elasticsearch-secure/install.sh

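#!/usr/bin/env bash
#
# install.sh — stand up a single-node Elasticsearch 5.x behind an nginx TLS
# reverse proxy on an EL7-style host (yum, systemd, firewalld, SELinux).
#
# Resulting layout:
#   * Elasticsearch bound to 127.0.0.1:9200 only — never reachable directly.
#   * nginx on ${PUBLIC_IP}:443 terminating TLS with a self-signed certificate
#     and forwarding to the upstream. Requests to /_search, /_count and
#     read-only (GET/HEAD) requests elsewhere need no credentials; every other
#     request (writes, deletes, cluster/_cat endpoints, ...) requires HTTP
#     basic auth.
#   * firewalld with only the https service open on the public interface.
#
# Usage (as root):
#   ES_PROXY_PASSWORD='...' [ES_PROXY_USER=dbetz] [PUBLIC_IFACE=eth0] \
#     [PUBLIC_IP=a.b.c.d] [CERT_DAYS=365] ./install.sh
#
# Environment:
#   ES_PROXY_PASSWORD  required — basic-auth password for the proxy user. It is
#                      taken from the environment and handed to htpasswd on
#                      stdin so it never appears in argv, `ps` or shell history.
#   ES_PROXY_USER      basic-auth user name (default: dbetz).
#   PUBLIC_IFACE       interface placed in firewalld's public zone (default: eth0).
#   PUBLIC_IP          address nginx listens on; auto-detected when unset.
#   CERT_DAYS          validity of the self-signed certificate in days (default: 365).
#
# The script is re-runnable: SELinux/fcontext additions fall back to "modify"
# when the entry already exists, and nginx's default.conf is only moved if
# present.

set -euo pipefail

die() { printf 'install.sh: %s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must be run as root"
: "${ES_PROXY_PASSWORD:?set ES_PROXY_PASSWORD (basic-auth password for the proxy user)}"
readonly ES_PROXY_USER=${ES_PROXY_USER:-dbetz}
readonly PUBLIC_IFACE=${PUBLIC_IFACE:-eth0}
readonly CERT_DAYS=${CERT_DAYS:-365}
readonly HTPASSWD_FILE=/srv/elastic-password

# --- Public address ----------------------------------------------------------
# First address of the first interface in state UP. Hosts with several
# interfaces should pass PUBLIC_IP explicitly instead of relying on this.
if [[ -z "${PUBLIC_IP:-}" ]]; then
  PUBLIC_IP=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') || true
fi
[[ -n "${PUBLIC_IP}" ]] || die "could not determine PUBLIC_IP; set it explicitly"
export PUBLIC_IP

# --- SELinux -----------------------------------------------------------------
# semanage is shipped in policycoreutils-python on EL7 and is not guaranteed
# to be installed on a minimal image.
command -v semanage >/dev/null 2>&1 || yum install -y policycoreutils-python
# Allow nginx (httpd_t) to open outbound connections to the local Elasticsearch
# port, and label 9200 as an http port. `-a` fails if the port is already
# defined, so fall back to `-m` to keep re-runs working.
setsebool -P httpd_can_network_connect 1
semanage port -a -t http_port_t -p tcp 9200 \
  || semanage port -m -t http_port_t -p tcp 9200

# --- Firewall ----------------------------------------------------------------
yum install -y firewalld
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --permanent --zone=public --add-interface="${PUBLIC_IFACE}"
# nginx below listens on 443 only; port 80 is not served, so only https is
# opened. Add the http service here if the :80 listen is ever re-enabled.
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

# --- Java + Elasticsearch ----------------------------------------------------
yum install -y java-1.8.0-openjdk.x86_64

# Import the signing key first so gpgcheck=1 below can verify the packages.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

cat > /etc/yum.repos.d/elasticsearch.repo <<'EOF'
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

yum install -y elasticsearch

# Bind to loopback only: all external access goes through the nginx proxy.
# This replaces the packaged elasticsearch.yml, which is where the RPM sets
# path.data/path.logs, so those are restated here to keep the RPM's default
# (elasticsearch-owned) directories in use.
cat > /etc/elasticsearch/elasticsearch.yml <<'EOF'
cluster.name: my-search-cluster
node.name: search01
network.host: 127.0.0.1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
EOF

systemctl start elasticsearch
systemctl enable elasticsearch

# --- TLS material for the proxy ----------------------------------------------
yum install -y httpd-tools

# Self-signed certificate. Subject, key size, digest and validity are given
# explicitly rather than answering the interactive prompts with blank lines
# (which also left the certificate with openssl's short default lifetime).
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "${CERT_DAYS}" \
  -subj "/CN=${PUBLIC_IP}" -keyout /srv/es.key -out /srv/es.crt
# Only the nginx master (root) needs the private key.
chmod 600 /srv/es.key

# Pre-generated DH group so the install does not spend minutes on
# `openssl dhparam`. It is shared by every host set up with this script;
# regenerate with `openssl dhparam -out /srv/dhparam.pem 2048` if per-host
# parameters are wanted.
cat > /srv/dhparam.pem <<'EOF'
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAiUOr3waTs41R0De+e7aqfWUexnfdyXxbntDgkwKvVlDLRVzuM/P/
TRppta7SNj+whJXTKeLgitNFfnRChuvlj0/I7ROCxNSPwi6nKtAYd+PJWI1kqsSB
yjisRJIJbihnSxy1Hy81Q51VUdy9AYSsN1SnJuWixiONjEAQPB+0Sf8HmoL42RZn
gMaPCJOBd/VWkElDZ+RQ0WLfz0K7cuv6KqEIWFoLkCkCofBvdqofFJ4YeNQehgbj
4I1N3ldeM9L8fVYY1lhdCtPiJJrmItx35sJKrNs/Hv1Ow0xmnAnVaAYpyBHkamDj
bVPcG+tO5ibhw/kY5g/jUvSFATg9qvTBKwIBAg==
-----END DH PARAMETERS-----
EOF

# --- nginx -------------------------------------------------------------------
# Packages are verified against the nginx signing key; the original repo file
# had gpgcheck=0 over plain http, which left the install open to substitution.
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF

yum install -y nginx

# Basic-auth credentials. The password is fed on stdin (-i) instead of -b so
# it is not visible in the process list. nginx workers run as the nginx user
# and read this file per request, hence root:nginx 0640.
printf '%s\n' "${ES_PROXY_PASSWORD}" | htpasswd -c -i "${HTPASSWD_FILE}" "${ES_PROXY_USER}"
chown root:nginx "${HTPASSWD_FILE}"
chmod 640 "${HTPASSWD_FILE}"

# Label everything under /srv so nginx (httpd_t) may read it; done after all
# files are created so restorecon covers them.
semanage fcontext -a -t httpd_sys_content_t "/srv(/.*)?" \
  || semanage fcontext -m -t httpd_sys_content_t "/srv(/.*)?"
restorecon -R /srv

if [[ -f /etc/nginx/conf.d/default.conf ]]; then
  mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.disabled
fi

# Unquoted delimiter on purpose: ${PUBLIC_IP} must expand. The config contains
# no other `$` tokens, so nothing else is touched by the shell.
cat > /etc/nginx/conf.d/elasticsearch.conf <<EOF
upstream elastic {
  server 127.0.0.1:9200;
}

server {
  #listen ${PUBLIC_IP}:80;
  # uncomment the line above to switch to plain http (and comment the ssl listen)
  listen ${PUBLIC_IP}:443 ssl http2;

  #server_name azurelab.domain.net;

  # "ssl on;" is intentionally absent: it is deprecated in favour of the
  # listen parameter and is rejected by current mainline releases.
  ssl_certificate     /srv/es.crt;
  ssl_certificate_key /srv/es.key;
  ssl_dhparam         /srv/dhparam.pem;

  # TLS 1.0/1.1 and the 3DES/CAMELLIA/plain-RSA suites from the original list
  # are dropped; add TLSv1.3 once the host's nginx/OpenSSL support it.
  ssl_protocols TLSv1.2;
  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK';
  ssl_prefer_server_ciphers on;
  add_header Strict-Transport-Security max-age=15552000;

  # Regex locations are matched in order, so /_count and /_search win over
  # the /_ block below and are served WITHOUT credentials. Narrow or remove
  # these two blocks if the index contents are not meant to be public.
  location ~ /_count {
    proxy_pass http://elastic;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
  }

  location ~ /_search {
    proxy_pass http://elastic;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
  }

  # Every other API path (/_bulk, /_cluster, /_cat, ...): only OPTIONS
  # (CORS preflight) is allowed anonymously.
  location ~ /_ {
    limit_except OPTIONS {
      auth_basic "Restricted Access";
      auth_basic_user_file ${HTPASSWD_FILE};
    }

    proxy_pass http://elastic;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
  }

  # Documents and indices: anonymous reads, authenticated writes/deletes.
  location / {
    limit_except GET HEAD {
      auth_basic "Restricted Access";
      auth_basic_user_file ${HTPASSWD_FILE};
    }

    proxy_pass http://elastic;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
  }
}
EOF

# Validate before (re)starting so a bad config surfaces here, not as a
# silently-unserved proxy. restart also picks up the new config on re-runs.
nginx -t
systemctl restart nginx
systemctl enable nginx

# Helper for loading sample data, fetched over TLS only. Nothing beyond the TLS
# connection verifies its contents; review it before running it.
wget --https-only https://linux.azure.david.betz.space/raw/elasticsearch-secure/setup_data_generation.sh \
  -O /root/setup_data_generation.sh
chmod +x /root/setup_data_generation.sh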