5
6
7
8
9
# name会对应到生成证书文件的路径名称
# dns可以多个,对应其匹配域名
instances:
  - name: 'es-node1'
    dns: ['node1.elastic.com']
  - name: 'logstash'
    dns: ['node1.logstash.com']
  - name: 'kibana'
    dns: ['kibana.com']

拷贝到 ES 容器

1
docker cp instance.yml elasticsearch:/usr/share/elasticsearch/

进入 ES 容器,执行如下命令

例如:生成 10 年的证书

1
bin/elasticsearch-certutil cert ca --days 3650 --pem --in instance.yml --out certs.zip

从容器拷贝到宿主机上

1
docker cp elasticsearch:/usr/share/elasticsearch/certs.zip /opt/elk/ssl

解压

1
unzip certs.zip -d ./certs

复制 CA 证书

会解压出四个文件夹,将 ca 文件夹下的 ca.crt 文件复制到另外四个目录下:

1
2
3
4
cd certs/
cp ca.crt es-node1/
cp ca.crt logstash/
cp ca.crt kibana/

docker-compose.yml 调整

ES 配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
elasticsearch:
  ...
  privileged: true
  ...
  volumes:
    ...
    # 修改此处路径映射
    # 宿主机路径:容器路径
    - /opt/elk/ssl/certs/es-node1:/usr/share/elasticsearch/config/certs
  ...
  extra_hosts:
    # 配置ip映射
    - "kibana.com:10.104.8.126"
    - "node1.logstash.com:10.104.8.126"
    - "node1.elastic.com:127.0.0.1"
    - "es-node1:127.0.0.1"

Kibana 配置

1
2
3
4
5
6
7
8
9
10
11
12
kibana:
  ...
  volumes:
    # 修改此处路径映射
    # 宿主机路径:容器路径
    - /opt/elk/ssl/certs/kibana:/usr/share/kibana/config/certs
  extra_hosts:
    # 配置ip映射
    - "kibana.com:127.0.0.1"
    - "node1.logstash.com:10.104.8.126"
    - "node1.elastic.com:10.104.8.126"
    - "es-node1:10.104.8.126"

Logstash 配置

1
2
3
4
5
6
7
8
9
10
11
12
logstash:
  ...
  volumes:
    # 修改此处路径映射
    # 宿主机路径:容器路径
    - /opt/elk/ssl/certs/logstash:/usr/share/logstash/config/certs
  extra_hosts:
    # 配置ip映射
    - "kibana.com:10.104.8.126"
    - "node1.logstash.com:127.0.0.1"
    - "node1.elastic.com:10.104.8.126"
    - "es-node1:10.104.8.126"

配置文件调整

kibana.yml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
server.name: "kibana"
server.host: "0.0.0.0"
server.ssl.enabled: true
# 证书,compose.yml配置中去看
server.ssl.certificate: /usr/share/kibana/config/certs/kibana.crt
# 证书,compose.yml配置中去看
server.ssl.key: /usr/share/kibana/config/certs/kibana.key
# 证书,compose.yml配置中去看
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
# 这里有仨值,直接谷歌这个key看下解释
# elasticsearch.ssl.verificationMode: none
elasticsearch.hosts: ["https://node1.elastic.com:9200"]
elasticsearch.username: kibana_system
elasticsearch.password: xxx
# 如果不写,每次回无法看到上次产出报的问题
xpack.reporting.encryptionKey: fd7c75cf-6abd-4704-a614-10a8679d64e7
# 下面这俩告警的
monitoring.ui.enabled: true
monitoring.ui.container.logstash.enabled: true
# 这是一个关于沙盒相关的(具体会影响啥不太清楚,我只是为了关掉warning)
xpack.reporting.capture.browser.chromium.disableSandbox: false
# 外网访问地址
server.publicBaseUrl: https://xxx:5601
# 告警相关
xpack.encryptedSavedObjects.encryptionKey: 554d5cab-b336-eb0a-e128-6c5012dcc330
# 中文
i18n.locale: "zh-CN"

elasticsearch.yml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# 集群名称
cluster.name: elasticsearch-cluster
# 节点名称
node.name: es-node1
# 绑定host,0.0.0.0代表当前节点的ip(这里别改,就全员就行)
network.host: 0.0.0.0
# 设置其它节点和该节点交互的ip地址,如果不设置它会自动判断,值必须是个真实的ip地址(本机ip)
network.publish_host: node1.elastic.com
# 设置对外服务的http端口,默认为9200
http.port: 9200
# 设置节点间交互的tcp端口,默认是9300
transport.tcp.port: 9300
# 是否支持跨域,默认为false
http.cors.enabled: true
# 当设置允许跨域,默认为*,表示支持所有域名,如果我们只是允许某些网站能访问,那么可以使用正则表达式。比如只允许本地地址。 /https?:\/\/localhost(:[0-9]+)?/
http.cors.allow-origin: "*"
discovery.type: single-node
# 表示这个节点是否可以充当主节点
node.master: true
# 是否充当数据节点
node.data: true
# 所有主从节点ip:port(这里得改)
discovery.seed_hosts: ["node1.elastic.com"]
# 这里配了,然后不配discovery.type: single-node就会以集群方式启动
# cluster.initial_master_nodes: ["es-node1"]
# 这个参数决定了在选主过程中需要 有多少个节点通信  预防脑裂
discovery.zen.minimum_master_nodes: 1
# 跨域允许设置的头信息,默认为X-Requested-With,Content-Type,Content-Lengt
http.cors.allow-headers: Authorization
# 锁内存,提前占用内存
bootstrap.memory_lock: true
# 这条配置表示开启xpack认证机制
xpack.security.enabled: true
# 下面这些都跟证书有关
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/es-node1.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node1.crt
xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/es-node1.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node1.crt
xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
# 这里有仨值,直接谷歌这个key看下解释
# xpack.security.transport.ssl.verification_mode: none

Logstash Pipeline 配置

路径:/usr/share/logstash/pipeline/conf.d/*.conf

注意:针对 Beats 输入插件,需要将 logstash.key 转换为 PKCS8 格式:

1
openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.pkcs8.key
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
input {
  beats {
    port => 5044
    ssl => true
    ssl_key => '/usr/share/logstash/config/certs/logstash.pkcs8.key'
    ssl_certificate => '/usr/share/logstash/config/certs/logstash.crt'
  }
}
......
output {
  elasticsearch {
    hosts => ["https://node1.elastic.com:9200"]
    index => "%{env}-xxx-%{indexDay}"
    cacert => '/usr/share/logstash/config/certs/ca.crt'
    # ssl_certificate_verification => false
    user => "elastic"
    password => "xxx"
  }
}

logstash.yml

将 Logstash 监控数据传送到安全集群:

1
2
3
4
5
6
7
8
node.name: logstash
path.config: /usr/share/logstash/pipeline/conf.d/*.conf
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: xxx
xpack.monitoring.elasticsearch.hosts: ["https://node1.elastic.com:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/certs/ca.crt
#xpack.monitoring.elasticsearch.ssl.verification_mode: none

filebeat.yml

ca.crt 复制到 Filebeat 所在服务器

1
2
3
4
5
6
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # logstash服务ip (经测试,这里写ip和dns都可)
  hosts: ["ip或dns"]
  ssl.certificate_authorities:
    - /etc/filebeat/ssl/ca.crt