elasticsearch8.9.1部署及配置基本安全性以及安全的 HTTPS 流量

一、安装

1、官网下载elasticsearch8.9.1安装包，上传至服务器并解压
官网地址

https://www.elastic.co/cn/downloads/elasticsearch

解压

tar -zxvf elasticsearch-8.9.1-linux-x86_64.tar.gz -C./

2、修改elasticsearch配置文件elasticsearch.yml(支持ipv4以及ipv6双栈)，文件权限修改成非root的应用程序账号

cluster.name: elk-application-test
node.name: master-1
node.roles:[ master ]path:data:/data/es/data
  logs:/data/es/logs
bootstrap.memory_lock:true
network.host:"ipv4,ipv6"
http.port:9200
transport.port:9300
http.cors.enabled:true
##保证ipv6能通设置成ipv6也行
discovery.seed_hosts:["ipv4:9300"]
cluster.initial_master_nodes:["master-1"]
cluster.routing.allocation.same_shard.host:true
transport.compress:true
xpack.security.enabled:true
xpack.security.transport.ssl.enabled:true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path:./certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path:./certs/elastic-certificates.p12

二、Elasticsearch 设置基本安全性

1、进入elasticsearch根目录

bin/elasticsearch-certutil ca

注：1、输出文件名称（默认）2、CA密码设置（可留空直接回车，生产环境建议设置）
2、使用elastic-stack-ca.p12为集群中的节点生成证书和私钥

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

注：1、输入CA密码
2、输入生成证书的名称（直接回车使用默认名称elastic-certificates.p12）
3、设置证书密码
3、将密码存储在 Elasticsearch 密钥库中（这里设置了CA以及elastic-certificates.p12密码，不设置密码的跳过此步骤）：

./elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

./elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

注：1、2：输入密码
4、设置内置账号密码(必须要有至少一个数据节点才能设置成功，即至少一个主节点和一个数据节点)

./elasticsearch-setup-passwords interactive

逐一输入密码回车即可

查看集群情况

curl -u elastic:密码 "ipv4:9200/_cat/health?v"

三、加密 HTTP 客户端通信

1、停止elasticsearch集群，如果启动了kibana也将kibana停止
2、在任何单个节点上，从安装 Elasticsearch 的目录中，运行 Elasticsearch 用于生成证书签名请求 （CSR） 的 HTTP 证书工具。

./bin/elasticsearch-certutil http

# 提示是否生成CSR
## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
for use on the HTTP(Rest)interfacefor Elasticsearch.......
If you choose not to generate a CSR,this tool will generate a newcertificatefor you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster withTLS, but you will need to
configure all your clients to trust that custom CA.

Generate a CSR?[y/N]N

# 提示是否使用已存在的CA证书
## Do you have an existing Certificate Authority(CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your newhttp certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA?[y/N]y

# 提示需要输入ca证书的位置
## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your newhttp certificate. This can be inPKCS#12(.p12),JKS(.jks) or PEM(.crt,.key,.pem) format.CAPath:输入elastic-stack-ca.p12的绝对路径

# 提示需要输入ca证书的保护密码
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:ca的密码，有则输入没有则回车

You may enter the validity period inyears(e.g. 3Y),months(e.g. 18M), or days(e.g. 90D)

For how long should your certificate be valid?[5y] 5y

However,if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate newcertificates when
you provision newnodes.

Generate a certificate per node?[y/N]n

# 系统提示需要输入主机名
## What is the name of node #1?

## Which hostnames will be used to connect to your nodes?

These hostnames will be added as"DNS" names in the "Subject Alternative Name"(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate(for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
输入主机名回车，可输入多个，换行区分，两次回车输入完毕

##确认主机名信息
Is this correct [Y/n]y

# 提示输入节点IP地址
## Which IP addresses will be used to connect to es00?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP"Subject Alternative Name"(SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
输入ip回车，可输入多个，换行区分，两次回车输入完毕

##确认ip信息
Is this correct [Y/n]y

# 提示是否还需要修改其中任何选项
## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: 主机名
Subject DN:CN=主机名
Key Size:2048

Do you wish to change any of these options?[y/N]n

# 提示需要输入ssl证书密码
## What password do you want for your privatekey(s)?

Your privatekey(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12"file:[<ENTER>for none]
输入密码回车
# 确认密码
Repeat password to confirm:

# 提示生成的压缩包的位置及名称
## Where should we save the generated files?A number of files will be generated including your privatekey(s),publiccertificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file?[/usr/share/elasticsearch/elasticsearch-ssl-http.zip]
# 使用默认
回车

# 将证书解压
$ unzip elasticsearch-ssl-http.zip 

生成两个文件夹elasticsearch和kibana，将elasticsearch证书复制到config里面
编辑该elasticsearch.yml文件以启用 HTTPS 安全并指定安全证书的位置http.p12。

xpack.security.http.ssl.enabled:true
xpack.security.http.ssl.keystore.path: http.p12

将私钥密码添加到 Elasticsearch 的安全设置中

/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

输入http.p12密码(配置了的节点都需要将密码存入安全设置中)
验证方式
通过https访问，如

curl -u elastic:密码 https://ip:9200/_cat/nodes/?v;

四、为 Kibana 加密 HTTP 客户端通信

cp  kibana/elasticsearch-ca.pem  ../kibana/config/

修改kibana.yml并添加以下行以指定 HTTP 层的安全证书的位置。

elasticsearch.hosts:["https://ip1:9200","https://ip2:9200","https://ip3:9200"]
elasticsearch.ssl.certificateAuthorities: kibana绝对路径/config/elasticsearch-ca.pem

修改权限，启动即可

五、加密浏览器和 Kibana 之间的流量