Elastic APM: configuring secure access for the APM service, accessToken mode with TLS/SSL

How to configure accessToken access: official document address

Set a custom string for `apm-server.auth.secret_token` in the apm-server configuration file `apm-server.yaml`, such as:

```yaml
apm-server.auth.secret_token: 123456xxx
```

Then configure the same token in your client Agent. Node.js example (source: Github address):

```js
var apm = require('elastic-apm-node').start({
    // Override service name from package.json
    // Allowed characters: a-z, A-Z, 0-9, -, _, and space
    serviceName: 'zipcode service',

    // Use if APM Server requires a token
    secretToken: '123456xxx',    // note this

    // Set custom APM Server URL (default: http://localhost:8200)
    serverUrl: 'https://localhost:8200',
  })
```

Then restart apm-server, restart the client, and log in to Kibana, where you can see the instance in APM. An agent that is not configured with the secretToken will report an error when it tries to connect.

The process above sets up apm-server without SSL/TLS, which is a security problem: the credentials travel in a plain HTTP request, so apm-server needs to be configured as an HTTPS service. This is the officially recommended practice.

The official SSL/TLS configuration document (document address) is in English and is not detailed. I recommend a more detailed tutorial: address

Most of the operations in this tutorial are correct, but there are also some errors, such as the following code:

```js
var apm = require('elastic-apm-node').start({
    // Override service name from package.json
    // Allowed characters: a-z, A-Z, 0-9, -, _, and space
    serviceName: 'zipcode service',

    // Use if APM Server requires a token
    secretToken: '1234561',

    // Once the CA is configured, the server is already an HTTPS server
    // Set custom APM Server URL (default: http://localhost:8200)
    // serverUrl: 'http://localhost:8200',    // this is wrong
    serverUrl: 'https://localhost:8200',      // this is correct

    verifyServerCert: true,
    serverCaCertFile: "ca.crt"
  })
```

If you don't correct it and just follow the code in the tutorial, the error `APM Server transport error (400): Unexpected APM Server response\nClient sent an HTTP request to an HTTPS server.\n"` is reported, which means that the client sent an HTTP request to the HTTPS server.

In addition, the tutorial says:

Another note: we can use the following command to convert a .crt certificate into a .pem certificate:

```sh
openssl x509 -in mycert.crt -out mycert.pem -outform PEM
```

This has no effect on our configuration and can be skipped; it threw me off when I was reading the tutorial.

PS: one point needs attention. When the certificate is generated in the tutorial, the name passed in is localhost, so the generated certificate files are localhost.crt and localhost.key. This name corresponds to the HTTPS address you finally access ( https://localhost:8200 ); changing it to something else will not work. As for how HTTPS works, I won't go into details here.
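A pre-flight check for the agent options discussed above, as an added example that is not code from the tutorial or from Elastic. `checkAgentConfig` and its `certNames` parameter are hypothetical; `tls.checkServerIdentity` is Node.js's own hostname check, and it shows why the `serverUrl` host has to be the name the certificate was issued for.

```javascript
// Added example (not from the tutorial or Elastic): pre-flight check of agent options.
const tls = require('tls'); // only tls.checkServerIdentity is a real Node.js API here

// checkAgentConfig is a hypothetical helper.
// cfg: the options object given to require('elastic-apm-node').start(...)
// certNames: names the server certificate was issued for (assumed known to the caller)
function checkAgentConfig(cfg, certNames) {
  const findings = [];
  const url = new URL(cfg.serverUrl || 'http://localhost:8200'); // default per the page
  const isHttps = url.protocol === 'https:';

  if (!isHttps && cfg.secretToken) {
    findings.push('secretToken would travel over plain HTTP');
  }
  if (!isHttps && (cfg.verifyServerCert || cfg.serverCaCertFile)) {
    findings.push('TLS options are set but serverUrl is http://');
  }
  if (isHttps && cfg.verifyServerCert === false) {
    findings.push('verifyServerCert is false: the server certificate is not checked');
  }
  if (isHttps) {
    // Same shape as the object returned by tlsSocket.getPeerCertificate().
    const cert = {
      subject: { CN: certNames[0] },
      subjectaltname: certNames.map((n) => `DNS:${n}`).join(', '),
    };
    const err = tls.checkServerIdentity(url.hostname, cert);
    if (err) findings.push(`hostname mismatch: ${err.message}`);
  }
  return findings;
}

// Constructed inputs: the tutorial's options as printed, the corrected ones,
// and the corrected ones addressed by IP instead of the certificate name.
const base = { secretToken: '1234561', verifyServerCert: true, serverCaCertFile: 'ca.crt' };
const asPrinted = { ...base, serverUrl: 'http://localhost:8200' };
const corrected = { ...base, serverUrl: 'https://localhost:8200' };
const byIp = { ...base, serverUrl: 'https://127.0.0.1:8200' };

for (const [name, cfg] of Object.entries({ asPrinted, corrected, byIp })) {
  console.log(name, checkAgentConfig(cfg, ['localhost']));
}
```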

The tutorial was done on a Mac. I worked on Windows under 061a9e39fea3f7, which is Linux, but did not operate under 061a9e39fea3f8.

PS: when the Agent connects to apm-server and something fails, the error messages are very clear. When something goes wrong, the first thing to do is look at the error messages (the Agent has its error messages, and apm-server has its error messages).

I sincerely thank the original tutorial. It is very well written and very detailed, but it contains a small error. The reason for writing a new article is that I really don't like CSDN, so I didn't leave a comment on CSDN and wrote the supplement here instead. If there are any errors, please correct me!


神话