ssl分步骤
1、准备工作
配置hosts
192.168.1.234 node01 192.168.1.233 node02 192.168.1.240 node03
instances.yml文件内容
instances: - name: "node01" dns: ['node01'] - name: "node02" dns: ['node02'] - name: "node03" dns: ['node03'] - name: 'kibana' dns: ['node01']
存储路径
/home/elastic/elasticsearch-7.5.1
生成证书
cd /home/elastic/elasticsearch-7.5.1 bin/elasticsearch-certutil cert ca --pem --in instance.yml --out /root/certs.zip #解压后目录结构 Archive: certs.zip creating: ca/ inflating: ca/ca.crt creating: node01/ inflating: node01/node01.crt inflating: node01/node01.key creating: node02/ inflating: node02/node02.crt inflating: node02/node02.key creating: node03/ inflating: node03/node03.crt inflating: node03/node03.key creating: kibana/ inflating: kibana/kibana.crt inflating: kibana/kibana.key
2、访问es集群设置
es1
cluster.name: es-itcast-cluster
node.name: node01
node.master: true
node.data: true
network.host: 192.168.1.234
discovery.seed_hosts: ["192.168.1.234","192.168.1.233","192.168.1.240"]
cluster.initial_master_nodes: ["node01","node02","node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
#配置集群密码
xpack.security.enabled: true
#用HTTPS方式访问es
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node01.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node01.crt
xpack.security.http.ssl.certificate_authorities: /home/elastic/elasticsearch-7.5.1/config/certs/ca.crt
#集群内部通信
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node01.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node01.crt
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]
es2
cluster.name: es-itcast-cluster
node.name: node02
node.master: true
node.data: true
network.host: 192.168.1.233
discovery.seed_hosts: ["192.168.1.234","192.168.1.233","192.168.1.240"]
cluster.initial_master_nodes: ["node01","node02","node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node02.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node02.crt
xpack.security.http.ssl.certificate_authorities: /home/elastic/elasticsearch-7.5.1/config/certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node02.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node02.crt
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"]
es3
cluster.name: es-itcast-cluster
node.name: node03
node.master: true
node.data: true
network.host: 192.168.1.240
discovery.seed_hosts: ["192.168.1.234","192.168.1.233","192.168.1.240"]
cluster.initial_master_nodes: ["node01","node02","node03"]
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
transport.port: 9300
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node03.key
xpack.security.http.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node03.crt
xpack.security.http.ssl.certificate_authorities: /home/elastic/elasticsearch-7.5.1/config/certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /home/elastic/elasticsearch-7.5.1/config/certs/node03.key
xpack.security.transport.ssl.certificate: /home/elastic/elasticsearch-7.5.1/config/certs/node03.crt
xpack.security.transport.ssl.certificate_authorities: ["/home/elastic/elasticsearch-7.5.1/config/certs/ca.crt"
3、kibana访问es集群设置
server.port: 5601 server.host: "192.168.1.234"
#kibana访问es集群 elasticsearch.hosts: ["https://192.168.1.234:9200","https://192.168.1.233:9200","https://192.168.1.240:9200"] elasticsearch.username: "kibana" elasticsearch.password: "4CG0LMkw4Gjkh8c5SPsS" i18n.locale: "zh-CN" #用HTTPS方式访问kibana server.ssl.enabled: true server.ssl.certificate: /home/kibana/kibana-7.5.1/config/certs/kibana.crt server.ssl.key: /home/kibana/kibana-7.5.1/config/certs/kibana.key #kibana访问es集群 elasticsearch.ssl.verificationMode: certificate elasticsearch.ssl.certificateAuthorities: ["/home/kibana/kibana-7.5.1/config/certs/ca.crt"]