介绍

Elasticsearch 程序中提供elasticsearch-certutil命令来简化生成证书的过程。

该命令共有 3 种模式：

CA 模式，用于生成一个新的证书颁发机构。
CERT 模式，用于生成 X.509 证书和私钥。
CSR 模式，用于生成证书签名请求，该请求指向受信任的证书颁发机构以获取签名的证书。签名证书必须为 PEM 或 PKCS#12 格式，才能与 Elasticsearch 安全功能一起使用。

生成证书

certutil官方文档

如果集群部署, 想为每个node都配置ssl, 就改instance.yml和extra_hosts

参考: https://www.elastic.co/cn/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash

证书位置必须写绝对路径

新建instance.yml以创建各容器的自签名证书

# name会对应到生成证书文件的路径名称
# dns可以多个，对应其匹配域名
instances:
  - name: 'es-node1'
    dns: ['node1.elastic.com']
  - name: 'logstash'
    dns: ['node1.logstash.com']
  - name: 'kibana'
    dns: ['kibana.com']

拷贝到es容器

1	docker cp instance.yml elasticsearch:/usr/share/elasticsearch/

进入es容器, 执行如下命令
eg: 生成10年的证书

1	bin/elasticsearch-certutil cert ca --days 3650 --pem --in instance.yml --out certs.zip

从容器拷贝到宿主机上

1	docker cp elasticsearch:/usr/share/elasticsearch/certs.zip /opt/elk/ssl

解压
1
unzip certs.zip -d ./certs
会解压出四个文件夹, 将ca文件夹下的ca.crt文件copy到另外四个目录下
1
2
3
4
cd certs/
cp ca.crt es-node1/
cp ca.crt logstash/
cp ca.crt kibana/

docker-compose.yml调整

elasticsearch:
  ...
  privileged: true
  ...
  volumes:
    ...
    # 修改此处路径映射
    # 宿主机路径：容器路径
    - /opt/elk/ssl/certs/es-node1:/usr/share/elasticsearch/config/certs
  ...
  extra_hosts:
    # 配置ip映射
    - "kibana.com:10.104.8.126"
    - "node1.logstash.com:10.104.8.126"
    - "node1.elastic.com:127.0.0.1"
    - "es-node1:127.0.0.1"

kibana

kibana:
  ...
  volumes:
    # 修改此处路径映射
    # 宿主机路径：容器路径
    - /opt/elk/ssl/certs/kibana:/usr/share/kibana/config/certs
  extra_hosts:
    # 配置ip映射
    - "kibana.com:127.0.0.1"
    - "node1.logstash.com:10.104.8.126"
    - "node1.elastic.com:10.104.8.126"
    - "es-node1:10.104.8.126"

logstash

logstash:
  ...
  volumes:
    # 修改此处路径映射
    # 宿主机路径：容器路径
    - /opt/elk/ssl/certs/logstash:/usr/share/logstash/config/certs
  extra_hosts:
    # 配置ip映射
    - "kibana.com:10.104.8.126"
    - "node1.logstash.com:127.0.0.1"
    - "node1.elastic.com:10.104.8.126"
    - "es-node1:10.104.8.126"

conf(conf配置文件)

kibana.yml

server.name: "kibana"
server.host: "0.0.0.0"
server.ssl.enabled: true
# 证书,compose.yml配置中去看
server.ssl.certificate: /usr/share/kibana/config/certs/kibana.crt
# 证书,compose.yml配置中去看
server.ssl.key: /usr/share/kibana/config/certs/kibana.key
# 证书,compose.yml配置中去看
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
# 这里有仨值,直接谷歌这个key看下解释
# elasticsearch.ssl.verificationMode: none
elasticsearch.hosts: ["https://node1.elastic.com:9200"]
elasticsearch.username: kibana_system
elasticsearch.password: xxx
# 如果不写,每次回无法看到上次产出报的问题
xpack.reporting.encryptionKey: fd7c75cf-6abd-4704-a614-10a8679d64e7
# 下面这俩告警的
monitoring.ui.enabled: true
monitoring.ui.container.logstash.enabled: true
# 这是一个关于沙盒相关的(具体会影响啥不太清楚,我只是为了关掉warning)
xpack.reporting.capture.browser.chromium.disableSandbox: false
# 外网访问地址
server.publicBaseUrl: https://xxx:5601
# 告警相关
xpack.encryptedSavedObjects.encryptionKey: 554d5cab-b336-eb0a-e128-6c5012dcc330
# 中文
i18n.locale: "zh-CN"

elasticsearch.yml

# 集群名称
cluster.name: elasticsearch-cluster
# 节点名称
node.name: es-node1
# 绑定host，0.0.0.0代表当前节点的ip(这里别改,就全员就行)
network.host: 0.0.0.0
# 设置其它节点和该节点交互的ip地址，如果不设置它会自动判断，值必须是个真实的ip地址(本机ip)
network.publish_host: node1.elastic.com
# 设置对外服务的http端口，默认为9200
http.port: 9200
# 设置节点间交互的tcp端口，默认是9300
transport.tcp.port: 9300
# 是否支持跨域，默认为false
http.cors.enabled: true
# 当设置允许跨域，默认为*,表示支持所有域名，如果我们只是允许某些网站能访问，那么可以使用正则表达式。比如只允许本地地址。 /https?:\/\/localhost(:[0-9]+)?/
http.cors.allow-origin: "*"
discovery.type: single-node
# 表示这个节点是否可以充当主节点
node.master: true
# 是否充当数据节点
node.data: true
# 所有主从节点ip:port(这里得改)
discovery.seed_hosts: ["node1.elastic.com"]
# 这里配了,然后不配discovery.type: single-node就会以集群方式启动
# cluster.initial_master_nodes: ["es-node1"]
# 这个参数决定了在选主过程中需要 有多少个节点通信  预防脑裂
discovery.zen.minimum_master_nodes: 1
# 跨域允许设置的头信息，默认为X-Requested-With,Content-Type,Content-Lengt
http.cors.allow-headers: Authorization
#锁内存，提前占用内存
bootstrap.memory_lock: true
# 这条配置表示开启xpack认证机制
xpack.security.enabled: true
# 下面这些都跟证书有关
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/es-node1.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node1.crt
xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/es-node1.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/es-node1.crt
xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
# 这里有仨值,直接谷歌这个key看下解释
# xpack.security.transport.ssl.verification_mode: none

/usr/share/logstash/pipeline/conf.d/*.conf

针对 Beats 输入插件，需要将 logstash.key 转换为 PKCS8 格式
1
openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.pkcs8.key

beats {
    port => 5044
    ssl => true
    ssl_key => '/usr/share/logstash/config/certs/logstash.pkcs8.key'
    ssl_certificate => '/usr/share/logstash/config/certs/logstash.crt'
  }
......
output {
    elasticsearch {
      hosts => ["https://node1.elastic.com:9200"]
      index => "%{env}-xxx-%{indexDay}"
      cacert => '/usr/share/logstash/config/certs/ca.crt'
      # ssl_certificate_verification => false
      user => "elastic"
      password => "xxx"
    }
}

logstash.yml

# 将 Logstash监控 数据传送到安全集群
node.name: logstash
path.config: /usr/share/logstash/pipeline/conf.d/*.conf
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: xxx
xpack.monitoring.elasticsearch.hosts: ["https://node1.elastic.com:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/certs/ca.crt
#xpack.monitoring.elasticsearch.ssl.verification_mode: none

filebeat.yml

将ca.crt复制到filebeat所在服务器

# ------------------------------ Logstash Output -------------------------------
output.logstash:
# logstash服务ip
  hosts: ["经测试,这里写ip和dns都可"]
  ssl.certificate_authorities:
    - /etc/filebeat/ssl/ca.crt