SSL support: HTTPS interface
Manticore 3.1.2 added support for encrypting the data exchanged between your application (or another client such as curl or a browser) and the Manticore Search daemon. It's important to enable it if you need to protect your data (queries, responses) from interception inside your local network, and especially if you connect to Manticore Search over the internet. Setting it up requires certificates. Below is just an example of how it can be done with self-signed certificates; there are other options, such as purchasing certificates signed by a real CA.
Certificates generation example
To generate the CA key/certificate and the server key/certificate you can do the following:
Generate CA private key:
openssl genrsa 2048 > /var/lib/manticore/data/ca-key.pem
Generate a self-signed CA (root) certificate from the private key (here we specify "CA" as its common name; you can remove -subj completely and fill in all the fields interactively instead):
openssl req -new -x509 -nodes -days 365 -key /var/lib/manticore/data/ca-key.pem -out /var/lib/manticore/data/ca-cert.pem -subj '/CN=CA'
Generate the certificate request and the server private key (we specify "127.0.0.1" as the common name because we will run searchd on 127.0.0.1; you can remove -subj and specify whatever fits your deployment):
openssl req -newkey rsa:2048 -days 365 -nodes -keyout /var/lib/manticore/data/server-key.pem -out /var/lib/manticore/data/server-req.pem -subj '/CN=127.0.0.1'
Generate the server certificate from the request, signing it with the CA key and root certificate:
openssl x509 -req -in /var/lib/manticore/data/server-req.pem -days 365 -CA /var/lib/manticore/data/ca-cert.pem -CAkey /var/lib/manticore/data/ca-key.pem -set_serial 01 -out /var/lib/manticore/data/server-cert.pem
Verify the server certificate with the CA certificate:
openssl verify -CAfile /var/lib/manticore/data/ca-cert.pem /var/lib/manticore/data/server-cert.pem
Connecting to Manticore Search via https
Check on which port the HTTP interface can be used:
cat /var/lib/manticore/data/manticore.conf|egrep "listen"
Starting with 3.5.0 the API and HTTP interfaces can work on the same port.
If a listen port doesn't specify the interface, it can accept secured HTTP connections.
Run the Manticore Search daemon:
searchd -c /var/lib/manticore/data/manticore.conf
Verify that the secure connection works (you should see a JSON response):
curl --cacert /var/lib/manticore/data/ca-cert.pem "https://127.0.0.1:9308/sql" -d "query=select * from rt where match('abc')";
The CA certificate has to be provided because we used a self-signed certificate. If you don't specify the proper CA certificate, the connection will fail; e.g. let's try giving curl our certificate request file instead of the CA certificate:
curl --cacert /var/lib/manticore/data/server-req.pem "https://127.0.0.1:9308/sql" -d "query=select * from rt where match('abc')";
You can also skip certificate verification completely with curl's -k option:
curl -k "https://127.0.0.1:9308/sql" -d "query=select * from rt where match('abc')";
but this is less secure, since curl then no longer checks which server it is talking to; it may still make sense in some cases.
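The certificate generation steps and the verification checks above, collected into one script as an added example (this is not part of the original page or of Manticore itself). It goes slightly beyond the page by adding a subjectAltName for 127.0.0.1, which browsers and current TLS libraries require since they ignore the CN, and it checks both the expected-success and the expected-failure verification case. It assumes openssl is on PATH; the output directory is a parameter rather than /var/lib/manticore/data.

```shell
#!/bin/sh
# Added example, not the page's own commands: generate a CA and a server
# certificate for 127.0.0.1, then verify the chain the same way the page does.

# gen_manticore_certs DIR: writes ca-key/ca-cert/server-key/server-req/server-cert
gen_manticore_certs() {
    dir="$1"
    mkdir -p "$dir"
    # 1. CA private key and self-signed root certificate (CN=CA, as on the page)
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 365 -key "$dir/ca-key.pem" \
        -out "$dir/ca-cert.pem" -subj '/CN=CA' 2>/dev/null
    # 2. Server private key and certificate request (CN=127.0.0.1, as on the page)
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -out "$dir/server-req.pem" -subj '/CN=127.0.0.1' 2>/dev/null
    # 3. Sign the request with the CA. The -extfile adds an IP subjectAltName,
    #    which is what clients actually match against (an addition to the page).
    printf 'subjectAltName=IP:127.0.0.1\n' > "$dir/san.ext"
    openssl x509 -req -in "$dir/server-req.pem" -days 365 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
        -extfile "$dir/san.ext" -out "$dir/server-cert.pem" 2>/dev/null
}

# verify_against CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero otherwise.
# Passing server-req.pem as CAFILE reproduces the failure shown on the page.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_ip_san CERT IP: exit 0 if the certificate carries an iPAddress SAN for IP.
has_ip_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "IP Address:$2"
}

# Usage: gen_manticore_certs /tmp/manticore-tls && verify_against \
#        /tmp/manticore-tls/ca-cert.pem /tmp/manticore-tls/server-cert.pem
```

The resulting ca-cert.pem is what you pass to curl --cacert; the server-key.pem and server-cert.pem are the pair the daemon serves.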
That's it. Not that difficult.