Added certs folder containing helper scripts for creating SSL .key, .crt and truststore.jks files. Changed logstash and kibana configuration to make use of SSL. No longer exposing elasticsearch on localhost. Updated readme.

2016-01-13 09:07:20 +01:00 · 2016-01-13 09:07:20 +01:00 · 03ebac1b33
parent 0ce815ebe8
commit 03ebac1b33
7 changed files with 35 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+domain.crt
+domain.key
+*.jks
--- a/README.md
+++ b/README.md
@ -1,4 +1,15 @@
-# Docker ELK stack
+
+# SSL-ifyed Docker ELK stack
+
+- Added `certs/` folder with helper scripts for creating self-signed certs.
+- Configured docker-compose, logstash and kibana to use SSL.
+- No longer exposing Elasticsearch ports on localhost.
+
+Things to think about
+
+- [Logstash is finicky about IP SAN](https://github.com/elastic/logstash-forwarder#important-tlsssl-certificate-notes).
+
+## Docker ELK stack

 [![Join the chat at https://gitter.im/deviantony/fig-elk](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/deviantony/fig-elk?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)

--- a/certs/create-self-signed-keys.sh
+++ b/certs/create-self-signed-keys.sh
@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+openssl req \
+  -newkey rsa:2048 -nodes -keyout domain.key \
+  -x509 -sha256 -days 365 -out domain.crt
--- a/certs/import-cert-to-truststore.sh
+++ b/certs/import-cert-to-truststore.sh
@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+keytool -import -alias selfsigned -file domain.crt -keystore truststore.jks
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,14 +1,12 @@
 elasticsearch:
  image: elasticsearch:latest
  command: elasticsearch -Des.network.host=0.0.0.0
-  ports:
-    - "9200:9200"
-    - "9300:9300"
 logstash:
  image: logstash:latest
  command: logstash -f /etc/logstash/conf.d/logstash.conf
  volumes:
    - ./logstash/config:/etc/logstash/conf.d
+    - ./certs:/etc/certs
  ports:
    - "5000:5000"
  links:
@ -17,6 +15,7 @@ kibana:
  build: kibana/
  volumes:
    - ./kibana/config/kibana.yml:/opt/kibana/config/kibana.yml
+    - ./certs:/etc/certs
  ports:
    - "5601:5601"
  links:
--- a/kibana/config/kibana.yml
+++ b/kibana/config/kibana.yml
@ -53,8 +53,8 @@ shard_timeout: 0
 verify_ssl: true

 # SSL for outgoing requests from the Kibana Server (PEM formatted)
-# ssl_key_file: /path/to/your/server.key
-# ssl_cert_file: /path/to/your/server.crt
+ssl_key_file: /etc/certs/domain.key
+ssl_cert_file: /etc/certs/domain.crt

 # Set the path to where you would like the process id file to be created.
 # pid_file: /var/run/kibana.pid
--- a/logstash/config/logstash.conf
+++ b/logstash/config/logstash.conf
@ -1,11 +1,18 @@
 input {
 	tcp {
 		port => 5000
+		codec => json_lines
+		ssl_key => "/etc/certs/domain.key"
+		ssl_cert => "/etc/certs/domain.crt"
+		ssl_enable => true
+
+		# FIXME turn certificate validation
+		# if client certificate does not have a correct IP SAN value
+		# source: https://github.com/elastic/logstash-forwarder#important-tlsssl-certificate-notes
+		ssl_verify => false 
 	}
 }

-## Add your filters here
-
 output {
 	elasticsearch {
 		hosts => "elasticsearch:9200"