SearchGuard certificate configuration

Reference: https://www.jianshu.com/p/cc71e7793f6f

  • TLS certificate generation configuration
    • Copy <tlstool directory>/config/example.yml to <tlstool-1.6>/config/tlsconfig.yml (any name will do) and edit it
    • yibai is the company name
    • ca: root certificate configuration
    • nodes: node certificate configuration
    • clients: client certificate configuration

###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
  root:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=root.ca.yibai.com,OU=CA,O=yibai Com\, Inc.,DC=yibai,DC=com

    # The size of the generated key in bits
    keysize: 2048

    # The validity of the generated certificate in days from now
    validityDays: 3650

    # Password for private key
    #   Possible values:
    #   - auto: automatically generated password, returned in config output;
    #   - none: unencrypted private key;
    #   - other values: other values are used directly as password
    pkPassword: auto

    # The name of the generated files can be changed here
    file: root-ca.pem

  # If you want to use an intermediate certificate as signing certificate,
  # please specify its parameters here. This is optional. If you remove this section,
  # the root certificate will be used for signing.
  intermediate:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=signing.ca.yibai.com,OU=CA,O=yibai Com\, Inc.,DC=yibai,DC=com

    # The size of the generated key in bits
    keysize: 2048

    # The validity of the generated certificate in days from now
    validityDays: 3650

    pkPassword: auto

    # If you have a certificate revocation list, you can specify its distribution points here
    crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

###
### Default values and global settings
###
defaults:

  # The validity of the generated certificate in days from now
  validityDays: 3650

  # Password for private key
  #   Possible values:
  #   - auto: automatically generated password, returned in config output;
  #   - none: unencrypted private key;
  #   - other values: other values are used directly as password
  pkPassword: auto

  # Specifies to recognize legitimate nodes by the distinguished names
  # of the certificates. This can be a list of DNs, which can contain wildcards.
  # Furthermore, it is possible to specify regular expressions by
  # enclosing the DN in //.
  # Specification of this is optional. The tool will always include
  # the DNs of the nodes specified in the nodes section.
  # nodesDn:
  # - "CN=*.yibai.com,OU=Ops,O=yibai Com\\, Inc.,DC=yibai,DC=com"
  # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=*.yibai.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=elk-devcluster*'
  # - '/CN=.*regex/'

  # If you want to use OIDs to mark legitimate node certificates,
  # the OID can be included in the certificates by specifying the following
  # attribute

  # nodeOid: "1.2.3.4.5.5"

  # The length of auto generated passwords
  generatedPasswordLength: 12

  # Set this to true in order to generate config and certificates for
  # the HTTP interface of nodes
  httpsEnabled: true

  # Set this to true in order to re-use the node transport certificates
  # for the HTTP interfaces. Only recognized if httpsEnabled is true

  # reuseTransportCertificatesForHttp: false

  # Set this to true to enable hostname verification
  # verifyHostnames: false

  # Set this to true to resolve hostnames
  # resolveHostnames: false


###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
  - name: node1
    dn: CN=node1.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
    dns: node1.yibai.com
    ip: 192.168.71.246
  - name: node2
    dn: CN=node2.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
    dns:
      - node2.yibai.com
      - es2.yibai.com
    ip:
      - 10.0.2.1
      - 192.168.2.1
  - name: node3
    dn: CN=node3.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
    dns: node3.yibai.com

###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
  - name: spock
    dn: CN=spock.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
  - name: kirk
    dn: CN=kirk.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
    admin: true

  • Generate the TLS certificates
<tlstool directory>/tools/sgtlstool.sh -c ../config/tlsconfig.yml -ca -crt

  • Copy the certificates to ES
# Copy the node certificates to the ES config directory
cp <tlstool directory>/tools/out/<nodename>.pem <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>.key <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>_http.pem <ES directory>/config/
cp <tlstool directory>/tools/out/<nodename>_http.key <ES directory>/config/
# Copy the root certificate to the ES config directory
cp <tlstool directory>/tools/out/root-ca.pem <ES directory>/config/
# Copy the client certificate to the ES config directory
cp <tlstool directory>/tools/out/spock.pem <ES directory>/config/
cp <tlstool directory>/tools/out/spock.key <ES directory>/config/

  • Edit <ES directory>/config/elasticsearch.yml: copy the settings from <tlstool directory>/tools/out/node3_elasticsearch_config_snippet.yml over the matching settings in <ES directory>/config/elasticsearch.yml. The final configuration looks like this:
# Cluster name
cluster.name: ebuy-cloud-cluster

# Node name
node.name: node-1

# Data storage path
path.data: /data/es_data

# Log output path
path.logs: /data/es_logs

# Set the bind address to a specific IP (IPv4 or IPv6):
network.host: 0.0.0.0

# Set a custom port for HTTP:
http.port: 9200

# Node memory settings
# Lock the memory on startup:
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
discovery.zen.minimum_master_nodes: 1

# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

# Transport TCP port
transport.tcp.compress: true
transport.tcp.port: 9300

# CORS settings
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
http.cors.allow-credentials: true

######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production

# Disable X-Pack security
xpack.security.enabled: false
#xpack.monitoring.enabled: false

# TLS settings
searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: 7EJJ2hYcJFJQ
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node1_http.pem
searchguard.ssl.http.pemkey_filepath: node1_http.key
searchguard.ssl.http.pemkey_password: 6eIWAxh4kgHs
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=node1.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
- CN=node2.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
- CN=node3.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
searchguard.authcz.admin_dn:
 - CN=spock.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com
# - CN=kirk.yibai.com,OU=Ops,O=yibai Com\, Inc.,DC=yibai,DC=com

# Allow demo certificates and automatic initialization; set both to false in production
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true

# Client authentication
searchguard.ssl.http.clientauth_mode: OPTIONAL

# Enable audit logging and store the generated audit trail directly in Elasticsearch
searchguard.audit.type: internal_elasticsearch

# Allow snapshot/restore
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true

# Roles allowed to use the REST API
searchguard.restapi.roles_enabled: ["sg_all_access"]

cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

######## End Search Guard Demo Configuration ########
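
The demo block above flags itself for revision before production, and those checks are easy to automate. The audit script below is an added example, not part of the original note and not Search Guard's own tooling: its minimal reader handles only the flat key/value and list layout of elasticsearch.yml, and the sample config embedded in it is constructed from the values above.

```python
# Demo-only value per setting, as used in the block above; none of these should reach production.
UNSAFE_VALUES = {
    "searchguard.allow_unsafe_democertificates": "true",
    "searchguard.allow_default_init_sgindex": "true",
    "searchguard.ssl.transport.enforce_hostname_verification": "false",
    "searchguard.ssl.http.clientauth_mode": "OPTIONAL",
    "http.cors.allow-origin": "*",
}

def parse_flat_yaml(text):
    """Minimal reader for the flat 'key: value' and 'key:' + '- item' layout of elasticsearch.yml."""
    settings, current_list = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines
        if line.startswith("- ") and current_list is not None:
            settings[current_list].append(line[2:].strip())  # list item of the open key
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        # A bare 'key:' opens a list; anything else is a scalar and closes any open list.
        settings[key], current_list = (value, None) if value else ([], key)
    return settings

def audit(text):
    """Return a list of findings; an empty list means no demo-only setting was found."""
    s = parse_flat_yaml(text)
    findings = [f"{k} is {v}: revise before production" for k, v in UNSAFE_VALUES.items() if s.get(k) == v]
    nodes_dn, admin_dn = s.get("searchguard.nodes_dn", []), s.get("searchguard.authcz.admin_dn", [])
    if not admin_dn:
        findings.append("searchguard.authcz.admin_dn is empty: sgadmin.sh has no certificate to use")
    # An admin DN must never also be a node DN: that node certificate would carry full admin rights.
    for dn in admin_dn:
        if dn in nodes_dn:
            findings.append(f"{dn} is both an admin DN and a node DN")
    return findings

# Constructed sample: the demo block from this page, trimmed to the settings audited here.
SAMPLE_CONFIG = """\
http.cors.allow-origin: "*"
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.nodes_dn:
- CN=node1.yibai.com,OU=Ops,O=yibai Com\\, Inc.,DC=yibai,DC=com
searchguard.authcz.admin_dn:
 - CN=spock.yibai.com,OU=Ops,O=yibai Com\\, Inc.,DC=yibai,DC=com
searchguard.allow_unsafe_democertificates: true
"""
```

Run `audit()` over the real elasticsearch.yml (after `open(path).read()`) and treat any non-empty result as a blocker for the production rollout.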

  • Push the Search Guard configuration (TLS users): take the matching client key password from <tlstool directory>/tools/out/client-certificates.readme, start ES, cd to <ES directory>/plugins/search-guard-6/tools and run:
./sgadmin.sh -cd ../sgconfig/ -icl -nhnv \
  -cacert ../../../config/root-ca.pem \
  -cert ../../../config/spock.pem \
  -key ../../../config/spock.key \
  -keypass 3QgfFoYd8Ken
