Elasticsearch 的安全认证可以有两种方式实现,第一种是使用xpack的安全认证功能,另外一种是借助Nginx来实现安全认证,下面对两种方式做简要介绍。
使用Elasticsearch自带的安全认证功能
elasticsearch.yml增加安全认证的配置,示例如下:
cluster.name: my-application node.name: node-1 path.data: /data/elasticsearch/path/to/data path.logs: /data/elasticsearch/path/to/logs network.host: 0.0.0.0 http.port: 9200 discovery.zen.ping.unicast.hosts: ["172.31.6.21"] # 开启安全认证 http.cors.enabled: true http.cors.allow-origin: "*" http.cors.allow-headers: Authorization xpack.security.enabled: true xpack.security.transport.ssl.enabled: true
使用Nginx实现Elasticsearch的安全认证
创建用于基本身份验证的nginx帐户
htpasswd -c /etc/nginx/htpasswd.users kibanauser
按下 Enter 键后,系统会提示我们输入并验证用户密码
$ htpasswd -c /etc/nginx/htpasswd.users kibanauser New password: Re-type new password: Adding password for user kibanauser
修改nginx.conf配置
upstream elasticsearch { server 127.0.0.1:9200; keepalive 15; } upstream kibana { server 127.0.0.1:5601; keepalive 15; } server { listen 8881; location / { auth_basic "Restricted Access"; auth_basic_user_file /etc/nginx/htpasswd.users; proxy_pass http://elasticsearch; proxy_redirect off; proxy_buffering off; proxy_http_version 1.1; proxy_set_header Connection "Keep-Alive"; proxy_set_header Proxy-Connection "Keep-Alive"; } } server { listen 8882; location / { auth_basic "Restricted Access"; auth_basic_user_file /etc/nginx/htpasswd.users; proxy_pass http://kibana; proxy_redirect off; proxy_buffering off; proxy_http_version 1.1; proxy_set_header Connection "Keep-Alive"; proxy_set_header Proxy-Connection "Keep-Alive"; } }
重启Nginx服务,验证即可
参考文档
https://elasticstack.blog.csdn.net/article/details/112213364