Elasticsearch 开启安全认证

Elasticsearch 的安全认证可以有两种方式实现，第一种是使用xpack的安全认证功能，另外一种是借助Nginx来实现安全认证，下面对两种方式做简要介绍。

使用Elasticsearch自带的安全认证功能

elasticsearch.yml增加安全认证的配置，示例如下：

cluster.name: my-application
node.name: node-1
path.data: /data/elasticsearch/path/to/data
path.logs: /data/elasticsearch/path/to/logs
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["172.31.6.21"]
 
 
# 开启安全认证
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

 

使用Nginx实现Elasticsearch的安全认证

创建用于基本身份验证的nginx帐户

htpasswd -c /etc/nginx/htpasswd.users kibanauser

按下 Enter 键后，系统会提示我们输入并验证用户密码

$ htpasswd -c /etc/nginx/htpasswd.users kibanauser
New password: 
Re-type new password: 
Adding password for user kibanauser

修改nginx.conf配置

upstream elasticsearch {
    server 127.0.0.1:9200;
    keepalive 15;
  }
 
  upstream kibana {
    server 127.0.0.1:5601;
    keepalive 15;
  }
 
  server {
    listen 8881;
 
    location / {
      auth_basic "Restricted Access";
      auth_basic_user_file /etc/nginx/htpasswd.users;
 
 
      proxy_pass http://elasticsearch;
      proxy_redirect off;
      proxy_buffering off;
 
      proxy_http_version 1.1;
      proxy_set_header Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";
    }
 
  }
 
  server {
    listen 8882;
 
    location / {
      auth_basic "Restricted Access";
      auth_basic_user_file /etc/nginx/htpasswd.users;
 
      proxy_pass http://kibana;
      proxy_redirect off;
      proxy_buffering off;
 
      proxy_http_version 1.1;
      proxy_set_header Connection "Keep-Alive";
      proxy_set_header Proxy-Connection "Keep-Alive";
    }
  }

重启Nginx服务，验证即可

 

参考文档

https://elasticstack.blog.csdn.net/article/details/112213364