elasticsearch配置https


sh脚本

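#!/bin/bash
#
# Re-issue a self-signed CA + HTTP certificate for a single-node
# Elasticsearch install, rewrite elasticsearch.yml with TLS enabled on the
# REST port, restart the service and run a few connectivity checks.
#
# Requires: sudo, curl, openssl, and an Elasticsearch package install under
# /usr/share/elasticsearch (bin/elasticsearch-certutil and the bundled JDK).
#
# WARNING: step 4 replaces /etc/elasticsearch/elasticsearch.yml wholesale with
# the settings below (cluster name, data paths, ...). Step 2 keeps a timestamped
# backup next to it.
#
# Secrets: the PKCS#12 keystore password and the password of the `elastic`
# user can be supplied through ES_KEYSTORE_PASS / ES_ELASTIC_PASS; when unset,
# the values this script originally shipped with are used. Both still appear
# on command lines (curl -u, keytool -storepass) and the keystore password is
# written in clear text to elasticsearch.yml — see the notes at steps 4 and 9.
#
# If HTTPS cannot be reached afterwards, an outdated TLS stack on the client
# side is a common cause:
#   sudo apt install --only-upgrade curl openssl libcurl4 -y

# -u only: the connectivity checks in steps 7-10 are best-effort diagnostics
# and must not abort the run, so critical steps check their status explicitly.
set -u

readonly ES_HOME=/usr/share/elasticsearch
readonly ES_CONF=/etc/elasticsearch
readonly CA_P12=/tmp/new-ca.p12
readonly HTTP_FULL_P12="$ES_CONF/http-full.p12"
readonly HTTP_P12="$ES_CONF/http.p12"
readonly ES_URL_HTTP=http://localhost:9200
readonly ES_URL_HTTPS=https://localhost:9200
# TODO(review): prefer passing these via the environment; the defaults are the
# values that used to be hard-coded in several places of this script.
readonly KEYSTORE_PASS=${ES_KEYSTORE_PASS:-Elastic@123}
readonly ELASTIC_PASS=${ES_ELASTIC_PASS:-qKvR98F7HWKhcsGfepB4}

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# 1. Show the client-side TLS tooling versions (curl, OpenSSL).
#######################################
check_tools() {
  echo "1. 检查工具版本:"
  curl --version | head -2
  openssl version
}

#######################################
# 2. Keep a timestamped copy of the current elasticsearch.yml; step 4
#    overwrites the live file.
#######################################
backup_config() {
  printf '\n%s\n' "2. 备份当前配置..."
  local stamp
  stamp=$(date +%Y%m%d_%H%M%S)
  sudo cp -- "$ES_CONF/elasticsearch.yml" \
    "$ES_CONF/elasticsearch.yml.backup_$stamp" \
    || die "备份 elasticsearch.yml 失败"
}

#######################################
# 3. Generate a new CA and an HTTP certificate signed by it.
# Globals:  ES_HOME, CA_P12, HTTP_FULL_P12, HTTP_P12, KEYSTORE_PASS
# Outputs:  $CA_P12 (CA, empty passphrase), $HTTP_FULL_P12 and $HTTP_P12
#           (server cert + key, protected by KEYSTORE_PASS)
#######################################
generate_certs() {
  printf '\n%s\n' "3. 重新生成完整证书链..."
  local certutil="$ES_HOME/bin/elasticsearch-certutil"
  [[ -x "$certutil" ]] || die "找不到 $certutil"

  local host fqdn
  host=$(hostname)
  fqdn=$(hostname -f 2>/dev/null || echo localhost)

  # Remove the previous CA / cert so certutil does not refuse to overwrite.
  sudo rm -f -- "$CA_P12" "$HTTP_FULL_P12" 2>/dev/null

  # NOTE(review): the CA private key is written to /tmp with an empty
  # passphrase and is never removed by this script; move it somewhere
  # private once the clients that need to trust it have been provisioned.
  sudo "$certutil" ca --out "$CA_P12" --pass "" --days 3650 --silent \
    || die "生成CA失败"

  # SANs cover loopback, the short and the fully-qualified host name.
  sudo "$certutil" cert \
    --ca "$CA_P12" \
    --ca-pass "" \
    --out "$HTTP_FULL_P12" \
    --pass "$KEYSTORE_PASS" \
    --dns localhost \
    --dns 127.0.0.1 \
    --dns "$host" \
    --dns "$fqdn" \
    --ip 127.0.0.1 \
    --ip ::1 \
    --ip 0.0.0.0 \
    --name "es-node" \
    --silent \
    || die "生成证书失败"

  # Both files hold the private key, so the intermediate copy gets the same
  # owner and mode as the keystore Elasticsearch actually reads.
  sudo cp -- "$HTTP_FULL_P12" "$HTTP_P12" || die "复制证书失败"
  sudo chown elasticsearch:elasticsearch "$HTTP_FULL_P12" "$HTTP_P12"
  sudo chmod 640 "$HTTP_FULL_P12" "$HTTP_P12"
}

#######################################
# 4. Replace elasticsearch.yml with a single-node, TLS-enabled configuration.
# Globals:  ES_CONF, KEYSTORE_PASS
#######################################
write_config() {
  printf '\n%s\n' "4. 配置HTTP和HTTPS双端口..."
  # NOTE(review): with xpack.security.http.ssl.enabled=true port 9200 serves
  # TLS; plain HTTP on the same port is normally rejected, so the "dual port"
  # comments in the YAML below look inaccurate — confirm against the service
  # log after the restart.
  # The keystore password is stored in clear text here. The Elasticsearch
  # keystore (bin/elasticsearch-keystore add
  # xpack.security.http.ssl.keystore.secure_password) is the supported way to
  # keep it out of this file.
  # stdout is discarded so the password is not echoed into terminal/CI logs.
  sudo tee "$ES_CONF/elasticsearch.yml" >/dev/null <<EOF
cluster.name: my-application
node.name: node-1
path.data: /data/es1,/data/es2
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node

# 安全配置 - 启用认证
xpack.security.enabled: true

# 同时启用HTTP和HTTPS
# HTTP端口:9200(未加密,但有认证)
# HTTPS端口:9200(加密+认证)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/http.p12
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.password: "${KEYSTORE_PASS}"
xpack.security.http.ssl.verification_mode: certificate

# 明确指定支持的协议
xpack.security.http.ssl.supported_protocols: ["TLSv1.2", "TLSv1.3"]

# 优化配置
bootstrap.memory_lock: false
cluster.routing.allocation.disk.threshold_enabled: false
indices.id_field_data.enabled: true
EOF
}

#######################################
# 5. Drop a jvm.options.d fragment pinning TLS 1.2/1.3 and GC settings.
#######################################
write_jvm_options() {
  printf '\n%s\n' "5. 优化JVM SSL配置..."
  sudo tee "$ES_CONF/jvm.options.d/ssl-options" <<'EOF'
# SSL/TLS优化
-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3
-Djdk.tls.server.protocols=TLSv1.2,TLSv1.3
-Dhttps.protocols=TLSv1.2,TLSv1.3

# 内存优化
-XX:+UseG1GC
-XX:G1ReservePercent=25
-XX:InitiatingHeapOccupancyPercent=30

# 错误处理
-XX:+HeapDumpOnOutOfMemoryError
-XX:+ExitOnOutOfMemoryError
EOF
}

#######################################
# 6. Restart the service and give it a fixed grace period to come up.
#######################################
restart_service() {
  printf '\n%s\n' "6. 重启服务..."
  sudo systemctl daemon-reload
  sudo systemctl restart elasticsearch || die "重启 elasticsearch 失败"
  echo "等待20秒启动时间..."
  sleep 20
}

#######################################
# 7. Probe the REST port over HTTP and HTTPS. Failures are reported, not fatal.
# Globals:  ES_URL_HTTP, ES_URL_HTTPS, ELASTIC_PASS
#######################################
run_connection_tests() {
  printf '\n%s\n' "7. 测试HTTP和HTTPS连接:"
  local auth="elastic:$ELASTIC_PASS"

  echo "测试1: HTTP连接(应该成功)"
  curl -s -u "$auth" "$ES_URL_HTTP" 2>&1 | head -5

  printf '\n%s\n' "测试2: HTTPS连接(应该成功)"
  # -k disables certificate verification; acceptable only for this local
  # check against the freshly generated self-signed CA. Real clients should
  # trust the CA instead of skipping verification.
  curl -k -u "$auth" "$ES_URL_HTTPS" 2>&1 | head -5

  printf '\n%s\n' "测试3: 集群健康状态(HTTP)"
  curl -s -u "$auth" "$ES_URL_HTTP/_cluster/health?pretty"

  printf '\n%s\n' "测试4: 集群健康状态(HTTPS)"
  curl -k -u "$auth" "$ES_URL_HTTPS/_cluster/health?pretty"
}

#######################################
# 8. Show what is listening on :9200 (netstat first, ss as fallback).
#######################################
show_listeners() {
  printf '\n%s\n' "8. 端口监听状态:"
  sudo netstat -tlnp | grep -- ':9200' || sudo ss -tlnp | grep -- ':9200'
}

#######################################
# 9. List the certificate aliases inside the HTTP keystore, if it exists.
# Globals:  ES_HOME, HTTP_P12, KEYSTORE_PASS
#######################################
verify_cert() {
  printf '\n%s\n' "9. 验证证书:"
  [[ -f "$HTTP_P12" ]] || return 0

  echo "证书文件状态:"
  ls -la "$HTTP_P12"

  printf '\n%s\n' "证书详情:"
  # NOTE(review): -storepass on the command line is visible to other local
  # users via ps while keytool runs; keytool also accepts -storepass:env /
  # -storepass:file if that matters on this host.
  sudo "$ES_HOME/jdk/bin/keytool" -list \
    -keystore "$HTTP_P12" \
    -storepass "$KEYSTORE_PASS" \
    -v 2>&1 | grep -A2 "Alias name:" || echo "证书验证失败"
}

#######################################
# 10. Print the head of `systemctl status`.
#######################################
show_status() {
  printf '\n%s\n' "10. 服务状态:"
  sudo systemctl status elasticsearch --no-pager | head -15
}

#######################################
# 11. Print connection examples for operators.
# Globals:  ELASTIC_PASS
#######################################
show_usage() {
  printf '\n%s\n' "11. 使用示例:"
  cat <<EOF

=== 连接方式 ===

1. HTTP连接(未加密,但有认证):
   curl -u elastic:${ELASTIC_PASS} http://localhost:9200

2. HTTPS连接(加密+认证):
   curl -k -u elastic:${ELASTIC_PASS} https://localhost:9200



5. Kibana配置:
   elasticsearch.hosts: ["http://localhost:9200"]  # 或 https://localhost:9200
   elasticsearch.username: "elastic"
   elasticsearch.password: "${ELASTIC_PASS}"
   elasticsearch.ssl.verificationMode: "none"  # 如果使用HTTPS

=== 安全建议 ===
1. 生产环境建议只使用HTTPS
2. 可以使用防火墙限制HTTP访问
3. 定期更新密码
4. 监控访问日志
EOF
}

main() {
  echo "=== 配置HTTP和HTTPS双端口访问 ==="
  check_tools
  backup_config
  generate_certs
  write_config
  write_jvm_options
  restart_service
  run_connection_tests
  show_listeners
  verify_cert
  show_status
  show_usage

  printf '\n%s\n' "=== 配置完成 ==="
  echo "✅ Elasticsearch 已配置为同时支持HTTP和HTTPS"
  echo "🔓 HTTP: http://localhost:9200 (未加密)"
  echo "🔒 HTTPS: https://localhost:9200 (加密)"
  # NOTE(review): this prints the elastic password to stdout (as the original
  # did); drop it if the output is captured in logs.
  echo "🔐 认证: 用户名=elastic, 密码=${ELASTIC_PASS}"
  echo "📊 两种方式都需要认证"
}

main "$@"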
