Using HTTPS to Connect to a ClickHouse Secure Cluster
HTTPS is a secure version of HTTP. It protects data transmission by adding an SSL/TLS encryption layer between HTTP and TCP. You can connect to a ClickHouse cluster using HTTPS.
Constraints
- Disabling HTTPS will pose risks to enterprise services.
- The HTTPS option is enabled during cluster creation and cannot be disabled later.
- If the HTTPS option is not enabled during cluster creation, it cannot be enabled later.
- The cluster restarts after the secure channels are enabled on the cluster details page.
- The secure and non-secure channels cannot be disabled after being enabled concurrently.
Enabling the Secure Channel
- Log in to the CloudTable console.
- Select a region in the upper left corner.
- On the Cluster Management page, click Buy Cluster in the upper right corner. The Buy Cluster page is displayed.
- Check whether Security Channel is toggled on (default).
Additionally, you can toggle Enable Secure and Non-secure Channels on the cluster details page post-creation. This enables both secure and non-secure channels.
Figure 1 Secure channel
- Set the parameters and click Next.
- Confirm the cluster information and click Submit. After the cluster is created, go to its details page to view its security channel status.
Downloading the Security Certificate and Connecting to a ClickHouse Secure Cluster
- After a ClickHouse secure cluster is created, click the cluster name and click Details.
- On the cluster details page, click Download certificates to the right of Channel Status in the cluster information area.
- Use an SSH login tool to remotely log in to the Linux ECS through the EIP.
For details, see Logging In to a Linux ECS Using an SSH Password in the Elastic Cloud Server User Guide.
- Customize the certificate path by updating the certificate storage path in the following configuration file. Save the file to the root directory.
- <caConfig>/etc/ssl/certificate.crt</caConfig> indicates the path where certificates are stored.
- The certificate can be downloaded only once per minute.
<config>
    <secure>true</secure>
    <openSSL>
        <client>
            <caConfig>/etc/ssl/certificate.crt</caConfig>
        </client>
    </openSSL>
</config>
- Connect to the ClickHouse secure cluster.
Run the curl command to connect to the cluster.
echo 'select 1' | curl -H 'X-ClickHouse-User: user' -H 'X-ClickHouse-Key: password' --cacert /clickhouse/client/client/bin/certificate.crt 'https://host:port/?' --data-binary @-
Table 1 Parameter description

| Parameter | Description |
| --- | --- |
| select 1 | Executed SQL statement |
| user | Username for connecting to the cluster |
| password | Password created during cluster creation |
| /clickhouse/client/client/bin/certificate.crt | Path for storing the certificate |
| host, port | host indicates the private IP address, and port indicates the HTTPS port. |
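The same connection made from Python, as an added example that is not part of the original documentation. It trusts only the downloaded certificate and reads the credentials from the environment instead of the command line; the function names and the CH_* environment variable names are assumptions made for this example.

```python
import os
import ssl
import urllib.request


def make_tls_context(ca_file):
    """Build a TLS context that trusts only the certificate downloaded from the console."""
    # PROTOCOL_TLS_CLIENT enables certificate verification and hostname checking
    # by default and loads no system CA store, so ca_file is the only trust anchor.
    # The hostname check requires host to match a name or IP in the certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_file)  # raises if the file is missing or not PEM
    return ctx


def build_request(host, port, user, password, sql):
    """Same wire format as the curl command: SQL in the POST body, credentials in headers."""
    url = f"https://{host}:{port}/"
    headers = {"X-ClickHouse-User": user, "X-ClickHouse-Key": password}
    return urllib.request.Request(url, data=sql.encode("utf-8"),
                                  headers=headers, method="POST")


def run_query(host, port, user, password, sql, ca_file, timeout=10):
    """Send one statement over HTTPS and return the response body as text."""
    ctx = make_tls_context(ca_file)
    req = build_request(host, port, user, password, sql)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Environment variable names are assumptions for this example.
    print(run_query(
        os.environ["CH_HOST"], int(os.environ["CH_PORT"]),
        os.environ["CH_USER"], os.environ["CH_PASSWORD"],
        "select 1",
        os.environ.get("CH_CA_FILE", "/etc/ssl/certificate.crt"),
    ))
```

Because the context is created without the system CA store, a connection to any server whose certificate does not chain to the downloaded file fails during the handshake, before the credentials are sent.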