在生产环境中,如果没有配置 HTTPS 连接,某些 Elasticsearch 功能(比如令牌和 API 密钥)将被禁用。该安全层确保所有进出集群的通信都是安全的。HTTPS 配置建立在“传输层 TLS 安全配置”之上,所以它要求你的集群已经完成了传输层安全配置。
生成证书
使用 elasticsearch-certutil 工具来生成证书
生成根证书
# Create the certificate authority; the resulting elastic-stack-ca.p12 is what signs the node certificate in the next step.
./bin/elasticsearch-certutil ca
生成节点证书
# Issue the node certificate signed by that CA. The PKCS#12 bundle it produces is the file the
# compose file mounts as elastic-certificates.p12 (keystore + truststore for transport TLS).
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
生成http客户端通信证书
# Generate the HTTP-layer (client-facing) certificate material.
./bin/elasticsearch-certutil http
# Produces elasticsearch-ssl-http.zip. Unpacking it yields elasticsearch/http.p12 (mounted into the
# Elasticsearch container) and kibana/elasticsearch-ca.pem (the CA mounted into Kibana and Logstash).
unzip elasticsearch-ssl-http.zip
配置docker-compose.yml
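version: '2.4'
services:
  # Elasticsearch: the store for the collected flow records.
  elasticsearch:
    # Image name
    image: elastic/elasticsearch:7.8.1
    # NOTE(review): nothing in this service appears to need a privileged container — memlock is
    # granted through the ulimits below. `privileged` hands the container all capabilities and
    # host devices; drop it unless a concrete requirement is confirmed.
    privileged: true
    environment:  # ES settings; this is a single node, not a cluster
      - discovery.type=single-node
      - node.name=netdevops_es
      - cluster.name=netdevops_es_cluster
      # Combined with network_mode host below, 0.0.0.0 binds ES on every host interface.
      # TLS and authentication are then the only access controls, so also restrict
      # reachability of 9200/9300 with a host firewall.
      - network.host=0.0.0.0
      - bootstrap.memory_lock=true
      - xpack.security.enabled=true
      # Transport (node-to-node) TLS: keystore and truststore are the same PKCS#12 mounted below.
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.client_authentication=required
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      # HTTP (client) TLS, using the http.p12 produced by `elasticsearch-certutil http`.
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.keystore.path=http.p12
      - xpack.security.http.ssl.truststore.path=http.p12
      - xpack.security.http.ssl.verification_mode=certificate
      # Heap size; adjust to the host. NOTE(review): Xms and Xmx differ here, whereas
      # Elasticsearch recommends equal values, particularly with bootstrap.memory_lock=true.
      - "ES_JAVA_OPTS=-Xms4g -Xmx6g"
    volumes:
      - /data/certs/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - /data/certs/elasticsearch/http.p12:/usr/share/elasticsearch/config/http.p12
      - /data/elastiflow/elasticsearch/data:/usr/share/elasticsearch/data  # data persistence
      - /etc/timezone:/etc/timezone:ro  # align container time with the host
      - /etc/localtime:/etc/localtime:ro
    network_mode: "host"  # the container shares the host network namespace
    # Under host networking Docker discards published ports; these entries only document
    # which host ports the service listens on.
    ports:
      - "9200:9200"
      - "9300:9300"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    restart: always

  # Kibana: the UI in front of Elasticsearch.
  kibana:
    image: elastic/kibana:7.8.1
    # NOTE(review): as with elasticsearch, no setting here requires `privileged`; drop it.
    privileged: true
    # List-form entries are passed as KEY=value verbatim, so the double quotes in several
    # values below are part of what Kibana receives. NOTE(review): confirm Kibana strips them,
    # or switch to mapping form (KEY: 'value') as the elastiflow-logstash service does.
    environment:
      - SERVER_NAME=netdevops_kibana
      - ELASTICSEARCH_HOSTS="https://localhost:9200"
      - PATH_DATA=/usr/share/kibana/data
      - NODE_OPTIONS="--max_old_space_size=4096"
      - I18N_LOCALE="zh-CN"  # Chinese UI
      - ELASTICSEARCH_USERNAME=kibana_system
      # A password written inline ends up in version control and in `docker inspect`; supply it
      # through ${VAR} substitution or env_file, and replace the placeholder value.
      - ELASTICSEARCH_PASSWORD="changeme"
      # Generate a unique key of at least 32 characters; a key that is visible in a published
      # example gives saved objects no real protection.
      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY="fhjskloppd678ehkdfdlliverpoolfcr"
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/elasticsearch-ca.pem
      # `full` also checks the host name against the certificate; prefer it when the certificate
      # was generated with the host name or IP, otherwise `certificate` is required.
      - ELASTICSEARCH_SSL_VERIFICATIONMODE=certificate
    volumes:
      - /data/certs/kibana/elasticsearch-ca.pem:/usr/share/kibana/config/elasticsearch-ca.pem
      - /data/elastiflow/kibana/data:/usr/share/kibana/data  # data persistence
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    network_mode: "host"
    # Discarded under host networking (see elasticsearch); 5601 is bound directly on the host.
    ports:
      - "5601:5601"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    depends_on:
      - "elasticsearch"
    restart: always

  # ElastiFlow (Logstash): NetFlow / sFlow / IPFIX collector.
  elastiflow-logstash:
    # Image name
    image: robcowart/elastiflow-logstash:4.0.1
    container_name: elastiflow-logstash
    volumes:
      # CA used to verify the Elasticsearch HTTPS certificate. NOTE(review): confirm this path
      # is the one the image's pipeline reads; no ELASTIFLOW_* variable below points at it.
      - /data/certs/kibana/elasticsearch-ca.pem:/etc/logstash/elasticsearch-ca.pem
      - /etc/timezone:/etc/timezone:ro  # align container time with the host
      - /etc/localtime:/etc/localtime:ro
    depends_on:
      - elasticsearch
    network_mode: "host"
    # Discarded under host networking (see elasticsearch); the UDP collectors bind directly on the host.
    ports:
      - "2055:2055/udp"
      - "6343:6343/udp"
      - "4739:4739/udp"
    environment:
      # JVM Heap size - this MUST be at least 3GB (4GB preferred)
      LS_JAVA_OPTS: '-Xms4g -Xmx6g'  # adjust to the host
      # ElastiFlow global configuration
      # Quoted: the Compose schema accepts only string, number or null in `environment`, so a
      # bare `true` is rejected at load time (every other flag in this mapping is already quoted).
      ELASTIFLOW_ES_SSL_ENABLE: 'true'
      ELASTIFLOW_AGENT_ID: elastiflow
      ELASTIFLOW_GEOIP_CACHE_SIZE: 16384
      ELASTIFLOW_GEOIP_LOOKUP: 'true'
      ELASTIFLOW_ASN_LOOKUP: 'true'
      ELASTIFLOW_OUI_LOOKUP: 'false'
      ELASTIFLOW_POPULATE_LOGS: 'true'
      ELASTIFLOW_KEEP_ORIG_DATA: 'true'
      ELASTIFLOW_DEFAULT_APPID_SRCTYPE: '__UNKNOWN'
      # Elasticsearch output target and credentials
      ELASTIFLOW_ES_HOST: 'https://localhost:9200'
      # NOTE(review): `elastic` is the superuser; a dedicated user with write access to the
      # elastiflow indices is sufficient. Inject the password via ${VAR} or env_file instead of
      # inline, and note it differs from the Kibana placeholder ('changme' vs 'changeme') —
      # confirm that is intended and not a typo.
      ELASTIFLOW_ES_USER: 'elastic'
      ELASTIFLOW_ES_PASSWD: 'changme'
      # The three supported flow protocols
      ELASTIFLOW_NETFLOW_IPV4_PORT: 2055
      ELASTIFLOW_NETFLOW_UDP_WORKERS: 2
      ELASTIFLOW_NETFLOW_UDP_QUEUE_SIZE: 4096
      ELASTIFLOW_NETFLOW_UDP_RCV_BUFF: 33554432
      ELASTIFLOW_SFLOW_IPV4_PORT: 6343
      ELASTIFLOW_SFLOW_UDP_WORKERS: 2
      ELASTIFLOW_SFLOW_UDP_QUEUE_SIZE: 4096
      ELASTIFLOW_SFLOW_UDP_RCV_BUFF: 33554432
      ELASTIFLOW_IPFIX_UDP_IPV4_PORT: 4739
      ELASTIFLOW_IPFIX_UDP_WORKERS: 2
      ELASTIFLOW_IPFIX_UDP_QUEUE_SIZE: 4096
      ELASTIFLOW_IPFIX_UDP_RCV_BUFF: 33554432
    ulimits:
      memlock:
        soft: -1
        hard: -1
    restart: always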