I started elasticsearch 8.0 with docker. Because this version of es uses https requests, curl tests have to include the self-signed certificate
curl --cacert http_ca.crt -u elastic:elastic123 https://127.0.0.1:9200
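I want to expose some of the endpoints to the public internet, so I put an nginx reverse proxy in front. The nginx domain already uses a certificate issued via acme. Earlier I was still wondering how to configure the certificate for the nginx location /es/ part, and roughly followed this document: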
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
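But in fact, after setting up the reverse proxy, requests to the https://reverse.com/es/ domain work even without configuring elasticsearch's self-signed certificate under location /es/ {}. How does this work?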
location /es/ {
    proxy_pass https://127.0.0.1:9200/;
    include proxy.conf;
}
A local request without the certificate fails
curl -u elastic:elastic123 https://127.0.0.1:9200
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
A request to the reverse-proxied domain works directly
curl -u elastic:elastic123 https://reverse.com/es/
{
"name" : "xx",
"cluster_name" : "docker-cluster",
"cluster_uuid" : "xx",
"version" : {
"number" : "8.2.3",
"build_flavor" : "default",
"build_type" : "docker",
"build_hash" : "xx",
"build_date" : "xx",
"build_snapshot" : false,
"lucene_version" : "9.1.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
1
LinePro 2022-06-29 19:06:47 +08:00
https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify
Because the default value of proxy_ssl_verify is off
2
olofbrother OP @LinePro That's the correct answer, got it, thanks
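To illustrate the answer above, here is an added example (not part of the original thread) of the same location block with upstream certificate verification turned on, so that nginx checks the Elasticsearch certificate the way curl --cacert does. The certificate path and the proxy_ssl_name value are assumptions and must be adapted to the actual deployment.

```nginx
location /es/ {
    proxy_pass https://127.0.0.1:9200/;
    include proxy.conf;

    # Default is "off": the hop to the upstream is encrypted, but nginx
    # accepts whatever certificate the upstream presents, which is why the
    # self-signed chain never caused an error through the proxy.
    proxy_ssl_verify on;

    # CA used to validate the upstream certificate: the same http_ca.crt
    # that was passed to curl with --cacert.
    # Hypothetical path; copy the file out of the Elasticsearch container.
    proxy_ssl_trusted_certificate /etc/nginx/certs/http_ca.crt;

    # Name nginx expects to find in the upstream certificate.
    # Assumption: the Elasticsearch HTTP certificate lists "localhost" in
    # its subjectAltName; inspect it with
    #   openssl x509 -in <http certificate> -noout -text
    # and use a DNS name that actually appears there.
    proxy_ssl_name localhost;
}
```

With verification on, a certificate that does not chain to http_ca.crt or does not match proxy_ssl_name makes nginx return 502 and log an upstream SSL certificate verify error, instead of proxying silently.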