Install Elasticsearch + Kibana 8.x with TLS/SSL

Evermight Systems
IMPORTANT UPDATE - 2023-02-22!!!

If you use publicly signed SSL certificates for `xpack.security.transport.ssl` in elasticsearch.yml, as we did in our video (instead of the auto-generated SSL certificates), make sure you use a firewall to allow only the clients you trust. This applies only to your Elasticsearch instances.

This is because `xpack.security.transport.ssl` is meant to encrypt traffic for node-to-node cluster communication. However, Elasticsearch designed its transport security with the intention of using its own auto-generated self-signed certificates, NOT publicly signed certificates. Elasticsearch authenticates other nodes based on these auto-generated self-signed certificates. If you use publicly signed certificates (e.g. Let's Encrypt, Verisign, Sectigo, etc.), then any other node in the world can join your cluster without any kind of authentication.

Hence, if you use publicly signed SSL certificates for `xpack.security.transport.ssl`, use a firewall to restrict access to authorized nodes. Cluster communication happens on port 9300 by default, but Elasticsearch will fall back to other available ports above 9300 if 9300 cannot be used.

The `xpack.security.transport.ssl` setting will not affect your other services like Kibana, the APM integration, the Beats libraries, etc.

As far as we know, you can continue to use either publicly signed certificates or auto-generated self-signed certificates for `xpack.security.http.ssl`.

So in short, use a firewall!
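
As an added example (not from Evermight's repository or the video), the following script audits an elasticsearch.yml for the transport-layer trust problem described above and emits the ufw rules that restrict the transport port range to trusted nodes. It assumes elasticsearch.yml uses flat dotted keys (`key: value`), as Elasticsearch's own template does; the sample config, the trusted-node addresses and the "public CA" path hints are constructed for illustration.

```python
"""Audit elasticsearch.yml transport TLS settings and generate firewall rules.

Added example; not part of the video's files. The parser handles flat
`key: value` lines only, which is how elasticsearch.yml is normally written.
"""

# Heuristic (constructed for this example): path fragments that suggest the
# transport layer trusts a publicly signed chain instead of a cluster-private CA.
PUBLIC_CA_HINTS = ("letsencrypt", "lets-encrypt", "ca-certificates", "fullchain", "chain.pem")

# Elasticsearch's default transport.port range: 9300 first, then the next free port.
TRANSPORT_PORT_RANGE = "9300:9400"


def parse_flat_yaml(text):
    """Parse `key: value` lines into a dict; comments, blanks and quotes are dropped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")    # split on the first colon only
        cfg[key.strip()] = value.strip().strip('"').strip("'")
    return cfg


def audit_transport_tls(cfg):
    """Return a list of findings about node-to-node (transport) TLS trust."""
    findings = []
    if cfg.get("xpack.security.transport.ssl.enabled", "false").lower() != "true":
        findings.append("transport TLS is disabled: node-to-node traffic is unencrypted")
        return findings
    mode = cfg.get("xpack.security.transport.ssl.verification_mode", "full")
    if mode == "none":
        findings.append("verification_mode: none disables peer certificate checks")
    ca = cfg.get("xpack.security.transport.ssl.certificate_authorities", "")
    cert = cfg.get("xpack.security.transport.ssl.certificate", "")
    for path in (ca, cert):
        if any(hint in path.lower() for hint in PUBLIC_CA_HINTS):
            findings.append(
                f"publicly signed trust on the transport layer ({path}): any node holding "
                f"a certificate from the same public CA can join; restrict tcp "
                f"{TRANSPORT_PORT_RANGE} to trusted nodes with a firewall"
            )
            break
    return findings


def ufw_rules(trusted_nodes, port_range=TRANSPORT_PORT_RANGE):
    """ufw commands: allow the transport range from each trusted node, then deny it.

    ufw appends rules in order, so the per-node allows are evaluated before the deny.
    """
    rules = [f"ufw allow from {ip} to any port {port_range} proto tcp" for ip in trusted_nodes]
    rules.append(f"ufw deny {port_range}/tcp")
    return rules


# Constructed sample config mirroring the "publicly signed certs on transport" setup.
SAMPLE_CONFIG = """\
cluster.name: demo
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /etc/letsencrypt/live/es.example.test/fullchain.pem
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: /etc/letsencrypt/live/es.example.test/fullchain.pem
xpack.security.transport.ssl.key: /etc/letsencrypt/live/es.example.test/privkey.pem
xpack.security.transport.ssl.certificate_authorities: /etc/letsencrypt/live/es.example.test/chain.pem
"""

# Constructed trusted-node addresses for the rule generator.
TRUSTED_NODES = ["10.0.0.11", "10.0.0.12"]

if __name__ == "__main__":
    config = parse_flat_yaml(SAMPLE_CONFIG)
    for finding in audit_transport_tls(config):
        print("FINDING:", finding)
    print("\n".join(ufw_rules(TRUSTED_NODES)))
```

The audit only flags the transport keys; the same Let's Encrypt chain on `xpack.security.http.ssl` is left alone, matching the note above that publicly signed certificates remain fine for the HTTP layer.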

We will be posting an updated video soon.

DISCLAIMER: These videos are intended to be educational and we can make mistakes on occasion.  Please do your own due diligence when it comes to security.  And if you learn anything we missed, share with us in the comments! We are all here to learn together!
------------
Install ElasticSearch and Kibana 8.x with TLS and SSL.

The yaml files used can be found here: https://github.com/evermight/elastics...


NOTE 1:
If you wish to add more nodes to form an Elasticsearch cluster, you can follow this video instead:
Setup Elasticsearch Cluster + Kibana 8.x

Our elasticsearch cluster tutorial covers many of the same steps as this video, but with some subtle and important differences.

NOTE 2: As of Elasticsearch v8.6.2, you may need to add the line `discovery.type: single-node` to your elasticsearch.yml file to get the Elasticsearch instance up and running.

NOTE 3: If you don't have SSL certificates signed by a third party, you can use Let's Encrypt to generate and sign some free certificates. Here is a 10-minute video showing you how to do this: Create Let's Encrypt SSL with Ubuntu

NOTE 4: For production usage, it would be a good idea to also do the following in your installation:
- use a firewall to block unnecessary ports
- change the default port numbers for Elasticsearch and Kibana (explained in the video)

NOTE 5:
I discovered I can get rid of the TIMEOUT issues at 10:50 by adding these two lines at the end of my /etc/systemd/system/elasticsearch.service.d/override.conf:
```
[Service]
LimitMEMLOCK=infinity
```
Then when I `systemctl daemon-reload && systemctl enable elasticsearch.service && systemctl start elasticsearch.service`, I no longer get the timeout issue.
#elasticsearch #kibana

Written Summary Here: https://elasticsearch.evermight.com/i...
Published 2 years ago, on 1401/07/16.
17,686 views