Hi
I'm focusing on setting up nginx for Elasticsearch in my environment:
- what I have a problem with is the correct configuration for connecting NGINX to my nodes over TLS.
Below you can find my configuration; maybe you can point out what's wrong
in this part. I'm also using a crt and key per node, so I need to
break it down into groups/locations.
Do you have some example configs with TLS?
# Fragment of the proxy location (its closing "}" is not part of this paste);
# the same block appears in full in nginx.conf below.
location /upstream {
proxy_pass https://elasticsearch_servers;
# Client certificate/key nginx presents to the Elasticsearch nodes (mutual TLS).
proxy_ssl_certificate /etc/ssl/certs/coordination_1.crt;
proxy_ssl_certificate_key /etc/ssl/certs/coordination_1.key;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 (plus TLSv1.3) is enough.
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
# CA used to validate the node certificate; only consulted when proxy_ssl_verify is on.
proxy_ssl_trusted_certificate /etc/ssl/certs/ca.crt;
nginx.conf
events {
    worker_connections 4096;  # raised from nginx's default of 1024
}
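http {
    #...

    # Backend pool. Every node is reached over TLS (proxy_pass below) and, per
    # the compose file, presents its own certificate (coordination_1/2/3).
    upstream elasticsearch_servers {
        zone elasticsearch_servers 64K;
        server 10.242.130.225:9201;
        server 10.242.130.226:9238;
        server 10.242.130.227:9219;
    }

    # Front-end listener for clients. It is plain HTTP ("ssl" is not on the
    # listen line), and every request it accepts is forwarded to the cluster
    # with the coordination_1 client certificate below — i.e. any client that
    # can reach port 9200 inherits that identity. If this port is reachable by
    # anything other than trusted hosts, terminate TLS here and verify clients.
    server {
        listen 9200;
        server_name 10.242.130.225;
        #...

        # proxy_pass has no URI part, so the request URI is forwarded unchanged:
        # Elasticsearch receives "/upstream/..." which is not an API path. If the
        # whole API is meant to be proxied, "location /" is probably intended.
        location /upstream {
            proxy_pass https://elasticsearch_servers;

            # Certificate/key nginx presents to the nodes (mutual TLS).
            proxy_ssl_certificate     /etc/ssl/certs/coordination_1.crt;
            proxy_ssl_certificate_key /etc/ssl/certs/coordination_1.key;

            # TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer only 1.2/1.3.
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_ciphers HIGH:!aNULL:!MD5;

            # Validate the node certificate against the CA. nginx also checks the
            # certificate's name against proxy_ssl_name, which defaults to the
            # host part of proxy_pass — here the literal upstream group name
            # "elasticsearch_servers". Unless every node certificate carries that
            # name as a SAN, the handshake is rejected ("upstream SSL certificate
            # does not match"). Either set
            #   proxy_ssl_name <name-present-in-all-node-certs>;   # placeholder
            # or split into one location per node, each with its own proxy_pass
            # and proxy_ssl_name matching that node's certificate.
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca.crt;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_session_reuse on;
        }
    }

    # The three TLS servers below listen on the same ports the upstream pool
    # uses on the node IPs and proxy to https://10.242.130.225 without a port
    # (i.e. 443), which nothing in this file serves; together with
    # "location /yourapp" they look like unfinished template blocks — confirm
    # what they are meant to reach. While they exist, a client certificate is
    # only *requested* ("optional"); the result must be checked explicitly or
    # unauthenticated clients are proxied through unchanged.
    server {
        listen 9201 ssl;
        server_name 10.242.130.225;
        ssl_certificate     /etc/ssl/certs/coordination_1.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_1.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;
        location /yourapp {
            # Reject requests whose client certificate was missing or failed
            # verification; "optional" on its own rejects nothing.
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            proxy_pass https://10.242.130.225;
            #...
        }
    }

    server {
        listen 9238 ssl;
        server_name 10.242.130.226;
        ssl_certificate     /etc/ssl/certs/coordination_2.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_2.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;
        location /yourapp {
            # Reject requests whose client certificate was missing or failed
            # verification; "optional" on its own rejects nothing.
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            proxy_pass https://10.242.130.225;
            #...
        }
    }

    server {
        listen 9219 ssl;
        server_name 10.242.130.227;
        ssl_certificate     /etc/ssl/certs/coordination_3.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_3.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;
        location /yourapp {
            # Reject requests whose client certificate was missing or failed
            # verification; "optional" on its own rejects nothing.
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            proxy_pass https://10.242.130.225;
            #...
        }
    }
}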
and the docker-compose file:
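version: "3.3"
services:
  nginx_load_balancer:
    image: nginx
    volumes:
      # Configuration and certificate material are mounted read-only; the
      # container never needs to write them.
      - /home/elasticsearch/kickstart_elk_cluster/nginx_1.conf:/etc/nginx/nginx.conf:ro
      # NOTE: the private keys land in /etc/ssl/certs, which is normally a
      # world-readable directory. A restricted location (e.g. /etc/ssl/private)
      # is preferable, with the paths in nginx.conf changed to match.
      - /home/elasticsearch/certificates/es_coordination_1/es_coordination_1.crt:/etc/ssl/certs/coordination_1.crt:ro
      - /home/elasticsearch/certificates/es_coordination_1/es_coordination_1.key:/etc/ssl/certs/coordination_1.key:ro
      - /home/elasticsearch/certificates/es_coordination_2/es_coordination_2.crt:/etc/ssl/certs/coordination_2.crt:ro
      - /home/elasticsearch/certificates/es_coordination_2/es_coordination_2.key:/etc/ssl/certs/coordination_2.key:ro
      - /home/elasticsearch/certificates/es_coordination_3/es_coordination_3.crt:/etc/ssl/certs/coordination_3.crt:ro
      - /home/elasticsearch/certificates/es_coordination_3/es_coordination_3.key:/etc/ssl/certs/coordination_3.key:ro
      - /home/elasticsearch/certificates/ca/ca.crt:/etc/ssl/certs/ca.crt:ro
    ports:
      # The mounted nginx.conf replaces the image default and its front-end
      # server listens on 9200, not 80, so the container side must be 9200 —
      # with "9200:80" nothing answers on the host port.
      - "9200:9200"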