SSL support: HTTPS interface

In Manticore 3.1.2 was added support for data encryption between your application or another client (curl, browser etc) and Manticore Search daemon. It’s important to have it enabled if you need to protect your data (queries, responses) from interception inside your local network and especially if you connect to Manticore Search over the internet. Setting it up requires using certificates. Below is just an example of how it can be done with self-signed certificates, there may be other options like purchasing certificates signed by a real CA.

In this tutorial, we will study how to use SSL in work with Manticore Search.

In case if you want to go through an interactive course, go here.

Manticore SSL supported

Certificates generation example

To generate CA key/certificate and server key/certificate you can do:

Generate CA private key:

root@https-5f6dbcf77c-45t2m:/# openssl genrsa 2048 > /var/lib/manticore/data/ca-key.pem 
Generating RSA private key, 2048 bit long modulus
...............................+++++
........+++++
e is 65537 (0x010001)

Generate self-signed CA (root) certificate from the private key (here we specify “CA” as it’s common name, you can remove -subj completely and fill in all the fields):

root@https-5f6dbcf77c-45t2m:/# openssl req -new -x509 -nodes -days 365 -k
key /var/lib/manticore/data/ca-key.pem -out /var/lib/manticore/data/ca-cert.pem -subj '/CN=CA'

Generate certificate request and server private key (we specify “127.0.0.1” as the common name as we will run the searchd on 127.0.0.1, you can remove -subj and specify whatever you want in a real life):

root@https-5f6dbcf77c-45t2m:/# openssl req -newkey rsa:2048 -days 365 -no
odes -keyout /var/lib/manticore/data/server-key.pem -out /var/lib/manticore/data/server-req.pem  -subj '/CN=127.0.0.1' 
Generating a RSA private key
..........................................+++++
.................+++++
writing new private key to '/var/lib/manticore/data/server-key.pem'
-----

Generate certificate from the request, CA key and root cert:

root@https-5f6dbcf77c-45t2m:/# openssl x509 -req -in /var/lib/manticore/data/server-req.pem -days 365 -CA /var/lib/manticore/data/ca-cert.pem -CA
Akey /var/lib/manticore/data/ca-key.pem -set_serial 01 -out /var/lib/manticore/data/server-cert.pem 
Signature ok
subject=CN = 127.0.0.1
Getting CA Private Key

Verify the server certificate with the CA certificate:

root@https-5f6dbcf77c-45t2m:/# openssl verify -CAfile /var/lib/manticore/data/ca-cert.pem /var/lib/manticore/data/server-cert.pem 
/var/lib/manticore/data/server-cert.pem: OK

Connecting to Manticore Search via https

Make sure your Manticore Search config includes the needed options:

root@https-5f6dbcf77c-45t2m:/# cat /var/lib/manticore/data/manticore.conf|egrep "ssl|https" 
listen = 9309:https
ssl_ca = /var/lib/manticore/data/ca-cert.pem
ssl_cert = /var/lib/manticore/data/server-cert.pem
ssl_key = /var/lib/manticore/data/server-key.pem

Run the Manticore Search daemon:

root@https-5f6dbcf77c-45t2m:/# searchd -c /var/lib/manticore/data/manticore.conf 
Manticore 3.1.2 47b6bc2c@190822 release
Copyright (c) 2001-2016, Andrew Aksyonoff
Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Copyright (c) 2017-2019, Manticore Software LTD (http://manticoresearch.com)

using config file '/var/lib/manticore/data/manticore.conf' (415 chars)...
listening on all interfaces, port=9309
listening on all interfaces, port=9308
precaching index 'rt'
precached 1 indexes in 0.004 sec

Verify that the secure connection works (you should see a JSON response):

root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/ca-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')"; 
{"took":4,"timed_out":false,"hits":{"total":0,"hits":[]}}

The CA certificate has to be provided as we used a self-signed certificate. If you don’t specify the proper CA certificate it will fail, e.g. let’s try to give it our server certificate instead of the CA certificate:

root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/server-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')"; 
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

You can also omit this completely by using curl -k option:

root@https-5f6dbcf77c-45t2m:/# curl -k "https://127.0.0.1:9309/sql" -d "q
query=select * from rt where match('abc')"; echo 
{"took":0,"timed_out":false,"hits":{"total":0,"hits":[]}}

but it’s less secure, however may make sense in some cases.

That’s it. Not that difficult.

 

Leave a Reply