|
|
启动集群:
5 N0 n2 B. o/ d, H/ X8 S8 E# ~' F
前提:设置好系统配置和JVM堆内存
* t2 Z0 V3 j F/ M
]: a* j. [1 K1 t3 }! T创建elastic的数据和日志存放目录,如果是测试环境无所谓,如果是生成环境一定要单独设置数据和日志存放的路径,因为ES可能因为升级或其它原因把原有的数据清理或丢失等因素, A# g: N! ^1 T# v! n
" z- O0 | E$ Q1 N
( z9 f' k& T) Z6 L1 _5 M- J1 J' c2 Q( Q* T R
3 i6 m& [7 U* V& K7 C4 r
配置文件属组权限,并启动
$ x& }* H; @) _3 a: I( m9 q[root@it-elassearch elasticsearch]# chown -R es:es elastic-cluster1/
2 Z4 v5 _ b0 e6 z1 I& g0 E; ^[root@it-elassearch-2 elasticsearch]# chown -R es:es elastic-cluster2/
9 P7 N0 j; O4 ^. D$ d4 H p% F; m% e( F+ y' ?/ k# T, U
" {" l! P1 O4 q1 o
8 a6 s6 |) Q3 f7 S( K' o/ v如果添加鉴权配置请按照此处配置,不配置即可略过:$ a! t* z; u0 Q* R1 n* b
8 _; D1 F4 G: f. h" J1 y
( T/ c* y3 I: ?, M# u7 C生成密匙:8 p0 K: ~* F$ @1 L4 b" z! Y
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil ca& I' l2 E6 X( I) _" P1 B; D' j
This tool assists you in the generation of X.509 certificates and certificate) y9 c2 e- t$ P% b) R
signing requests for use with SSL/TLS in the Elastic stack.0 b' @/ c& j$ c) h1 s
F; L- o0 @" d$ n8 n) K9 F! B
# H/ a9 n% A/ }+ t2 o* GThe 'ca' mode generates a new 'certificate authority'. S0 o+ W' I9 {/ x" k
This will create a new X.509 certificate and private key that can be used2 O7 a! G3 C1 K* l
to sign certificate when running in 'cert' mode.& s& B# o& s( V( o0 n% U
, @4 H U6 m0 x. R! o+ V& [- ~* P8 F. d% d
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
- c' `) C' \5 t$ Z1 T8 D# \% ?) @of the certificate authority/ ?1 S0 Y4 u9 ^/ P+ A
( u/ n/ ^% p* R1 o
4 {0 O; @# j, q% N% Y$ pBy default the 'ca' mode produces a single PKCS#12 output file which holds:
, l9 c! ?4 x) G' ^1 |/ c4 z8 C * The CA certificate
9 W: J( {1 y- E9 ~2 m3 `5 q( ^8 N * The CA's private key
8 b! C$ M. P( h: Z' u* Z: p: y/ x. ?4 o
# j ^1 g9 y/ Q! |If you elect to generate PEM format certificates (the -pem option), then the output will( j) h N& j% l. x' x9 e
be a zip file containing individual files for the CA certificate and private key
6 W: m$ V9 n. Q* B0 l. m9 N$ v; Y$ p, J; u+ n' p
Please enter the desired output file [elastic-stack-ca.p12]: 【这里忽略,直接回车进入下面输入密码:】
% W, N- G% i0 X* k% a3 }Enter password for elastic-stack-ca.p12 : 【输入密码】* k! T: Y. P# [
# F2 I# w4 a& L+ V
$ S! }4 @& _$ V$ v$ H/ m+ W! h. }
/ `: }: {: J+ U9 P1 Y( i[es@it-elassearch elasticsearch-8.15.0]$ ll" x+ E9 p3 I: T K W, q7 C% a! ]
total 2268' \- A9 M1 Z: R2 d) C1 z% |4 K
......
5 i- W! a: j3 p9 a+ S3 p-rw------- 1 es es 2672 Oct 28 17:05 elastic-stack-ca.p12
" A& ^* W: K3 O/ F......
! y& N) E, t* ~- T; g3 t2 Y9 J, t. X, H i& n
# J% d, k; F9 \3 c
; {( P7 i4 _( E0 d, I0 f* B$ o, @# e8 g) x) Y y( r" x
+ g4 F$ m! R+ `: l: r9 i1 W: x. J5 Y+ s* V: I
[es@it-elassearch-2 elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil ca
; r$ z' T" c& l' J' gThis tool assists you in the generation of X.509 certificates and certificate
8 s, w+ K% H# L1 s3 V+ s( |signing requests for use with SSL/TLS in the Elastic stack.
. I$ x6 T; X- S$ k: `- u* r5 @3 G; l" V( w
$ p7 F* F% G3 E3 K/ N! yThe 'ca' mode generates a new 'certificate authority'8 M# n3 F( l8 e
This will create a new X.509 certificate and private key that can be used
, v# l6 Q) \& U: a: gto sign certificate when running in 'cert' mode.
; F% d& R. L A M3 W: c- f! h# @ M
. s8 z: b! w, W4 F% Q& a! y
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
9 [$ F) E1 ~' G/ J1 g1 iof the certificate authority6 o z5 @" F8 {$ O; f" l
' |( Q6 e3 d% I4 _3 p6 Y0 i, R1 M9 H1 p9 q& Y2 K0 m9 {
By default the 'ca' mode produces a single PKCS#12 output file which holds:: D# }# r7 o& B+ M% ^
* The CA certificate
8 Y% ]% G) m% Q- T/ N2 K* i) ] z/ y * The CA's private key
" Q( p- T }7 A' `) ~. ?) l4 T5 t6 f
' ?. X$ }; B# k2 ?% {8 {) ^4 XIf you elect to generate PEM format certificates (the -pem option), then the output will
, F1 L [. n( j& E3 W& T+ G7 Zbe a zip file containing individual files for the CA certificate and private key
8 f: G# c* A$ z! _% @$ g3 X) O9 L& \$ `8 [& o2 E
- ?3 S7 t: @* fPlease enter the desired output file [elastic-stack-ca.p12]:1 i, K* A; H$ l
Enter password for elastic-stack-ca.p12 :
) j1 u2 C, l) N( V
& r% h3 S8 [# {, f, U/ d2 ]* _* `# C' A
生成密钥: H0 D9 [& w! Z! }
- p+ x9 ^& m O( P7 O5 {* ^8 g3 p& B
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
- F1 X% `( D, e: V- O& EThis tool assists you in the generation of X.509 certificates and certificate
( `! o/ g! ]4 B$ l- w1 M1 Psigning requests for use with SSL/TLS in the Elastic stack.8 }& U- o4 t3 I/ x: z/ B
7 w/ w# q, |- T l, b1 v; D; T
The 'cert' mode generates X.509 certificate and private keys.* C" N) a; K$ N8 W7 v2 p
* By default, this generates a single certificate and key for use
1 i0 {6 T" @ Y" |8 `* a8 H on a single instance.' j3 `! I# ^0 U) R# b+ |+ N
* The '-multiple' option will prompt you to enter details for multiple
. {5 P% F; u- _ instances and will generate a certificate and key for each one6 E0 {9 y' P% }2 B; `# X# a
* The '-in' option allows for the certificate generation to be automated by describing
) F0 C% {) Z) q/ O7 i: |! P! z the details of each instance in a YAML file
" n- R& u; e9 g H
* Z$ @6 |- [* M * An instance is any piece of the Elastic Stack that requires an SSL certificate.
3 W. M% H, d, b+ X Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats: }- P% k# Q2 \" g$ \! l
may all require a certificate and private key.
% j8 ~! o$ g, I1 i6 q& J/ C! o * The minimum required value for each instance is a name. This can simply be the
! _7 J) i( a( m hostname, which will be used as the Common Name of the certificate. A full$ [0 d* h3 Z8 ?9 ^- O1 h
distinguished name may also be used.
5 H3 M# W8 F9 y7 v * A filename value may be required for each instance. This is necessary when the' X, Y1 v6 o B) `/ L
name would result in an invalid file or directory name. The name provided here, @0 H1 D) v' K
is used as the directory name (within the zip) and the prefix for the key and) `# x( w! U% @4 x! J1 n
certificate files. The filename is required if you are prompted and the name) ]% m5 h& h5 {8 j/ ]2 I7 l
is not displayed in the prompt.
2 R) W) o/ }4 u * IP addresses and DNS names are optional. Multiple values can be specified as a
/ T! l$ u3 x- [ comma separated string. If no IP addresses or DNS names are provided, you may
$ R3 b% r2 Y7 D7 x/ y: r0 m disable hostname verification in your SSL configuration.( K1 P) K" K$ ~& x2 l+ r
6 p( J; @, y7 _$ [# J+ w: A* X6 Q+ i4 n! _8 V6 o
* All certificates generated by this tool will be signed by a certificate authority (CA)6 R' h7 G4 n6 n, c
unless the --self-signed command line option is specified.( J7 a/ n# |' d8 i
The tool can automatically generate a new CA for you, or you can provide your own with- R1 j$ f3 M1 @! Y+ l& N( r. H) ]0 E
the --ca or --ca-cert command line options.5 g: C# R, |6 v: c, L
* h" B. C1 o1 y) `! X
- `1 M" ] ?3 k) ^' X
By default the 'cert' mode produces a single PKCS#12 output file which holds:
4 ]: V2 N6 x/ N* F9 l * The instance certificate
' \9 I( j% F& a1 M * The private key for the instance certificate0 m9 t- e/ t# W; m1 [8 X
* The CA certificate9 Z2 \# j) E3 ]; F7 Z* u! B
& H; {4 {* t5 K; j5 HIf you specify any of the following options:
. _& s4 ?9 O6 U! m, `9 D* c * -pem (PEM formatted output)
1 u/ h6 o$ f9 D * -multiple (generate multiple certificates)
) ~9 ~7 W) A' ` * -in (generate certificates from an input file)7 F. c. _ _8 w+ k' c
then the output will be be a zip file containing individual certificate/key files( ] r+ I; _- g8 H. r
* c, l% b* z5 pEnter password for CA (elastic-stack-ca.p12) : 【输入密码】
; S1 C6 O- e' ~; nPlease enter the desired output file [elastic-certificates.p12]: 【直接回车】! K) a8 I1 O* l. `1 w) G
Enter password for elastic-certificates.p12 : 【再次输入密码】9 ~5 `1 {5 F. l0 C) u6 L
8 P4 R- c) w" y. d8 F- q) ICertificates written to /data/elasticsearch/elastic-cluster1/elasticsearch-8.15.0/elastic-certificates.p12* Z$ K* K# ~8 W0 [ ?
5 i7 o! |7 P. y3 l4 i2 bThis file should be properly secured as it contains the private key for ( K8 u$ s' r# F( E4 n
your instance.
* i5 `2 N! H A( Z- GThis file is a self contained file and can be copied and used 'as is'$ Z1 r/ U1 w; U
For each Elastic product that you wish to configure, you should copy
. x8 d: k/ l; I. Ithis '.p12' file to the relevant configuration directory1 I+ `! ~. {9 i* Z. J
and then follow the SSL configuration instructions in the product guide.% `) o3 G$ p5 N, w
# u- i/ j o$ ~$ w VFor client applications, you may only need to copy the CA certificate and
! c* Z: V& F; m- C' f: _configure the client to trust this certificate.
& F7 H5 V6 r& ^# D5 r! b6 U$ v( e" h
# C x1 g# q0 A# ~4 J, m, [ _1 Q' c
. h$ Y* Z5 Z% ^( q[es@it-elassearch-2 elasticsearch-8.15.0]$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
0 e" d( ^# R7 y% b& q4 i) yThis tool assists you in the generation of X.509 certificates and certificate9 j! \: d% {7 _( E
signing requests for use with SSL/TLS in the Elastic stack.
( F4 t$ f$ ]6 Y: l6 O8 D# l% b5 B: g& n' B" o
The 'cert' mode generates X.509 certificate and private keys.
" ^) L. L$ }9 \! W1 C$ ~; A" z * By default, this generates a single certificate and key for use2 y; M6 h* }7 @% F5 j' X
on a single instance.' {+ \7 u) S* h/ b9 {) C q2 X
* The '-multiple' option will prompt you to enter details for multiple; h6 b9 ~' Y! D" G( `$ Q( \0 n
instances and will generate a certificate and key for each one* _) Y* g& t% ^, n1 W- H, Z
* The '-in' option allows for the certificate generation to be automated by describing
: P6 z" l2 n+ ~$ x" \ the details of each instance in a YAML file) O" @4 N" K6 r" |! E; }$ p
. k8 m8 x$ E( ^( f i1 _) }0 { * An instance is any piece of the Elastic Stack that requires an SSL certificate.4 T& [' D Y; @" R; A/ g
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
9 f0 T( P' B" W L3 Y. Z' s may all require a certificate and private key.
, [7 ~8 y" B) m * The minimum required value for each instance is a name. This can simply be the
: Z& i( J6 R. J* Z5 s! \ hostname, which will be used as the Common Name of the certificate. A full
0 }! i1 N' |- C0 [; {6 \ s distinguished name may also be used.
2 z0 a) q9 O0 a" ? * A filename value may be required for each instance. This is necessary when the
7 _: r8 s& S1 L5 e6 u- n name would result in an invalid file or directory name. The name provided here/ G- U& s5 D% `; E- Y4 _: g5 X8 J
is used as the directory name (within the zip) and the prefix for the key and
$ w$ q* n) u8 v- t/ G; d certificate files. The filename is required if you are prompted and the name
1 w$ b9 N8 G5 Z, G" j. ] is not displayed in the prompt.
- L' Q! h7 \& w' U * IP addresses and DNS names are optional. Multiple values can be specified as a
; |. D! T3 k0 N( X# k1 }( n comma separated string. If no IP addresses or DNS names are provided, you may
7 y9 Z9 T- i' w J disable hostname verification in your SSL configuration.8 z4 N. s7 n# M% k9 [; y
1 A& [! j2 T8 f3 G" r& }, Y" H$ F# O3 d( Y/ g. X* r% R
* All certificates generated by this tool will be signed by a certificate authority (CA)
4 D/ ~. w; X% b: q unless the --self-signed command line option is specified.
. O: V: S% N$ [$ I The tool can automatically generate a new CA for you, or you can provide your own with' A# J4 G1 ?- x6 m# w
the --ca or --ca-cert command line options.8 g; p( ^3 \9 \: Z ~ M
" o4 }1 X& M; [* t) O9 p
& @5 `! R0 `+ p+ D! v5 ^" Q, ]By default the 'cert' mode produces a single PKCS#12 output file which holds:0 O9 ^8 H- f+ e/ x0 Y/ M. u$ k
* The instance certificate% ]: P' ^( b5 J+ B! c
* The private key for the instance certificate% K1 d4 e* c9 x" U+ i! A
* The CA certificate
9 R0 J1 t/ v. R$ x, n6 H& d9 I# Y5 @2 W& X1 _) a- _3 r" Y
If you specify any of the following options:+ D. f- n9 O+ t, x; t' |8 w' X
* -pem (PEM formatted output)& O) B9 {% F! g9 G% C
* -multiple (generate multiple certificates)
! P. M8 Y3 |( T) O, B& k * -in (generate certificates from an input file)
/ o+ n1 v' t0 i( i. |4 O4 zthen the output will be be a zip file containing individual certificate/key files
0 l* T N% `5 s
6 ?+ _: e1 a. f0 R) a/ wEnter password for CA (elastic-stack-ca.p12) : 【输入密码】4 s/ \* Q' H3 O2 H! |
Please enter the desired output file [elastic-certificates.p12]: 【直接回车】
. F2 C6 q) q4 f5 s. j2 _Enter password for elastic-certificates.p12 : 【输入密码】: W' T" A0 D7 `# i% C. x
) {: D L! b$ d5 @% `( `9 E
Certificates written to /data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/elastic-certificates.p12
& g8 ?( g! i+ N% Y. ]: v" I5 f$ y* r- J3 ~
This file should be properly secured as it contains the private key for
+ z- k$ w6 v1 Y; Y) l. yyour instance.
# Q$ Z. W8 n; i+ \2 f- G/ YThis file is a self contained file and can be copied and used 'as is'
. t3 J7 I! k8 ^+ y0 h5 K3 w6 @For each Elastic product that you wish to configure, you should copy
4 ]* s; _4 @/ t) X% ^this '.p12' file to the relevant configuration directory6 g3 x& g. s7 G a( j
and then follow the SSL configuration instructions in the product guide.$ I3 w3 }0 d9 @, ?0 N0 G( W# m
, g2 D: A2 `+ R2 u, Q8 i/ Y2 E, eFor client applications, you may only need to copy the CA certificate and
" k& P0 ]6 n' v4 q# ?! Q1 |) Iconfigure the client to trust this certificate.) B* B! g7 S! G! J1 L
0 p7 ~4 W8 x/ s+ [& s1 N0 d9 ~
4 E& C6 G9 [ q/ f##将凭证迁移到指定的目录:: H/ N3 ?% Q0 i/ Y
创建目录:1 e, b1 a* g( D) T- z& B
mkdir -p ./config/certificates/& Q; j0 q) I T M
移动凭证到指定目录下:& U5 A/ {% \5 G: t: @2 U
mv elastic-certificates.p12 ./config/certificates/, ~1 O9 ]& T6 i; U
* D7 g! S, P+ u% v+ Z
赋于权限:
0 f: f3 a0 J; S) O) `6 W, _
; _& |. X7 c' ]; S0 {3 N, H1 e
' v# P L, U3 o, J) f5 ?! j: j) `[es@it-elassearch elasticsearch-8.15.0]$ rsync -azvP -e 'ssh -p 22' config/certificates/elastic-certificates.p12 es@172.24.110.126:/data/elasticsearch/elastic-cluster2/elasticsearch-8.15.0/config/certificates/elastic-certificates.p12
6 Z1 X3 q$ K0 \, u ^The authenticity of host '[172.24.110.126]:22 ([172.24.110.126]:22)' can't be established.
. S5 y; z/ B' G5 P: C) ]ECDSA key fingerprint is SHA256:Tvzi0ICzurMYEPySzerkOmwk/o7XHxmABVKRigofHzg.# V6 p- d d* m; [& z5 h
ECDSA key fingerprint is MD5:f0:92:26:fd:da:d3:e4:db:be:36:b1:fe:d6:2b:65:25.
& K$ I$ d2 E* P, n0 MAre you sure you want to continue connecting (yes/no)? yes
/ T0 R6 f' t w9 V [: dWarning: Permanently added '[172.24.110.126]:22' (ECDSA) to the list of known hosts.7 i& X0 Y2 p8 D# |
es@172.24.110.126's password:
|* Q C4 ]" |, rsending incremental file list
4 z4 B1 d" E! r9 |% r) Aelastic-certificates.p12
- z, K8 [0 j7 T4 Z( ~* ^ 3,596 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=0/1)
& F+ Q& w& m! I5 D# ]$ z0 y1 W6 q$ Q$ {. ^7 y1 o
6 O$ Y$ V: b' H) e6 P" g
sent 3,631 bytes received 35 bytes 564.00 bytes/sec
1 @1 p" z' H% `0 Z# {% Ttotal size is 3,596 speedup is 0.987 `% {; I+ |% b& ^* b4 j5 Y
' z1 |* S& S. ^/ f4 {- w/ q4 t
修改配置文件(每台都需要添加)
( x$ L( B0 C6 I+ i* x, G+ G) G4 q9 }+ T
Q' n( @2 x) ?+ Yhttp.cors.enabled: true5 M& p' l" |) O ?
http.cors.allow-origin: "*"" z$ ~* e% P2 H2 I3 A: J8 }$ P. U
http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length' f, g4 D, o1 q3 t* i% @" Q, _
* t% H& e7 @4 q, d: N E
# N2 W( }' H/ ~ m3 Jxpack.security.enabled: true
! O, k) L8 `; P7 r9 S r) ]! Zxpack.security.authc.accept_default_password: true
- g1 }5 R$ h; D$ Txpack.security.transport.ssl.enabled: true
9 D9 B) A! g- y9 ~( w3 J+ jxpack.security.transport.ssl.verification_mode: certificate
9 s1 F Q4 m0 M3 x; |) A+ [xpack.security.transport.ssl.keystore.path: ./config/certificates/elastic-certificates.p121 }" J9 H1 g2 U. X2 C4 \
xpack.security.transport.ssl.truststore.path: ./config/certificates/elastic-certificates.p12
3 I# M& K3 }) g1 f/ O2 y$ c% a$ N; X+ ~: I- X
. I* ~8 ]$ i# J; p) r在各个节点上添加密码:(每一台es都需要操作)
* x6 T0 d; O4 g! L9 s, @/ C: [8 O( [/ u8 _
( U% S+ `- z2 u: Z) y6 c
- M. g; m5 x6 s5 \. ?$ Q6 [% s+ _% f1 C% i
6 m% t8 d* g! U' ]9 K加权一样需要切换到es账号:
6 a- Q3 _/ h! ~( F( J( D# c \+ O2 @- I1 e
在各个节点上添加密码:
+ K. S: K, Q1 H' W1 V Z" o! _% ]" |) t# s3 |' g9 S& `0 ~% \
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password4 |. ~6 {* p& k" x: y" g2 S
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password- ?8 L! c# T5 q, j
Enter value for xpack.security.transport.ssl.keystore.secure_password:& S; p0 [# e0 n
# t- i0 L! t/ l, d
5 g2 ?" A- l$ W$ @" a" [[es@it-elassearch-2 elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
( W1 V+ z, B0 F4 P8 e3 jEnter value for xpack.security.transport.ssl.keystore.secure_password:
: T8 e7 K3 F/ |" c# l输入密码:第一次输入密码
1 y" z' N- H( o: F G+ Y& P% I& P
[es@it-elassearch elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password% j# a' u* l9 v7 D; V0 ~
Enter value for xpack.security.transport.ssl.truststore.secure_password:
4 {# A M, Z) s3 c' d$ l0 G" W& S
[es@it-elassearch-2 elasticsearch-8.15.0]$ ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
' K7 \( D8 t. F. N L, pEnter value for xpack.security.transport.ssl.truststore.secure_password:2 S n( P+ F6 l4 Z
$ F5 \1 C R" i; g& x! v/ z% `( r! Z7 z* \) ?
输入密码: 第二次输入上面的密码:
C1 a6 k0 p4 t5 R4 e
, s+ o! s# ~4 ~) b2 O1 x0 d
/ p( C6 @1 h9 W" f' T2 O6 Q
/ z5 B' A5 B& W5 A2 f1 z, n2 g7 F1 k; P3 Q1 Y4 W! p
接下来和没有做鉴权的一样,逐个启动集群:
7 ]: u f+ z1 L7 K: M' V& O% l7 ?8 d* b0 {
2 u# e g2 I: x, `) A3 x8 z9 s% i/ [" [) U
切换到其它用户,root用户不能启动ES:su es9 L9 x7 P9 V5 F! x9 f
0 R, [4 }$ b' R4 @) O5 v- \2 K" q1 P7 v9 D
3 n$ _+ N4 b1 kbin/elasticsearch -d
6 D) h" F( }# f) |" M( s0 G3 ][es@it-elassearch elasticsearch-8.15.0]$ bin/elasticsearch -d
6 j4 Z+ l1 b& R" k; H. z+ \
- G( z( ?- u. G+ Y0 q$ O
% o4 ~4 r. V" @" c9 n. | U3 c6 ?7 n" D$ E/ {! k% \6 B' R
$ R& x1 b( Y) @6 y; e' s
, F( s* K J. P3 Y: v" W |
|
发表于 2024-10-31 15:00:04