Reposted from:
https://blog.csdn.net/UbuntuTouch/article/details/105527468
Security
If access from APM agents to the APM server is not secured, any application can push data into the APM server.
If that application is malicious, the data we end up with may be wrong. So how do we make the transport secure?
The answer is to use a secret token during transmission.
What is a secret token?
You can configure a secret token to authorize requests to the APM server. This ensures that only your agents can send data to your APM server.
The agent and the APM server must both be configured with the same secret token, and the secret token only provides security when it is used together with SSL/TLS.
To secure the communication between APM agents and the APM server with a secret token:
- Enable SSL/TLS in the APM server
- Set the secret token in the agents and in the server
- Enable HTTPS in the APM agent
Generating certificates
Run the following command from the root directory of the Elasticsearch installation:
./bin/elasticsearch-certutil ca --pem

This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.zip]:
The command above generates a file named elastic-stack-ca.zip. We then unzip it with the following command:
unzip elastic-stack-ca.zip
Archive:  elastic-stack-ca.zip
   creating: ca/
  inflating: ca/ca.crt
  inflating: ca/ca.key
A new directory named ca is created in the current directory, containing two files: ca.crt and ca.key. Note that the ca.crt certificate will be used later in our agent. Next, we generate the instance certificate with the following command:
./bin/elasticsearch-certutil cert --ca-cert ./ca/ca.crt --ca-key ./ca/ca.key --pem --name localhost

This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
      on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
      instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
      the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
      -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Please enter the desired output file [certificate-bundle.zip]:

Certificates written to /Users/liuxg/elastic3/elasticsearch-7.6.2/certificate-bundle.zip

This file should be properly secured as it contains the private key for
your instance.

After unzipping the file, there will be a directory for each instance.
Each instance has a certificate and private key.
For each Elastic product that you wish to configure, you should copy
the certificate, key, and CA certificate to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
The command above produces a certificate bound to localhost, which means the certificate can only be used on the local host. As shown in the output, it writes a file named certificate-bundle.zip to the current directory; this file contains the certificate material we need. We unzip it with the following command:
unzip certificate-bundle.zip
Archive:  certificate-bundle.zip
   creating: localhost/
  inflating: localhost/localhost.crt
  inflating: localhost/localhost.key
This produces the certificate files we want, localhost.crt and localhost.key, in the localhost directory. We copy these two files into the root directory of our APM server installation.
Note: a .crt certificate can be converted to a .pem certificate with the following command:
openssl x509 -in mycert.crt -out mycert.pem -outform PEM
Configuring the APM server
Configure SSL/TLS for our APM server
Open the apm-server.yml file and append the following configuration at the end of the file:
apm-server.ssl.enabled: true
apm-server.secret_token: "123456"
apm-server.ssl.key: "localhost.key"
apm-server.ssl.certificate: "localhost.crt"   # the instance certificate that pairs with localhost.key (ca.crt is the CA certificate, used by the agent)
With this configuration in place, we restart our APM server:
./apm-server -e
Testing the APM agent
Copy the ca.crt certificate generated earlier into the root directory of the application, then add two new parameters to the agent configuration referenced by the application:
serviceName: 'zipcode service',
secretToken: '123456',               // modified: must match apm-server.secret_token on the server
serverUrl: 'https://localhost:8200', // modified: HTTPS, since the server now has SSL/TLS enabled
verifyServerCert: true,              // new
serverCaCertFile: "ca.crt"           // new; an absolute path is best