Manticore 3.1.2 adds support for encrypting the data exchanged between an application or other client (curl, a browser, etc.) and the Manticore Search daemon. Enabling it is important if you need to protect data (queries, responses) on your local network from interception, and especially when you connect to Manticore Search over the Internet. Setting it up requires certificates. What follows is just an example of configuring it with a self-signed certificate; there are other options, such as buying a certificate issued by a real CA.
In this tutorial we'll learn how to use SSL when talking to Manticore Search.
If you prefer to learn through an interactive course, go here.
Certificate generation example
To generate a CA key/certificate and a server key/certificate, you can do the following:
Generate the CA private key:
root@https-5f6dbcf77c-45t2m:/# openssl genrsa 2048 > /var/lib/manticore/data/ca-key.pem
Generating RSA private key, 2048 bit long modulus
...............................+++++
........+++++
e is 65537 (0x010001)
Generate a self-signed CA (root) certificate from the private key (here we set "CA" as the common name; you can drop -subj entirely and fill in all the fields yourself):
root@https-5f6dbcf77c-45t2m:/# openssl req -new -x509 -nodes -days 365 -key /var/lib/manticore/data/ca-key.pem -out /var/lib/manticore/data/ca-cert.pem -subj '/CN=CA'
Generate a certificate request and the server private key (we set "127.0.0.1" as the common name because we'll run searchd on 127.0.0.1; in real use you can drop -subj and specify whatever you need):
root@https-5f6dbcf77c-45t2m:/# openssl req -newkey rsa:2048 -days 365 -nodes -keyout /var/lib/manticore/data/server-key.pem -out /var/lib/manticore/data/server-req.pem -subj '/CN=127.0.0.1'
Generating a RSA private key
..........................................+++++
.................+++++
writing new private key to '/var/lib/manticore/data/server-key.pem'
-----
Generate the server certificate from the request, the CA key and the root certificate:
root@https-5f6dbcf77c-45t2m:/# openssl x509 -req -in /var/lib/manticore/data/server-req.pem -days 365 -CA /var/lib/manticore/data/ca-cert.pem -CAkey /var/lib/manticore/data/ca-key.pem -set_serial 01 -out /var/lib/manticore/data/server-cert.pem
Signature ok
subject=CN = 127.0.0.1
Getting CA Private Key
Verify the server certificate against the CA certificate:
root@https-5f6dbcf77c-45t2m:/# openssl verify -CAfile /var/lib/manticore/data/ca-cert.pem /var/lib/manticore/data/server-cert.pem
/var/lib/manticore/data/server-cert.pem: OK
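The same certificate generation sequence as one reusable script, added here as an example rather than taken from the Manticore documentation. It assumes openssl is installed and takes the output directory as a parameter; it goes one step beyond the commands above by adding a subjectAltName for 127.0.0.1, which newer clients require because they ignore the common name, and by tightening permissions on the private keys.

```shell
#!/bin/sh
# Added example (not from the Manticore docs): create a self-signed CA, a
# server key/certificate for 127.0.0.1 signed by that CA, and verify the chain.
# The directory is an assumption; pass your Manticore data directory.
set -eu

make_manticore_certs() {
    DIR="$1"
    mkdir -p "$DIR"
    # CA private key and self-signed root certificate (CN=CA, as on the page)
    openssl genrsa -out "$DIR/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 365 -key "$DIR/ca-key.pem" \
        -out "$DIR/ca-cert.pem" -subj '/CN=CA' 2>/dev/null
    # Server private key plus certificate signing request
    openssl req -newkey rsa:2048 -nodes -keyout "$DIR/server-key.pem" \
        -out "$DIR/server-req.pem" -subj '/CN=127.0.0.1' 2>/dev/null
    # Sign the request with the CA. Modern curl/OpenSSL ignore the CN and
    # match the host against subjectAltName, so the IP goes in via -extfile.
    printf 'subjectAltName = IP:127.0.0.1\n' > "$DIR/server-ext.cnf"
    openssl x509 -req -in "$DIR/server-req.pem" -days 365 \
        -CA "$DIR/ca-cert.pem" -CAkey "$DIR/ca-key.pem" -set_serial 01 \
        -extfile "$DIR/server-ext.cnf" -out "$DIR/server-cert.pem" 2>/dev/null
    # Only the user running searchd should be able to read the private keys.
    chmod 600 "$DIR/ca-key.pem" "$DIR/server-key.pem"
}

# Returns 0 when the certificate in $2 chains to the trust anchor in $1,
# non-zero otherwise (for instance when the server cert is passed as the "CA",
# which is the mistake the curl example further down reproduces).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run it as `make_manticore_certs /var/lib/manticore/data` and point ssl_ca, ssl_cert and ssl_key at the resulting files.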
Connecting to Manticore Search over https
Make sure your Manticore Search configuration contains the required options:
root@https-5f6dbcf77c-45t2m:/# cat /var/lib/manticore/data/manticore.conf|egrep "ssl|https"
listen = 9309:https
ssl_ca = /var/lib/manticore/data/ca-cert.pem
ssl_cert = /var/lib/manticore/data/server-cert.pem
ssl_key = /var/lib/manticore/data/server-key.pem
Run the Manticore Search daemon:
root@https-5f6dbcf77c-45t2m:/# searchd -c /var/lib/manticore/data/manticore.conf
Manticore 3.1.2 47b6bc2c@190822 release
Copyright (c) 2001-2016, Andrew Aksyonoff
Copyright (c) 2008-2016, Sphinx Technologies Inc (http://sphinxsearch.com)
Copyright (c) 2017-2019, Manticore Software LTD (http://manticoresearch.com)
using config file '/var/lib/manticore/data/manticore.conf' (415 chars)...
listening on all interfaces, port=9309
listening on all interfaces, port=9308
precaching index 'rt'
precached 1 indexes in 0.004 sec
Verify that the secure connection works (you should see a JSON response):
root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/ca-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')";
{"took":4,"timed_out":false,"hits":{"total":0,"hits":[]}}
Because we use a self-signed certificate, the CA certificate must be provided. If you don't specify the correct CA certificate the connection fails; for example, let's try using the server certificate instead of the CA certificate:
root@https-5f6dbcf77c-45t2m:/# curl --cacert /var/lib/manticore/data/server-cert.pem "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')";
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
You can also skip this step entirely with curl's -k option:
root@https-5f6dbcf77c-45t2m:/# curl -k "https://127.0.0.1:9309/sql" -d "query=select * from rt where match('abc')"; echo
{"took":0,"timed_out":false,"hits":{"total":0,"hits":[]}}
This is less secure, since curl no longer checks who it is talking to, but it can make sense in some situations.
That's it. Not hard at all.
