[Question title]: Search Guard connect to remote Elasticsearch cluster using SSL
[Posted]: 2019-03-29 09:14:03
[Question]:

Created SSL certificates using this guide

I am trying to connect to a remote Elasticsearch cluster. Both clusters use SSL certificates (signed by the same CA). Is it possible?

Local cluster:

cluster.name: client1
searchguard.enterprise_modules_enabled: false


node.name: ekl.test.com
node.master: true
node.data: true
node.ingest: true


network.host: 0.0.0.0

#http.host: 0.0.0.0
network.publish_host: ["ekl1.test1.com","ekl.test.com"]



http.port: 9200


discovery.zen.ping.unicast.hosts: ["ekl.test.com", "ekl2.test2.com"]


discovery.zen.minimum_master_nodes: 1

xpack.security.enabled: false


searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node1.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node1.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node1_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node1_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com

Remote cluster:

cluster.name: client2
searchguard.enterprise_modules_enabled: false


node.name: ekl1.test.com
node.master: false
node.data: true
node.ingest: false


network.host: 0.0.0.0

#http.host: 0.0.0.0
network.publish_host: ["ekl.test.com","ekl1.test1.com"]



http.port: 9200


discovery.zen.ping.unicast.hosts: ["ekl6.test1.com", "ekl1.test1.com"]


discovery.zen.minimum_master_nodes: 1

xpack.security.enabled: false


searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node2.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node2.key'
searchguard.ssl.transport.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: '/etc/elasticsearch/ssl/node2_http.pem'
searchguard.ssl.http.pemkey_filepath: '/etc/elasticsearch/ssl/node2_http.key'
searchguard.ssl.http.pemtrustedcas_filepath: '/etc/elasticsearch/ssl/root-ca.pem'
searchguard.nodes_dn:
- CN=ekl.test.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
- CN=ekl1.test1.com,OU=Ops,O=BugBear BG\, Ltd.,DC=BugBear,DC=com
searchguard.authcz.admin_dn:
- CN=admin.test.com,OU=Ops,O=BugBear Com\, Inc.,DC=example,DC=com

Certificates are self-signed

I can curl from local to the remote cluster.

 curl -vX GET "https://admin:Pass@ekl1.test1.com:9200"

I added the remote domain in the Kibana GUI: ekl1.test1.com:9200

and get this error in the ES logs:

[RemoteClusterConnection] [4P1fXFO] fetching nodes from external cluster [client2] failed org.elasticsearch.transport.ConnectTransportException: [][172.31.37.123:9200] handshake_timeout[30s]

[Discussion]:

    Tags: elasticsearch ssl-certificate elastic-stack


    [Answer 1]:

    Solved by specifying port 9300 instead of 9200 in the Kibana interface

    http.cors.enabled: true
    http.cors.allow-origin: "*"
    

    [Discussion]:
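The answer's point is that cross-cluster connections go over the transport layer (9300), not the REST port (9200), which is why the seed `ekl1.test1.com:9200` produced a `handshake_timeout`. The following is an added example, not code from the question or from Search Guard, that lints a flat `elasticsearch.yml` subset for exactly that mistake plus two other things worth reviewing in the posted config (hostname verification disabled, a relative key path next to absolute cert paths). The `cluster.remote.client2.seeds` key is assumed here since the question added the remote cluster through the Kibana GUI instead.

```python
import re

# Constructed sample settings, modelled on the question's elasticsearch.yml.
# The cluster.remote.<alias>.seeds line is assumed; it is what the Kibana
# "remote cluster" form writes into cluster settings.
SAMPLE_CONFIG = """\
cluster.name: client1
http.port: 9200
cluster.remote.client2.seeds: ["ekl1.test1.com:9200"]
searchguard.ssl.transport.pemcert_filepath: '/etc/elasticsearch/ssl/node1.pem'
searchguard.ssl.transport.pemkey_filepath: 'ssl/node1.key'
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
"""

def parse_settings(text):
    """Minimal flat 'key: value' parser for the elasticsearch.yml subset used here."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def check_remote_cluster(settings, transport_port="9300"):
    """Return findings about remote-cluster seeds and transport TLS settings."""
    findings = []
    http_port = settings.get("http.port", "9200")
    for key, value in settings.items():
        if not (key.startswith("cluster.remote.") and key.endswith(".seeds")):
            continue
        for host, port in re.findall(r"([\w.-]+):(\d+)", value):
            if port == http_port:
                # The misconfiguration behind the question's handshake_timeout:
                # remote clusters are reached via the transport port, not REST.
                findings.append(f"{key}: seed {host}:{port} uses the HTTP port; "
                                f"use the transport port {transport_port}")
    if settings.get("searchguard.ssl.transport.enforce_hostname_verification") == "false":
        findings.append("transport hostname verification is disabled: a node certificate "
                        "is accepted without checking it matches the peer's host name")
    key_path = settings.get("searchguard.ssl.transport.pemkey_filepath", "")
    if key_path and not key_path.startswith("/"):
        findings.append(f"pemkey_filepath '{key_path}' is relative (resolved against the "
                        "config directory) while pemcert_filepath is absolute; confirm both "
                        "point at the intended files")
    return findings

if __name__ == "__main__":
    for finding in check_remote_cluster(parse_settings(SAMPLE_CONFIG)):
        print("-", finding)
```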
