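User Guide for Changing the HTTPS Protocol
Updated: 2023-10-30
Overview
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel that protects data security by adding Transport Layer Security (TLS) on top of the HTTP protocol to secure data in transit. This document describes how to use the HTTPS protocol.
Prerequisites
- Create a Baidu Cloud Elasticsearch (BES) cluster. For details, see Create a Cluster.
- Change the client code that accesses the Baidu Cloud Elasticsearch (BES) cluster. Without this change, client programs will be unable to access the cluster.
Taking the official Elasticsearch Rest Client access method as an example: after HTTPS is enabled, change the http parameter in HttpHost to https, or add the https parameter, for example new HttpHost("192.168.0.248", 8200, "https"), and configure an SSL context that is used to construct the client. Sample code is shown below.
Sample code before HTTPS is enabled: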
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.elasticsearch.client.Request;
import org.elasticsearch.client.Response;
import org.elasticsearch.client.RestClient;

public class EsRestClient {
    public static void main(String[] args) throws Exception {
        // Basic-auth credentials for the cluster.
        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY,
                new UsernamePasswordCredentials("username", "password"));

        // Plain HTTP connection to the cluster endpoint.
        RestClient client = RestClient.builder(
                new HttpHost("hostname", 8200, "http"))
                .setRequestConfigCallback(requestConfigBuilder -> requestConfigBuilder
                        .setSocketTimeout(30000))
                .setHttpClientConfigCallback(httpClientBuilder ->
                        httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider))
                .build();

        Request request = new Request("GET", "/");
        Response response = client.performRequest(request);

        // Release the client's connections and I/O threads.
        client.close();
    }
}
Sample code after HTTPS is enabled:
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.elasticsearch.client.Request;
import org.elasticsearch.client.Response;
import org.elasticsearch.client.RestClient;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

public class EsRestClient {
    public static void main(String[] args) throws Exception {
        // SSL context whose trust manager accepts any certificate chain without validation:
        // the connection is encrypted, but the server's identity is not authenticated.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[]{new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {}

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {}

            @Override
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }}, null);

        // Basic-auth credentials for the cluster.
        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY,
                new UsernamePasswordCredentials("username", "password"));

        // HTTPS connection; NoopHostnameVerifier turns off the check of the
        // certificate name against the host being connected to.
        RestClient client = RestClient.builder(
                new HttpHost("hostname", 8200, "https"))
                .setRequestConfigCallback(requestConfigBuilder -> requestConfigBuilder
                        .setSocketTimeout(30000))
                .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                        .setSSLContext(sslContext)
                        .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                        .setDefaultCredentialsProvider(credentialsProvider))
                .build();

        Request request = new Request("GET", "/");
        Response response = client.performRequest(request);

        // Release the client's connections and I/O threads.
        client.close();
    }
}
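The sample above accepts any server certificate and skips hostname verification. The following added example (not part of the original BES documentation) builds the client so that the server certificate is validated against a specific CA and the hostname is checked. It assumes the cluster's certificate is issued by a CA whose PEM certificate you can obtain and that the certificate matches the host you connect to; the file path /path/to/cluster-ca.pem and the class name EsRestClientVerified are hypothetical.

```java
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.Request;
import org.elasticsearch.client.Response;
import org.elasticsearch.client.RestClient;

import javax.net.ssl.SSLContext;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

public class EsRestClientVerified {
    public static void main(String[] args) throws Exception {
        // Assumption: PEM file with the CA certificate that signed the cluster's certificate.
        Certificate ca;
        try (InputStream in = Files.newInputStream(Paths.get("/path/to/cluster-ca.pem"))) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // In-memory trust store that contains only that CA.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("cluster-ca", ca);
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .build();

        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY,
                new UsernamePasswordCredentials("username", "password"));

        // No setSSLHostnameVerifier call: the default verifier checks the certificate against "hostname".
        try (RestClient client = RestClient.builder(new HttpHost("hostname", 8200, "https"))
                .setRequestConfigCallback(b -> b.setSocketTimeout(30000))
                .setHttpClientConfigCallback(b -> b
                        .setSSLContext(sslContext)
                        .setDefaultCredentialsProvider(credentialsProvider))
                .build()) {
            Response response = client.performRequest(new Request("GET", "/"));
            System.out.println(response.getStatusLine());
        }
    }
}
```

With this configuration the handshake fails if the certificate is not issued by the loaded CA or does not match the host name, so a connection by IP address requires a certificate that lists that IP as a subject alternative name.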
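Procedure
- Log in to the Baidu Cloud Elasticsearch (BES) console, select a region, and click the cluster ID/name to enter the target instance.
- In the Connection Information module of the cluster details page, turn on the Use HTTPS Protocol switch.
Note:
- Confirm that the code accessing the BES cluster has been modified; otherwise you will not be able to access the BES cluster with the changed address.
- Before changing the HTTPS protocol, make sure the number of running dedicated master nodes is greater than half of the total number of dedicated master nodes. Otherwise master election will fail and the cluster will not restart successfully. (If there are no dedicated master nodes, make sure the number of running data nodes is greater than half of the total number of data nodes.)
- Enabling or disabling the HTTPS service interrupts service and triggers a full restart of the cluster. To keep your business unaffected, confirm before proceeding.
- After you click OK, the access address in the Connection Information module changes immediately and the page jumps to the Operation History page. Once the progress bar completes, you can access the BES cluster with the new address.
- While the protocol change is in progress, operations such as cluster restart and configuration changes cannot be performed.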