Transport Security
Calyptia Core Agent provides integrated support for Transport Layer Security (TLS) and it predecessor Secure Sockets Layer (SSL) respectively. In this section we will refer as TLS only for both implementations.
Both input and output plugins that perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available:
tls
Enables or disables TLS support.
Off
tls.verify
If enabled, forces certificate validation.
On
tls.debug
Sets TLS debug verbosity level. Possible values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational), 4 (Verbose)
1
tls.ca_file
The absolute path to the TLS certificate from your certificate authority (CA).
tls.ca_path
The absolute path to scan for certificate files.
tls.crt_file
The absolute path to your certificate file.
tls.key_file
The absolute path to your private key file.
tls.key_passwd
The optional password for the file specified by tls.key_file.
tls.vhost
The hostname to use for the TLS Server Name Indication (SNI) extension.
tls.max_version
Specifies the maximum TLS version. In most environments, the supported values are TLSv1.3 and TLSv1.2. In CentOS version 7 and earlier, the supported values are TLSv1, TLSv1.1, and SSLv3.
tls.min_version
Specifies the minimum TLS version. In most environments, the supported values are TLSv1.3 and TLSv1.2. In CentOS version 7 and earlier, the supported values are TLSv1, TLSv1.1, and SSLv3.
The listed properties can be enabled in the configuration file, specifically on each output plugin section or directly through the command line.
Compatible plugins
The following input plugins offer TLS support:
The following output plugins offer TLS support:
In addition, the following filter offers limited TLS support:
Example: Enable TLS on HTTP input
By default HTTP input plugin uses plain TCP, enabling TLS from the command line can be done with:
./bin/fluent-bit -i http \
-p port=9999 \
-p tls=on \
-p tls.verify=off \
-p tls.crt_file=self_signed.crt \
-p tls.key_file=self_signed.key \
-o stdout \
-m '*'In the previous command line, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).
The same behavior can be accomplished using a configuration file:
[INPUT]
name http
port 9999
tls on
tls.verify off
tls.crt_file self_signed.crt
tls.key_file self_signed.key
[OUTPUT]
Name stdout
Match *Example: Enable TLS on HTTP output
By default HTTP output plugin uses plain TCP, enabling TLS from the command line can be done with:
$ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \
-p tls=on \
-p tls.verify=off \
-m '*'In the previous command line, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).
The same behavior can be accomplished using a configuration file:
[INPUT]
Name cpu
Tag cpu
[OUTPUT]
Name http
Match *
Host 192.168.2.3
Port 80
URI /something
tls On
tls.verify OffTips and tricks
Generate your own self signed certificates for testing purposes.
This will generate a 4096 bit RSA key pair and a certificate that is signed using SHA-256 with the expiration date set to 30 days in the future, test.host.net set as common name and since we opted out of DES the private key will be stored in plain text.
openssl req -x509 \
-newkey rsa:4096 \
-sha256 \
-nodes \
-keyout self_signed.key \
-out self_signed.crt \
-subj "/CN=test.host.net"Connect to virtual servers using TLS
Calyptia Core Agent supports TLS server name indication. If you are serving multiple hostnames on a single IP address (also known as virtual hosting), you can make use of tls.vhost to connect to a specific hostname.
[INPUT]
Name cpu
Tag cpu
[OUTPUT]
Name forward
Match *
Host 192.168.10.100
Port 24224
tls On
tls.verify On
tls.ca_file /etc/certs/fluent.crt
tls.vhost fluent.example.comLast updated