Manticore 3.1.2 added support for encrypting the data exchanged between your application or another client (curl, a browser, etc.) and the Manticore Search daemon. It is important to enable it if you need to protect your data (queries and responses) from interception on the local network, and especially if you connect to Manticore Search over the internet. The setup requires certificates. Below is just one example of how it can be done with self-signed certificates; there are other options, such as buying certificates signed by a real CA.
In this tutorial we will look at how to use SSL with Manticore Search.
If you would rather go through an interactive course, go here.
Certificate generation example
------------------------------
To generate the CA key/certificate and the server key/certificate, you can do the following.
Generate the CA private key:
root@https-5f6dbcf77c-45t2m:/# openssl genrsa 2048 > /var/lib/manticore/data/ca-key.pem
Generating RSA private key, 2048 bit long modulus
...............................+++++
........+++++
e is 65537 (0x010001)
Generate a self-signed CA (root) certificate from the private key (here we specify "CA" as its common name; you can remove -subj completely and fill in all the fields interactively instead):
root@https-5f6dbcf77c-45t2m:/# openssl req -new -x509 -nodes -days 365 -key /var/lib/manticore/data/ca-key.pem -out /var/lib/manticore/data/ca-cert.pem -subj '/CN=CA'
Generate the server private key and a certificate signing request (we specify "127.0.0.1" as the common name because we will run searchd on 127.0.0.1; in real life you can remove -subj and specify whatever host name you actually connect to):
root@https-5f6dbcf77c-45t2m:/# openssl req -newkey rsa:2048 -days 365 -nodes -keyout /var/lib/manticore/data/server-key.pem -out /var/lib/manticore/data/server-req.pem -subj '/CN=127.0.0.1'
Generating a RSA private key
..........................................+++++
.................+++++
writing new private key to '/var/lib/manticore/data/server-key.pem'
-----
Generate the server certificate from the request, signing it with the CA key and root certificate:
root@https-5f6dbcf77c-45t2m:/# openssl x509 -req -in /var/lib/manticore/data/server-req.pem -days 365 -CA /var/lib/manticore/data/ca-cert.pem -CAkey /var/lib/manticore/data/ca-key.pem -set_serial 01 -out /var/lib/manticore/data/server-cert.pem
Signature ok
subject=CN = 127.0.0.1
Getting CA Private Key
Verify the server certificate with the CA certificate:
root@https-5f6dbcf77c-45t2m:/# openssl verify -CAfile /var/lib/manticore/data/ca-cert.pem /var/lib/manticore/data/server-cert.pem
/var/lib/manticore/data/server-cert.pem: OK
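The four openssl steps above collected into reusable shell functions, as an added example that is not part of the original tutorial. The function names, the output directory argument and the san.cnf helper file are assumptions; it goes one step beyond the tutorial by also putting the server address into a subjectAltName, which is what modern clients match the address against.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: self-signed CA plus a
# CA-signed server certificate, as expected by Manticore's ssl_ca/ssl_cert/ssl_key.
set -eu

# Generate the CA private key and the self-signed root certificate.
gen_ca() {
    dir="$1"
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 365 -key "$dir/ca-key.pem" \
        -out "$dir/ca-cert.pem" -subj '/CN=CA' 2>/dev/null
}

# Generate the server key and CSR, then sign the CSR with the CA.
# The CN is the server address as in the tutorial; the subjectAltName
# (san.cnf is a helper file this example creates) is an addition.
gen_server_cert() {
    dir="$1"; addr="$2"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -out "$dir/server-req.pem" -subj "/CN=$addr" 2>/dev/null
    printf 'subjectAltName=IP:%s\n' "$addr" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/server-req.pem" -days 365 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
        -extfile "$dir/san.cnf" -out "$dir/server-cert.pem" 2>/dev/null
}

# Returns 0 if CERT chains to CAFILE, 1 otherwise. This is the same check
# curl --cacert performs, so passing server-cert.pem as CAFILE fails here too.
verify_cert() {
    cafile="$1"; cert="$2"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Usage: sh gen-certs.sh <out_dir> [server_addr]   (defaults to 127.0.0.1)
if [ -n "${1:-}" ]; then
    gen_ca "$1"
    gen_server_cert "$1" "${2:-127.0.0.1}"
    verify_cert "$1/ca-cert.pem" "$1/server-cert.pem" && echo "server-cert.pem: OK"
fi
```

Point ssl_ca, ssl_cert and ssl_key in manticore.conf at ca-cert.pem, server-cert.pem and server-key.pem in the chosen directory.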
Connecting to Manticore Search via https
-------------------------------------
Make sure your Manticore Search config includes the needed options:
root@https-5f6dbcf77c-45t2m:/# cat /var/lib/manticore/data/manticore.conf|egrep "ssl|https"
listen = 9309:https
ssl_ca = /var/lib/manticore/data/ca-cert.pem
ssl_cert = /var/lib/manticore/data/server-cert.pem
ssl_key = /var/lib/manticore/data/server-key.pem
Run the Manticore Search daemon:
root@https-5f6dbcf77c-45t2m:/# searchd -c /var/lib/manticore/data/manticore.conf
Manticore 3.1.2 47b6bc2c@190822 release
Copyright (c) 2001-2016, Andrew Aksyonoff
Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Copyright (c) 2017-2019, Manticore Software LTD (http://manticoresearch.com)
using config file '/var/lib/manticore/data/manticore.conf' (415 chars)...
listening on all interfaces, port=9309
listening on all interfaces, port=9308
precaching index 'rt'
precached 1 indexes in 0.004 sec
Verify that the secure connection works (you should see a JSON response):
root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/ca-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')";
{"took":4,"timed_out":false,"hits":{"total":0,"hits":[]}}
The CA certificate has to be provided because we used a self-signed certificate. If you don't specify the proper CA certificate, the connection will fail. For example, let's pass our server certificate instead of the CA certificate:
root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/server-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')";
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
You can also skip certificate verification entirely with the curl -k (--insecure) option. It is less secure, but it may make sense in some cases.
That's it. Not that difficult.
