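Security

The Elasticsearch-PHP client supports two security features: HTTP authentication and SSL encryption.

HTTP Authentication

If your Elasticsearch server is protected by HTTP authentication, you need to provide the credentials to ES-PHP so that requests can be authenticated server-side. Authentication credentials are provided as part of the host array when instantiating the client: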

use Elasticsearch\ClientBuilder; // ClientBuilder namespace in elasticsearch-php releases up to 7.x

$hosts = [
    'http://user:pass@localhost:9200',       // HTTP Basic Authentication
    'http://user2:pass2@other-host.com:9200' // Different credentials on different host
];

$client = ClientBuilder::create()
                    ->setHosts($hosts)
                    ->build();

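Credentials are provided per host, which allows each host to have its own set of credentials. All requests sent to the cluster will use the appropriate credentials, depending on the node being talked to.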

Translated by purple_ling, 6 days ago

SSL Encryption

Configuring SSL is a little more complex. You need to identify if your certificate has been signed by a public Certificate Authority (CA), or if it is a self-signed certificate.

Note on libcurl versions: if you believe the client is configured to use SSL correctly but it simply is not working, check your libcurl version. On certain platforms, various features may or may not be available depending on the version number of libcurl. For example, the --cacert option was not added to the OSX version of libcurl until version 7.37.1. The --cacert option is equivalent to PHP's CURLOPT_CAINFO constant, meaning that custom certificate paths will not work on lower versions.
If you are encountering problems, update your libcurl version and/or check the curl changelog.

Public CA Certificates

If your certificate has been signed by a public Certificate Authority and your server has up-to-date root certificates, you only need to use https in the host path. The client will automatically verify SSL certificates:

$hosts = [
    'https://localhost:9200' // Note that https is used, not http
];

$client = ClientBuilder::create()
                    ->setHosts($hosts)
                    ->build();

If your server has outdated root certificates, you may need to use a certificate bundle. For PHP clients, the best way is to use composer/ca-bundle. Once installed, you need to tell the client to use your certificates instead of the system-wide bundle. To do this, specify the path to verify:

$hosts = ['https://localhost:9200'];
$caBundle = \Composer\CaBundle\CaBundle::getBundledCaBundlePath();

$client = ClientBuilder::create()
                    ->setHosts($hosts)
                    ->setSSLVerification($caBundle)
                    ->build();

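Self-signed Certificates

Self-signed certificates are certificates that have not been signed by a public CA. They are signed by your own organization. Self-signed certificates can be used for internal purposes, provided you can keep your root certificate secure. They should not be used when exposed to the public, because that makes man-in-the-middle attacks easy.

If you are using a self-signed certificate, you need to provide the certificate to the client. This uses the same syntax as specifying a new root bundle, but you point to your own certificate instead: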

$hosts = ['https://localhost:9200'];
$myCert = 'path/to/cacert.pem';

$client = ClientBuilder::create()
                    ->setHosts($hosts)
                    ->setSSLVerification($myCert)
                    ->build();

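Using Authentication with SSL

It is possible to use both HTTP authentication and SSL. Specify https in the URI, and configure the SSL settings and credentials as required. For example, the following snippet uses Basic HTTP authentication and a self-signed certificate: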

$hosts = ['https://user:pass@localhost:9200'];
$myCert = 'path/to/cacert.pem';

$client = ClientBuilder::create()
                    ->setHosts($hosts)
                    ->setSSLVerification($myCert)
                    ->build();
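
A start-up check for the configuration above, as an added example that is not part of the Elasticsearch-PHP documentation: it refuses host URIs that carry Basic credentials over plain http (they would cross the network unencrypted), masks passwords before the host list is logged, and fails early if the CA file is missing. The helper names checkHosts and requireCaFile are hypothetical, the hosts and certificate path are the sample values from this page, and the Composer autoloader and the Elasticsearch\ClientBuilder namespace (client releases up to 7.x) are assumptions.

```php
<?php
// Added example, not part of the Elasticsearch-PHP documentation.
// Hosts, credentials and the CA path are the page's sample values.
require 'vendor/autoload.php'; // assumes a Composer install

use Elasticsearch\ClientBuilder; // namespace in client releases up to 7.x

/**
 * Reject host URIs that would send Basic credentials over plain http,
 * and return copies with the password masked for safe logging.
 */
function checkHosts(array $hosts): array
{
    $redacted = [];
    foreach ($hosts as $uri) {
        $p = parse_url($uri);
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            // The URI is not echoed back: it may contain a password.
            throw new InvalidArgumentException('Malformed host URI');
        }
        $hasCreds = isset($p['user']) || isset($p['pass']);
        if ($hasCreds && $p['scheme'] !== 'https') {
            // Basic auth is only base64-encoded; over http it is readable on the wire.
            throw new InvalidArgumentException("Credentials over {$p['scheme']} for host {$p['host']}");
        }
        $auth = $hasCreds ? ($p['user'] ?? '') . ':***@' : '';
        $port = isset($p['port']) ? ':' . $p['port'] : '';
        $redacted[] = "{$p['scheme']}://{$auth}{$p['host']}{$port}";
    }
    return $redacted;
}

/** Fail at start-up, not on the first request, when the CA file is missing. */
function requireCaFile(string $path): string
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("CA certificate file not readable: $path");
    }
    return $path;
}

$hosts  = ['https://user:pass@localhost:9200', 'https://user2:pass2@other-host.com:9200'];
$myCert = 'path/to/cacert.pem';

error_log('Elasticsearch hosts: ' . implode(', ', checkHosts($hosts)));

$client = ClientBuilder::create()
    ->setHosts($hosts)
    ->setSSLVerification(requireCaFile($myCert))
    ->build();
```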

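This article was first published in the Laravel China community.
All translations in this article are for learning and exchange purposes only. When reposting, be sure to credit the translator, the source, and the link to this article.
Our translation work follows the CC license. If our work infringes on your rights, please contact us promptly.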
