Manticore 3.1.2 added support for encrypting the traffic between an application or other client (curl, a browser, etc.) and the Manticore Search daemon. Enable it whenever your data (queries and responses) must be protected from interception inside the local network, and especially when you connect to Manticore Search over the Internet. Setting it up requires certificates. Below is just one example that uses a self-signed certificate; other options are possible, such as buying a certificate signed by a real CA.
In this tutorial we will look at how to use SSL when working with Manticore Search.
If you would like to take the interactive course, click here.
Certificate generation example
To generate a CA key/certificate and a server key/certificate you can do the following:
Generate the CA private key:
root@https-5f6dbcf77c-45t2m:/# openssl genrsa 2048 > /var/lib/manticore/data/ca-key.pem
Generating RSA private key, 2048 bit long modulus
...............................+++++
........+++++
e is 65537 (0x010001)
Generate a self-signed CA (root) certificate from the private key (here we set "CA" as its Common Name; you can drop -subj entirely and fill in all the fields interactively):
root@https-5f6dbcf77c-45t2m:/# openssl req -new -x509 -nodes -days 365 -key /var/lib/manticore/data/ca-key.pem -out /var/lib/manticore/data/ca-cert.pem -subj '/CN=CA'
Generate the certificate request and the server private key (we set "127.0.0.1" as the Common Name because we will run searchd on 127.0.0.1; you can drop -subj and put in whatever you need in real life). Note that browsers such as Chrome no longer look at the Common Name at all and match the host only against a subjectAltName extension, which this request does not include; curl still falls back to the CN, which is why the curl checks further down succeed:
root@https-5f6dbcf77c-45t2m:/# openssl req -newkey rsa:2048 -days 365 -nodes -keyout /var/lib/manticore/data/server-key.pem -out /var/lib/manticore/data/server-req.pem -subj '/CN=127.0.0.1'
Generating a RSA private key
..........................................+++++
.................+++++
writing new private key to '/var/lib/manticore/data/server-key.pem'
-----
Generate the certificate from the request, the CA key and the root certificate:
root@https-5f6dbcf77c-45t2m:/# openssl x509 -req -in /var/lib/manticore/data/server-req.pem -days 365 -CA /var/lib/manticore/data/ca-cert.pem -CAkey /var/lib/manticore/data/ca-key.pem -set_serial 01 -out /var/lib/manticore/data/server-cert.pem
Signature ok
subject=CN = 127.0.0.1
Getting CA Private Key
Verify the server certificate against the CA certificate:
root@https-5f6dbcf77c-45t2m:/# openssl verify -CAfile /var/lib/manticore/data/ca-cert.pem /var/lib/manticore/data/server-cert.pem
/var/lib/manticore/data/server-cert.pem: OK
Connecting to Manticore Search over HTTPS
Make sure your Manticore Search configuration contains the required options:
root@https-5f6dbcf77c-45t2m:/# cat /var/lib/manticore/data/manticore.conf|egrep "ssl|https"
listen = 9309:https
ssl_ca = /var/lib/manticore/data/ca-cert.pem
ssl_cert = /var/lib/manticore/data/server-cert.pem
ssl_key = /var/lib/manticore/data/server-key.pem
Run the Manticore Search daemon:
root@https-5f6dbcf77c-45t2m:/# searchd -c /var/lib/manticore/data/manticore.conf
Manticore 3.1.2 47b6bc2c@190822 release
Copyright (c) 2001-2016, Andrew Aksyonoff
Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Copyright (c) 2017-2019, Manticore Software LTD (http://manticoresearch.com)
using config file '/var/lib/manticore/data/manticore.conf' (415 chars)...
listening on all interfaces, port=9309
listening on all interfaces, port=9308
precaching index 'rt'
precached 1 indexes in 0.004 sec
Check that the secure connection works (you should get a JSON response):
root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/ca-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')";
{"took":4,"timed_out":false,"hits":{"total":0,"hits":[]}}
The CA certificate has to be supplied because we used a self-signed one. If you do not point curl at the right CA certificate, verification fails; for example, let's hand it our server certificate instead of the CA certificate:
root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/server-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')";
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The error text is the point: the chain the server presents ends in our self-signed CA, and the server certificate we passed with --cacert is neither that CA nor a valid trust anchor on its own, so nothing in the chain is trusted. You can also skip verification entirely with curl's -k option:
root@https-5f6dbcf77c-45t2m:/# curl -k "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')"; echo
{"took":0,"timed_out":false,"hits":{"total":0,"hits":[]}}
This turns certificate verification off completely, so anyone who can intercept the connection can impersonate the server and read the queries and responses; it is only reasonable for throwaway local testing, never for traffic that crosses a network you do not control.
That's it. Not hard at all.
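The following shell script is an added example and is not code from Manticore or from this tutorial. It repeats the certificate generation steps from the first section in one place and fixes what the one-liners leave out: the CA certificate gets explicit CA basic constraints, the server certificate gets a subjectAltName (which curl and browsers match against instead of the CN) and a random serial number instead of -set_serial 01 (issuing several certificates with the same serial from one CA is invalid and some clients reject the reuse), and both private keys end up readable only by their owner. Its last step reproduces the trust failure from the curl section with openssl verify: the server certificate cannot act as its own trust anchor, only ca-cert.pem can. Assumptions: openssl is on PATH, the output directory is passed as the first argument, and the file names mirror the ones used on this page.

```shell
#!/bin/sh
# Added example, not Manticore's own tooling. Builds a private CA and a server
# certificate like the steps in the tutorial, plus a subjectAltName, CA basic
# constraints, a random serial and owner-only key permissions.
# Assumed: openssl is on PATH; $1 is the output directory.
set -eu

gen_certs() {
  dir="$1"
  mkdir -p "$dir"

  # CA profile: explicitly a CA, key usable only to sign certificates and CRLs.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Manticore Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Server profile: not a CA, TLS server only, and the names clients check.
  # curl and browsers match the host against the SAN rather than the CN, so
  # "IP:127.0.0.1" is what lets https://127.0.0.1:9309 verify.
  cat > "$dir/server.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = srv_ext
prompt = no
[dn]
CN = 127.0.0.1
[srv_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1, DNS:localhost
EOF

  # 1. CA private key and self-signed root certificate.
  openssl genrsa -out "$dir/ca-key.pem" 2048
  openssl req -new -x509 -nodes -days 3650 -key "$dir/ca-key.pem" \
    -config "$dir/ca.cnf" -out "$dir/ca-cert.pem"

  # 2. Server private key and certificate request.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
    -config "$dir/server.cnf" -out "$dir/server-req.pem"

  # 3. Sign the request with the CA. The extensions come from the extfile,
  #    and a random 128-bit serial replaces "-set_serial 01": issuing several
  #    certificates with the same serial from one CA is invalid.
  openssl x509 -req -in "$dir/server-req.pem" -days 365 \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
    -set_serial "0x$(openssl rand -hex 16)" \
    -extfile "$dir/server.cnf" -extensions srv_ext \
    -out "$dir/server-cert.pem"

  # Only searchd (and the CA operator) should be able to read the keys.
  chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem"
}

# Returns 0 when certificate $2 chains to a trust anchor in $1, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the text dump of certificate $1 contains string $2.
cert_text_has() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

if [ "$#" -gt 0 ]; then
  gen_certs "$1"
  verify_chain "$1/ca-cert.pem" "$1/server-cert.pem" && echo "server-cert.pem verifies against ca-cert.pem"
  # The server certificate is neither self-signed nor a CA, so it cannot be
  # its own trust anchor; this is the failure curl reports with the wrong --cacert.
  verify_chain "$1/server-cert.pem" "$1/server-cert.pem" || echo "server-cert.pem rejected as a trust anchor (expected)"
fi
```

Run it as `sh gen-certs.sh /var/lib/manticore/data`, then point ssl_cert and ssl_key at server-cert.pem and server-key.pem and ssl_ca at ca-cert.pem exactly as in the configuration above, and give clients ca-cert.pem via --cacert.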
