Elasticsearch NEST HttpClientHandler certificate

Time: 2017-03-30 18:07:21

Tags: ssl elasticsearch .net-core nest

I'm trying to use Elasticsearch NEST with .NET Core and our Elasticsearch instance. We connect over SSL, and it has a wildcard certificate that we need to accept programmatically. I'm trying to figure out how to hook an HttpClientHandler into NEST so that it accepts it. There doesn't seem to be good documentation on how to do this following their instructions at https://www.elastic.co/guide/en/elasticsearch/client/net-api/current/connecting.html#configuring-ssl.

I'm looking for an example if possible. Thanks in advance!

2 answers:

Answer 0 (score: 0)

I figured it out. I needed to create an HttpConnection and override the CreateHttpClientHandler method. Here is an example that returns true regardless of what the certificate is.

using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Elasticsearch.Net;

public class ConnectionWithCert : HttpConnection
{
    protected override HttpClientHandler CreateHttpClientHandler(RequestData requestData)
    {
        // Start from the handler NEST would normally use and only swap in the certificate callback
        var handler = base.CreateHttpClientHandler(requestData);
        handler.ServerCertificateCustomValidationCallback = ValidateCertificate;
        return handler;
    }

    private bool ValidateCertificate(HttpRequestMessage message, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors)
    {
        // Accepts every server certificate, whatever the policy errors are
        return true;
    }
}

One would want to inspect the certificate to make sure it is the one they expect.

Then I added this connection to the ConnectionSettings:

var connectionSettings = new ConnectionSettings(connectionPool, new ConnectionWithCert());

You might want to do some dependency injection, but I thought I'd share the solution in case anyone else is wondering what they need to do.
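As an added example (not the answer's own code), the same override written so that it does not accept every certificate: certificates the platform already trusts pass as usual, and when the platform reports an error, only the certificate whose thumbprint matches a pinned value is accepted. The thumbprint constant is a placeholder to be replaced with the thumbprint of your own wildcard certificate; the class and method names are mine.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Elasticsearch.Net;
using Nest;

// Added example: pin the expected server certificate instead of returning true for any certificate.
public class PinnedCertConnection : HttpConnection
{
    // Placeholder: replace with the SHA-1 thumbprint (as shown by X509Certificate2.Thumbprint) of your certificate.
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    protected override HttpClientHandler CreateHttpClientHandler(RequestData requestData)
    {
        var handler = base.CreateHttpClientHandler(requestData);
        handler.ServerCertificateCustomValidationCallback = ValidateCertificate;
        return handler;
    }

    private static bool ValidateCertificate(HttpRequestMessage message, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that already passes normal chain and host-name validation needs no special handling.
        if (errors == SslPolicyErrors.None)
        {
            return true;
        }

        // No certificate was presented: there is nothing to pin against, so reject.
        if (certificate == null)
        {
            return false;
        }

        // Otherwise accept only the exact certificate we pinned, whatever the reported policy error
        // (an untrusted chain or a name mismatch against the wildcard). Thumbprints are fixed-length hex.
        return string.Equals(certificate.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Convenience factory showing how the connection is plugged into ConnectionSettings.
    public static ConnectionSettings CreateSettings(Uri node)
    {
        var pool = new SingleNodeConnectionPool(node);
        return new ConnectionSettings(pool, new PinnedCertConnection());
    }
}
```

When the pinned certificate is rotated, the constant has to be updated as well, so a value read from configuration is a practical alternative to the hard-coded placeholder.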

Answer 1 (score: 0)

This had me wondering for a bit, so I thought I'd post it here. We use a reverse proxy and authenticate with a cert: requests go to the 443 SSL port (load balanced in Azure across three client nodes), which then forwards them to the local client node to spread out to the data nodes. The certificate is self-signed and sits in the local store (Current User > Personal) on the server hosting our API. The thumbprint is in our web.config.

using System;
using System.Configuration;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Elasticsearch.Net;

public class ConnectionWithCert : HttpConnection
{
    protected override HttpWebRequest CreateHttpWebRequest(RequestData requestData)
    {
        var request = base.CreateHttpWebRequest(requestData);

        // The thumbprint of the client certificate is kept in web.config
        string certThumbprint = ConfigurationManager.AppSettings["ElasticsearchCertificateThumbprint"];
        X509Certificate2 certificate = GetCertificateByThumbprint(certThumbprint);
        if (certificate == null)
        {
            throw new InvalidOperationException("Client certificate with thumbprint " + certThumbprint + " was not found in the CurrentUser\\My store.");
        }

        // Attach the client certificate so the reverse proxy can authenticate the request
        request.ClientCertificates.Add(certificate);
        return request;
    }

    /// <summary>
    /// Get the certificate using the certificate thumbprint
    /// </summary>
    /// <param name="certificateThumbprint">Thumbprint of certificate</param>
    /// <returns>Certificate object, or null if no certificate matches</returns>
    public static X509Certificate2 GetCertificateByThumbprint(string certificateThumbprint)
    {
        if (string.IsNullOrEmpty(certificateThumbprint))
        {
            throw new ArgumentException("Thumbprint must not be empty", nameof(certificateThumbprint));
        }

        // Open the Current User > Personal store read-only
        X509Store certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        certificateStore.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly is false because the certificate is self-signed and would otherwise be filtered out
            var matchingCertificates = certificateStore.Certificates.Find(X509FindType.FindByThumbprint, certificateThumbprint, false);
            if (matchingCertificates.Count == 0)
            {
                // No certificate found
                return null;
            }

            // Return the first matching certificate
            return matchingCertificates[0];
        }
        finally
        {
            certificateStore.Close();
        }
    }
}

With that, I can set it on the connectionSettings in my helper class:

using System;
using Elasticsearch.Net;
using Nest;

public class ElasticSearchHelper
{
    private readonly ElasticClient client;
    private readonly OcvElasticSearchDataProvider dataProvider;
    private readonly int elasticSearchConflictRetryCount;

    public ElasticSearchHelper(string elasticSearchUrl, OcvElasticSearchDataProvider dataProvider, int elasticSearchConflictRetryCount)
    {
        // Parameters
        this.elasticSearchConflictRetryCount = elasticSearchConflictRetryCount;
        this.dataProvider = dataProvider;

        // Create the ElasticSearch client and configure it to use the client certificate connection
        var node = new Uri(elasticSearchUrl);

        var pool = new SingleNodeConnectionPool(node);
        var settings = new ConnectionSettings(pool, new ConnectionWithCert());

        this.client = new ElasticClient(settings);
    }
}

Now every operation performed through my helper has the client certificate attached and is granted access through my reverse proxy.