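Elasticsearch authentication can be implemented in two ways: the first uses the security features of X-Pack, and the other relies on Nginx. Both approaches are briefly introduced below.
Using Elasticsearch's built-in security authentication
Add the security settings to elasticsearch.yml, for example: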
cluster.name: my-application
node.name: node-1
path.data: /data/elasticsearch/path/to/data
path.logs: /data/elasticsearch/path/to/logs
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["172.31.6.21"]
# Enable security authentication
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
Using Nginx to implement authentication for Elasticsearch
Create an Nginx account for basic authentication
htpasswd -c /etc/nginx/htpasswd.users kibanauser
After pressing Enter, you are prompted to enter and confirm the user's password
$ htpasswd -c /etc/nginx/htpasswd.users kibanauser
New password:
Re-type new password:
Adding password for user kibanauser
Edit the nginx.conf configuration
upstream elasticsearch {
    server 127.0.0.1:9200;
    keepalive 15;
}
upstream kibana {
    server 127.0.0.1:5601;
    keepalive 15;
}
server {
    listen 8881;
    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/htpasswd.users;
        proxy_pass http://elasticsearch;
        proxy_redirect off;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
    }
}
server {
    listen 8882;
    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/htpasswd.users;
        proxy_pass http://kibana;
        proxy_redirect off;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
    }
}
Restart the Nginx service and verify
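An added example, not part of the original post: a Python check that audits an elasticsearch.yml and nginx.conf pair for the ways this proxy setup can be sidestepped or can expose credentials. The function names and sample inputs are constructed for illustration, and a missing xpack.security.enabled is assumed to mean false.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}

def parse_es_yml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def nginx_servers(text):
    """Yield the body of each 'server { ... }' block by matching braces."""
    for m in re.finditer(r"^\s*server\s*\{", text, re.M):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(es_yml, nginx_conf):
    """Return findings for an Nginx Basic-auth front end to Elasticsearch."""
    es, findings = parse_es_yml(es_yml), []
    host = es.get("network.host", "_local_")
    # Assumption: a missing xpack.security.enabled means "false" (pre-8.0 default).
    if host not in LOOPBACK and es.get("xpack.security.enabled") != "true":
        findings.append(f"bypass: {host}:{es.get('http.port', '9200')} answers "
                        "without auth, so direct clients skip Nginx")
    if es.get("http.cors.enabled") == "true" and es.get("http.cors.allow-origin") == "*":
        findings.append("cors: any web origin may call Elasticsearch from a browser")
    for body in nginx_servers(nginx_conf):
        listen = re.search(r"listen\s+([^;]+);", body)
        args = listen.group(1).split() if listen else ["80"]
        if "auth_basic_user_file" in body and "ssl" not in args:
            findings.append(f"cleartext: port {args[0]} takes Basic credentials without TLS")
    return findings

# Constructed inputs: the page's port-8881 server block and a minimal elasticsearch.yml.
ES_EXPOSED = "network.host: 0.0.0.0\nhttp.port: 9200\n"
ES_LOCAL = "network.host: 127.0.0.1\nhttp.port: 9200\n"
NGINX_PLAIN = ("upstream elasticsearch { server 127.0.0.1:9200; }\n"
               "server { listen 8881; location / {\n"
               '  auth_basic "Restricted Access"; auth_basic_user_file /etc/nginx/htpasswd.users;\n'
               "  proxy_pass http://elasticsearch; } }\n")
NGINX_TLS = NGINX_PLAIN.replace("listen 8881;", "listen 8881 ssl;")

for finding in audit(ES_EXPOSED, NGINX_PLAIN):
    print(finding)
```

With Elasticsearch bound to 127.0.0.1 and the Nginx listener on TLS (ES_LOCAL with NGINX_TLS), the audit returns no findings.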
References
https://elasticstack.blog.csdn.net/article/details/112213364