Securing Elasticsearch
Elasticsearch can encrypt communication with TLS through its X-Pack module. This module is available out of the box with ES version 7.7 (shipping with the Squirro 3.1.0 release).
SSL certificate
For this, the certificate files can be put into /etc/elasticsearch/certs as:
servername.key
servername.crt
ca.crt
They are then referenced in /etc/elasticsearch/elasticsearch.yml by adding the following lines:
xpack.ssl.key: certs/servername.key
xpack.ssl.certificate: certs/servername.crt
xpack.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
Full documentation is available in the Elasticsearch manual at Encrypting Communications.
Access to Elasticsearch is passed through Nginx as well. To use HTTPS, the configuration needs to be adjusted in /etc/nginx/conf.d/00-default.conf to access https://elastic instead of http://elastic. This can be achieved with the following commands on the shell:
$> sed -i'' -e 's@http://elastic@https://elastic@' /etc/nginx/conf.d/00-default.conf
$> nginx -t
$> service nginx reload
To change the connection pattern in Elasticsearch you must edit /etc/squirro/common.ini and change the following line:
es_index_servers = http://127.0.0.1:81/ext/elastic
To:
es_index_servers = https://127.0.0.1:81/ext/elastic
All the relevant services accessing Elasticsearch must be restarted after this configuration change. It's best to use the squirro_restart utility to restart all services.
Password
A password can be defined to access Elasticsearch. For this, the following line needs to be added to /etc/elasticsearch/elasticsearch.yml:
xpack.security.enabled: true
Then restart Elasticsearch:
systemctl restart elasticsearch
The password can then be defined by calling the command:
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
After you set your password, you are required to add this parameter to Squirro. You must edit the /etc/squirro/common.ini file and add the following lines (under the [index] section):
es_auth_user = elastic # or the user you selected
es_auth_password = YOUR_PASSWORD
NB: you can also generate a random password by calling:
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b
Restart all the Squirro services:
squirro_restart
Important: on ES version < 7.7.1 you must first install x-pack, and then the commands change as follows:
/usr/share/elasticsearch/bin/x-pack/elasticsearch-setup-passwords auto -b
/usr/share/elasticsearch/bin/x-pack/setup-passwords interactive
Cluster references:
https://www.elastic.co/guide/en/elasticsearch/reference/7.8/configuring-tls.html#tls-transport
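The TLS and password steps above touch two files that must agree, and a half-applied change leaves Squirro talking to Elasticsearch in plaintext or without credentials. The following consistency check is an added example, not part of Squirro or Elasticsearch; the function names and sample inputs are constructed here, and it assumes elasticsearch.yml uses flat dotted keys as shown on this page.

```python
import configparser

# Settings the page adds to elasticsearch.yml; each must be "true".
REQUIRED_ES = ("xpack.security.enabled",
               "xpack.security.transport.ssl.enabled",
               "xpack.security.http.ssl.enabled")

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines as the page writes them (no nested YAML)."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit(es_yml_text, common_ini_text):
    """Return a list of findings; an empty list means both files agree."""
    findings = []
    es = parse_flat_yaml(es_yml_text)
    for key in REQUIRED_ES:
        if es.get(key, "").lower() != "true":
            findings.append(f"elasticsearch.yml: {key} is not true")
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(common_ini_text)
    # The page does not name the section of es_index_servers, so search them all.
    servers = [ini[s]["es_index_servers"] for s in ini.sections()
               if "es_index_servers" in ini[s]]
    if not servers:
        findings.append("common.ini: es_index_servers is not set")
    for url in servers:
        if not url.startswith("https://") or "http://" in url:
            findings.append(f"common.ini: es_index_servers is not HTTPS: {url}")
    for key in ("es_auth_user", "es_auth_password"):
        if not ini.get("index", key, fallback="").strip():
            findings.append(f"common.ini: [index] {key} is missing")
    return findings

# Constructed sample inputs, not taken from a real host.
SAMPLE_ES_YML = """xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: false
"""
SAMPLE_COMMON_INI = """[index]
es_index_servers = http://127.0.0.1:81/ext/elastic
es_auth_user = elastic
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ES_YML, SAMPLE_COMMON_INI)))
```

To check a real host, pass the contents of /etc/elasticsearch/elasticsearch.yml and /etc/squirro/common.ini to audit() before restarting the services.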
Securing MariaDB
SSL can be enabled for MariaDB connections by setting the following configuration values in /etc/squirro/common.ini:
[db]
ssl=true
ssl_ca=<PATH_TO_SSL_CERTIFICATE>
The [db] section will already exist in the config file, thus the full section will then look something like this:
[db]
mysql_transaction_isolation=READ COMMITTED
ssl=true