
The public azure-diagnostics-tools repository includes what appears to be a fantastic option for anyone who wants to quickly set up a scalable and highly available ElasticSearch+Logstash+Kibana log analytics system via its ES-MultiNode Service Fabric deployment example.

The only aspect missing from that template is the HTTPS configuration necessary to actually authenticate connections to the Kibana system and probably to expose secure endpoints to send events into storage (although that could happen other ways too e.g. reading out of a blob on an interval - I am primarily concerned at this moment with securing how users connect to the Kibana system and making sure there are no other open ways inbound into the cluster from the external network).

From my preliminary reading, it seems like what I want to do is set up the TLS in the nginx proxy configuration for the ES cluster node, but this is my first time using this combination of tools and I am not sure what else I might need to know. Has somebody done this? I expect it will be something akin to the steps here for getting the certificates to the VMs but probably involves other steps to configure these particular services.

user483679
  • You should configure the most current TLS version (TLS 1.3?), not SSL, which is an outdated version. The people who implemented the SSL standard have implemented TLS and as of TLS 1.2 no longer recommend supporting backwards compatibility with SSL. Though that is what a highly technical standard suggests, the vast majority still use it, which means any practical implementation of browsers needs to still support it, making the browser technically in violation of TLS. Your continued use of SSL perpetuates this problem. Disregard if you simply mean the latest version of TLS. – marshal craft Jan 13 '17 at 19:10
  • From the server side it is perfectly practical as well to deny SSL connections, as common web browsers such as Chrome fully support TLS version 1.2 at least. – marshal craft Jan 13 '17 at 19:12
  • Thank you re: SSL vs TLS. I did use it informally to mean TLS, but I'll update the comment because I don't want to be part of the problem! – user483679 Jan 13 '17 at 19:14
  • No need, it's just legacy terminology, not really a real issue. I read nginx uses TLS 1.1-1.2 by default. My fault for not being familiar with server implementations; nginx calls it ssl too. – marshal craft Jan 13 '17 at 19:19
  • If you want native SSL/TLS support for Elasticsearch, maybe this is an option: https://github.com/floragunncom/search-guard-ssl – Search Guard Jan 17 '17 at 16:48
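
For the nginx approach raised in the question and the TLS-only point in the comments, here is an added example of a TLS-terminating proxy in front of Kibana. It is not part of the original post and is not taken from the ES-MultiNode template. The hostname, certificate paths and htpasswd file are placeholders, and it assumes Kibana listens only on loopback at its default port 5601.

```nginx
# Added example; hostname, file paths and the htpasswd file are placeholders.

# Plain HTTP only redirects, so nothing reaches Kibana unencrypted.
server {
    listen 80;
    server_name kibana.example.com;                   # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name kibana.example.com;                   # placeholder hostname

    # Certificate and key delivered to the VM (placeholder paths).
    ssl_certificate     /etc/nginx/tls/kibana.crt;
    ssl_certificate_key /etc/nginx/tls/kibana.key;

    # Refuse SSLv3, TLS 1.0 and TLS 1.1.
    # TLSv1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1+;
    # on older builds keep only TLSv1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:TLS:10m;
    ssl_session_timeout 10m;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Every request must authenticate before it is proxied.
    auth_basic           "Kibana";
    auth_basic_user_file /etc/nginx/kibana.htpasswd;  # placeholder path

    location / {
        # Assumption: Kibana is bound to loopback on its default port.
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the file with `nginx -t` before reloading. The proxy only closes the external path if Kibana's `server.host` is bound to loopback and the cluster's inbound rules expose nothing but port 443.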

0 Answers