Manticore 3.1.2 added support for encrypting the data exchanged between your application or other clients (curl, a browser, etc.) and the Manticore Search daemon. Enabling it is important if you need to prevent data (queries, responses) from being intercepted on the local network, and especially when you connect to Manticore Search over the Internet. Configuring the feature requires certificates. Below is only an example of setting it up with a self-signed certificate; you can choose other options, such as buying a certificate signed by a real CA.
In this tutorial we will learn how to use SSL with Manticore Search.
If you would like to take an interactive course, click here.
Certificate generation example
To generate a CA key/certificate and a server key/certificate, you can run the following commands:
Generate the CA private key:
root@https-5f6dbcf77c-45t2m:/# openssl genrsa 2048 > /var/lib/manticore/data/ca-key.pem
Generating RSA private key, 2048 bit long modulus
...............................+++++
........+++++
e is 65537 (0x010001)
Generate a self-signed CA (root) certificate from the private key (here we specify "CA" as the common name; you can also drop -subj entirely and fill in all the fields):
root@https-5f6dbcf77c-45t2m:/# openssl req -new -x509 -nodes -days 365 -key /var/lib/manticore/data/ca-key.pem -out /var/lib/manticore/data/ca-cert.pem -subj '/CN=CA'
Generate a certificate request and the server private key (we specify "127.0.0.1" as the common name because we will run searchd on 127.0.0.1; in real use you can drop -subj and fill in the fields as needed):
root@https-5f6dbcf77c-45t2m:/# openssl req -newkey rsa:2048 -days 365 -nodes -keyout /var/lib/manticore/data/server-key.pem -out /var/lib/manticore/data/server-req.pem -subj '/CN=127.0.0.1'
Generating a RSA private key
..........................................+++++
.................+++++
writing new private key to '/var/lib/manticore/data/server-key.pem'
-----
Generate the certificate from the certificate request, the CA key and the root certificate:
root@https-5f6dbcf77c-45t2m:/# openssl x509 -req -in /var/lib/manticore/data/server-req.pem -days 365 -CA /var/lib/manticore/data/ca-cert.pem -CAkey /var/lib/manticore/data/ca-key.pem -set_serial 01 -out /var/lib/manticore/data/server-cert.pem
Signature ok
subject=CN = 127.0.0.1
Getting CA Private Key
Verify the server certificate against the CA certificate:
root@https-5f6dbcf77c-45t2m:/# openssl verify -CAfile /var/lib/manticore/data/ca-cert.pem /var/lib/manticore/data/server-cert.pem
/var/lib/manticore/data/server-cert.pem: OK
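The four openssl steps above, collected into one script as an added example (this is not part of the original tutorial or of Manticore's own tooling). It goes slightly beyond the tutorial: it writes a subjectAltName into the server certificate, because modern clients match the SAN rather than the CN, and it locks down the key files. CERT_DIR, SERVER_CN, DAYS and the helper names are assumptions; override the variables through the environment.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the certificate-generation steps
# as one script, plus the checks worth running before handing the files to searchd.
# CERT_DIR, SERVER_CN and DAYS are assumptions; override them via the environment.
set -eu

CERT_DIR="${CERT_DIR:-/tmp/manticore-certs}"   # where the PEM files are written
SERVER_CN="${SERVER_CN:-127.0.0.1}"            # the address clients will connect to
DAYS="${DAYS:-365}"

# subjectAltName entry for the server: an IP literal gets IP:, anything else DNS:.
# The tutorial's certificate carries only a CN; strict clients match the SAN instead.
san_for() {
  case "$1" in
    *[!0-9.]*) printf 'DNS:%s' "$1" ;;
    *)         printf 'IP:%s' "$1" ;;
  esac
}

gen_manticore_certs() {
  mkdir -p "$CERT_DIR" && chmod 700 "$CERT_DIR"
  # 1. CA private key and self-signed root certificate
  openssl genrsa -out "$CERT_DIR/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days "$DAYS" -key "$CERT_DIR/ca-key.pem" \
    -out "$CERT_DIR/ca-cert.pem" -subj '/CN=CA' 2>/dev/null
  # 2. Server private key and certificate signing request
  openssl req -newkey rsa:2048 -nodes -keyout "$CERT_DIR/server-key.pem" \
    -out "$CERT_DIR/server-req.pem" -subj "/CN=$SERVER_CN" 2>/dev/null
  # 3. Sign the request with the CA, adding the SAN extension
  printf 'subjectAltName=%s\n' "$(san_for "$SERVER_CN")" > "$CERT_DIR/san.ext"
  openssl x509 -req -in "$CERT_DIR/server-req.pem" -days "$DAYS" \
    -CA "$CERT_DIR/ca-cert.pem" -CAkey "$CERT_DIR/ca-key.pem" -set_serial 01 \
    -extfile "$CERT_DIR/san.ext" -out "$CERT_DIR/server-cert.pem" 2>/dev/null
  # Private keys must not be readable by other users on the host
  chmod 600 "$CERT_DIR/ca-key.pem" "$CERT_DIR/server-key.pem"
}

# Returns 0 when server-cert.pem chains to the given trust anchor (default: our CA).
# Passing server-cert.pem itself as the anchor fails, which is exactly what curl
# reports as error 60 when it is given the wrong --cacert.
verify_chain() {
  openssl verify -CAfile "${1:-$CERT_DIR/ca-cert.pem}" "$CERT_DIR/server-cert.pem" >/dev/null 2>&1
}

# Returns 0 when server-cert.pem is still valid $1 seconds from now.
cert_valid_for_seconds() {
  openssl x509 -in "$CERT_DIR/server-cert.pem" -noout -checkend "$1" >/dev/null
}

gen_manticore_certs
verify_chain && cert_valid_for_seconds 86400 && echo "certificates in $CERT_DIR verified"
```

Run it with CERT_DIR=/var/lib/manticore/data to produce the same file names the tutorial's manticore.conf refers to; cert_valid_for_seconds is handy in a cron job that warns before the 365-day certificate expires and searchd starts failing handshakes.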
Connecting to Manticore Search over HTTPS
Make sure your Manticore Search configuration contains the required options:
root@https-5f6dbcf77c-45t2m:/# cat /var/lib/manticore/data/manticore.conf|egrep "ssl|https"
listen = 9309:https
ssl_ca = /var/lib/manticore/data/ca-cert.pem
ssl_cert = /var/lib/manticore/data/server-cert.pem
ssl_key = /var/lib/manticore/data/server-key.pem
Start the Manticore Search daemon:
root@https-5f6dbcf77c-45t2m:/# searchd -c /var/lib/manticore/data/manticore.conf
Manticore 3.1.2 47b6bc2c@190822 release
Copyright (c) 2001-2016, Andrew Aksyonoff
Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Copyright (c) 2017-2019, Manticore Software LTD (http://manticoresearch.com)
using config file '/var/lib/manticore/data/manticore.conf' (415 chars)...
listening on all interfaces, port=9309
listening on all interfaces, port=9308
precaching index 'rt'
precached 1 indexes in 0.004 sec
Verify that the secure connection works (you should see a JSON response):
root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/ca-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')";
{"took":4,"timed_out":false,"hits":{"total":0,"hits":[]}}
Since we are using a self-signed certificate, the CA certificate must be provided. If you do not specify the correct CA certificate, the request fails; for example, let's try using the server certificate instead of the CA certificate:
root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/server-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')";
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
You can also skip it entirely and just use the curl -k option:
root@https-5f6dbcf77c-45t2m:/# curl -k "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')"; echo
{"took":0,"timed_out":false,"hits":{"total":0,"hits":[]}}
This is less secure, though, but it may be justified in some cases.
That's it. Not that difficult.
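A pre-flight check for the configuration section and the curl verification above, added here as an example that is not part of the original tutorial or of Manticore itself. Before starting searchd it confirms that the ssl_* options in manticore.conf are consistent with each other and with the files on disk, so that a wrong key, a certificate that does not chain to ssl_ca, or a listener without :https is caught on the server instead of surfacing only as curl error 60 at the client (or being papered over with -k). The option names are the ones the tutorial shows; the key-permission policy, the function names and the config path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Manticore tutorial): sanity-check the ssl_* settings in
# manticore.conf before starting searchd. Function names and the permission policy
# are assumptions; the option names (listen, ssl_ca, ssl_cert, ssl_key) are Manticore's.
set -eu

# Print the value of a "name = value" option from a Manticore config file (last wins).
conf_value() {   # $1 = config file, $2 = option name
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Returns 0 when at least one listen line enables the https protocol.
has_https_listener() {   # $1 = config file
  grep -Eq '^[[:space:]]*listen[[:space:]]*=.*:https([[:space:]]|$)' "$1"
}

# Returns 0 when the key file exists and is not readable by group or others
# (columns 5-10 of ls -l are the group and other permission bits).
key_is_private() {   # $1 = key file
  [ -r "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    *r*) return 1 ;;
  esac
  return 0
}

# Returns 0 when the certificate's public key belongs to the given private key.
key_matches_cert() {   # $1 = key file, $2 = cert file
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Full pre-flight check; prints the first problem found and returns 1 on it.
check_manticore_ssl_config() {   # $1 = path to manticore.conf
  conf=$1
  has_https_listener "$conf" || { echo "no 'listen = ...:https' line in $conf"; return 1; }
  ca=$(conf_value "$conf" ssl_ca)
  cert=$(conf_value "$conf" ssl_cert)
  key=$(conf_value "$conf" ssl_key)
  for f in "$ca" "$cert" "$key"; do
    [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable file: '$f'"; return 1; }
  done
  key_is_private "$key" || { echo "$key is readable by group/others"; return 1; }
  key_matches_cert "$key" "$cert" || { echo "ssl_key does not match ssl_cert"; return 1; }
  # The same check the tutorial runs by hand with 'openssl verify': clients that are
  # given --cacert ssl_ca will reject the server unless ssl_cert chains to it.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "$cert does not chain to $ca"; return 1; }
  echo "ssl configuration in $conf looks consistent"
}

# Usage: sh check-ssl.sh /var/lib/manticore/data/manticore.conf
[ $# -eq 0 ] || check_manticore_ssl_config "$1"
```

Wire it in front of the searchd start (for example as an ExecStartPre in a unit file): a non-zero exit keeps the daemon from coming up with a broken or world-readable key instead of letting the problem show up only in client-side TLS errors.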