kafka配置公网SSL
2025/11/7大约 8 分钟
kafka配置公网SSL
配置生成
1.生成服务端证书
mkdir ssl && cd ssl
"1. 生成CA证书..."
openssl req -new -x509 -keyout ca-key -out ca-cert -days 36500 \
-subj "/C=cn/ST=beijing/L=beijing/O=test/OU=test/CN=abplicb.top" \
-passout pass:guang123
"2. 生成服务端密钥对..."
keytool -keystore server.keystore.jks -alias kafka-server -validity 36500 -genkey \
-keyalg RSA -dname "CN=abplicb.top,OU=test,O=test,L=beijing,S=beijing,C=cn" \
-ext "SAN=DNS:abplicb.top" -storepass guang123 -keypass guang123
"3. 生成CSR..."
keytool -keystore server.keystore.jks -alias kafka-server -certreq -file server.csr -storepass guang123
"4. 创建SAN扩展文件..."
echo "subjectAltName=DNS:abplicb.top" > san.ext
"5. 签署CSR..."
openssl x509 -req -CA ca-cert -CAkey ca-key -in server.csr -out server.crt \
-days 36500 -CAcreateserial -passin pass:guang123 -extfile san.ext
"6. 导入证书..."
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert -storepass guang123 -noprompt
keytool -keystore server.keystore.jks -alias kafka-server -import -file server.crt -storepass guang123 -noprompt
2.生成客户端证书
1.生成客户端密钥对
#此处CN和SAN的值的作用仅为标识客户端信息,不影响客户端访问的结果
keytool -keystore client.keystore.jks -alias kafka-client -validity 36500 -genkey \
-keyalg RSA -dname "CN=test1-kafka-client,OU=test,O=test,L=beijing,S=beijing,C=cn" \
-ext "SAN=DNS:test1-kafka-client" -storepass guang123 -keypass guang123
2.生成客户端请求文件
keytool -keystore client.keystore.jks -alias kafka-client -certreq -file client.csr -storepass guang123
3.签名客户端证书
openssl x509 -req -CA ca-cert -CAkey ca-key -in client.csr -out client.crt -days 36500 -CAcreateserial -passin pass:guang123
4.导入CA和签名证书
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert -storepass guang123 -noprompt
keytool -keystore client.keystore.jks -alias kafka-client -import -file client.crt -storepass guang123 -noprompt
3.信任库配置
#将 CA 证书(ca-cert)分别导入到两个不同的信任库(truststore)中
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert -storepass guang123 -noprompt
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert -storepass guang123 -noprompt
4.验证证书
echo '8.134.74.20 abplicb.top' >> /etc/hosts #确保域名可以被解析,如果kafka配置中使用了域名,则域名需指向本机地址
openssl x509 -in server.crt -text -noout| grep -A 1 "Subject Alternative Name" #检查证书SAN内容
openssl x509 -in server.crt -text -noout | grep 'Subject:' #检查证书CN内容
keytool -list -v -keystore server.keystore.jks -storepass guang123 # 查看指定密钥库(Keystore)的详细内容,包括证书、私钥和信任链信息。
openssl s_client -debug -connect abplicb.top:9093 -tls1_2 #查看SSL握手信息
#查看详细SSL握手信息#将JKS格式的私钥导出为PKCS12格式的私钥
keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -deststoretype PKCS12 -srcstorepass guang123 -deststorepass guang123
openssl pkcs12 -in client.p12 -nocerts -nodes -passin pass:guang123 #通过OpenSSL查看私钥内容
openssl s_client -connect abplicb.top:9093 \
-servername abplicb.top:9093 \
-cert client.crt \
-key <(openssl pkcs12 -in client.p12 -nocerts -nodes -passin pass:guang123) \
-CAfile ca-cert \
-tls1_2 -state -debugkafka配置server.properties
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This configuration file is intended for use in ZK-based mode, where Apache ZooKeeper is required.
# See kafka.server.KafkaConfig for additional details and defaults
#
############################# Server Basics #############################
# The id of the broker. This must be set to a unique integer for each broker.
broker.id=0
############################# Socket Server Settings #############################
# The address the socket server listens on. If not configured, the host name will be equal to the value of
# java.net.InetAddress.getCanonicalHostName(), with PLAINTEXT listener name, and port 9092.
# FORMAT:
# listeners = listener_name://host_name:port
# EXAMPLE:
# listeners = PLAINTEXT://your.host.name:9092
listeners=INTERNAL://172.16.217.107:9092,EXTERNAL://0.0.0.0:9093
# Listener name, hostname and port the broker will advertise to clients.
# If not set, it uses the value for "listeners".
advertised.listeners=INTERNAL://172.16.217.107:9092,EXTERNAL://abplicb.top:9093
listener.security.protocol.map=INTERNAL:PLAINTEXT,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.keystore.location=/usr/kafka/kafka_2.13-3.6.1/ssl/server.keystore.jks
ssl.keystore.password=guang123
ssl.key.password=guang123
ssl.truststore.location=/usr/kafka/kafka_2.13-3.6.1/ssl/server.truststore.jks
ssl.truststore.password=guang123
# 添加这些SSL配置
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.protocol=TLS
ssl.keystore.type=JKS
ssl.truststore.type=JKS
ssl.endpoint.identification.algorithm=
ssl.client.auth=none
# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
# The number of threads that the server uses for receiving requests from the network and sending responses to the network
num.network.threads=3
# The number of threads that the server uses for processing requests, which may include disk I/O
num.io.threads=8
# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400
# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400
# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600
############################# Log Basics #############################
# A comma separated list of directories under which to store log files
log.dirs=/tmp/kafka-logs
# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=1
# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=1
############################# Internal Topic Settings #############################
# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
# For anything other than development testing, a value greater than 1 is recommended to ensure availability such as 3.
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
############################# Log Flush Policy #############################
# Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
# 1. Durability: Unflushed data may be lost if you are not using replication.
# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.
# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000
# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000
############################# Log Retention Policy #############################
# The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.
# The minimum age of a log file to be eligible for deletion due to age
log.retention.hours=168
# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
#log.retention.bytes=1073741824
# The maximum size of a log segment file. When this size is reached a new log segment will be created.
#log.segment.bytes=1073741824
# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000
############################# Zookeeper #############################
# Zookeeper connection string (see zookeeper docs for details).
# This is a comma separated host:port pairs, each corresponding to a zk
# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
# You can also append an optional chroot string to the urls to specify the
# root directory for all kafka znodes.
zookeeper.connect=localhost:2181
# Timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=18000
############################# Group Coordinator Settings #############################
# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
# The default value for this is 3 seconds.
# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
group.initial.rebalance.delay.ms=0kafka新建client-ssl.properties
bootstrap.servers=abplicb.top:9093
security.protocol=SSL
ssl.keystore.location=/usr/kafka/kafka_2.13-3.6.1/ssl/client.keystore.jks
ssl.keystore.password=guang123
ssl.truststore.location=/usr/kafka/kafka_2.13-3.6.1/ssl/client.truststore.jks
ssl.truststore.password=guang123测试
查看topic
/usr/kafka/kafka_2.13-3.6.1/bin/kafka-topics.sh --bootstrap-server abplicb.top:9093 --list --command-config /usr/kafka/kafka_2.13-3.6.1/config/client-ssl.properties生产
/usr/kafka/kafka_2.13-3.6.1/bin/kafka-console-producer.sh --broker-list abplicb.top:9093 --topic test --producer.config /usr/kafka/kafka_2.13-3.6.1/config/client-ssl.properties监听
/usr/kafka/kafka_2.13-3.6.1/bin/kafka-console-consumer.sh --bootstrap-server abplicb.top:9093 --topic test --consumer.config /usr/kafka/kafka_2.13-3.6.1/config/client-ssl.propertiesspringboot使用ssl连接kafka
spring:
kafka:
bootstrap-servers: abplicb.top:9093 #172.16.217.107:9092 #,192.168.0.102:9093,192.168.0.102:9094
# Kafka 配置项,对应 KafkaProperties 配置类
properties:
security.protocol: SSL # 使用SSL安全协议[citation:3][citation:10]
ssl.truststore.location: /root/ssl/client.truststore.jks # 信任库文件的绝对路径[citation:6]
ssl.truststore.password: guang123 # 信任库密码[citation:1]
# 如果需要客户端认证(双向SSL),还需配置以下项:
ssl.keystore.location: /root/ssl/client.keystore.jks # 密钥库文件的绝对路径
ssl.keystore.password: guang123 # 密钥库密码[citation:1]
ssl.key.password: guang123 # 私钥密码[citation:2]
ssl.endpoint.identification.algorithm: "" # 测试环境可禁用主机名验证[citation:7]
producer:
# 写入失败时,重试次数。当leader节点失效,一个repli节点会替代成为leader节点,此时可能出现写入失败,
# 当retris为0时,produce不会重复。retirs重发,此时repli节点完全成为leader节点,不会产生消息丢失。
retries: 0
#procedure要求leader在考虑完成请求之前收到的确认数,用于控制发送记录在服务端的持久化,其值可以为如下:
#acks = 0 如果设置为零,则生产者将不会等待来自服务器的任何确认,该记录将立即添加到套接字缓冲区并视为已发送。在这种情况下,无法保证服务器已收到记录,并且重试配置将不会生效(因为客户端通常不会知道任何故障),为每条记录返回的偏移量始终设置为-1。
#acks = 1 这意味着leader会将记录写入其本地日志,但无需等待所有副本服务器的完全确认即可做出回应,在这种情况下,如果leader在确认记录后立即失败,但在将数据复制到所有的副本服务器之前,则记录将会丢失。
#acks = all 这意味着leader将等待完整的同步副本集以确认记录,这保证了只要至少一个同步副本服务器仍然存活,记录就不会丢失,这是最强有力的保证,这相当于acks = -1的设置。
#可以设置的值为:all, -1, 0, 1
acks: 1
# 定消息key和消息体的编解码方式-序列化
#key-serializer: org.apache.kafka.common.serialization.StringSerializer
#value-serializer: org.apache.kafka.common.serialization.StringSerializer
#value-serializer: com.enzoism.springboot.kafka.model.UserSerializer
consumer:
group-id: testGroup
# smallest和largest才有效,如果smallest重新0开始读取,如果是largest从logfile的offset读取。一般情况下我们都是设置smallest
auto-offset-reset: earliest
# 设置自动提交offset
enable-auto-commit: true
# 如果'enable.auto.commit'为true,则消费者偏移自动提交给Kafka的频率(以毫秒为单位),默认值为5000。
auto-commit-interval: 100
max-poll-records: 5
# 定消息key和消息体的编解码方式-反序列话
#key-deserializer: org.apache.kafka.common.serialization.StringDeserializer
#value-deserializer: org.apache.kafka.common.serialization.StringDeserializer
#value-deserializer: com.enzoism.springboot.kafka.model.UserDeserializer