# Security

Fluent Bit provides integrated support for *Transport Layer Security* (TLS) and its predecessor, *Secure Sockets Layer* (SSL). In this section, TLS refers to both implementations.

Each output plugin that performs network I/O can optionally enable TLS and configure its behavior. The following table describes the available properties:

| Property        | Description                                                                                                                               | Default |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| tls             | Enable or disable TLS support                                                                                                             | Off     |
| tls.verify      | Force certificate validation                                                                                                              | On      |
| tls.debug       | Set TLS debug verbosity level. It accepts the following values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational) and 4 (Verbose) | 1       |
| tls.ca\_file    | Absolute path to CA certificate file                                                                                                      |         |
| tls.ca\_path    | Absolute path to scan for certificate files                                                                                               |         |
| tls.crt\_file   | Absolute path to certificate file                                                                                                         |         |
| tls.key\_file   | Absolute path to private key file                                                                                                         |         |
| tls.key\_passwd | Optional password for the tls.key\_file file                                                                                              |         |
| tls.vhost       | Hostname to be used for the TLS SNI extension                                                                                             |         |

The listed properties can be set in the configuration file, in each output plugin section, or directly through the command line.

The following **output** plugins can take advantage of the TLS feature:

* [Amazon CloudWatch](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/cloudwatch)
* [Amazon Kinesis Data Firehose](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/firehose)
* [Amazon S3](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/s3)
* [Azure](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/azure)
* [BigQuery](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/bigquery)
* [Datadog](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/datadog)
* [Elasticsearch](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/elasticsearch)
* [Forward](https://docs.fluentbit.io/manual/1.6/administration/security)
* [GELF](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/gelf)
* [HTTP](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/http)
* [InfluxDB](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/influxdb)
* [Kafka REST Proxy](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/kafka-rest-proxy)
* Slack
* [Splunk](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/splunk)
* [Stackdriver](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/stackdriver)
* [TCP & TLS](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/tcp-and-tls)
* [Treasure Data](https://docs.fluentbit.io/manual/1.6/pipeline/outputs/treasure-data)

In addition, other plugins implement a subset of TLS support, with restricted configuration:

* [Kubernetes Filter](https://docs.fluentbit.io/manual/1.6/pipeline/filters/kubernetes)

## Example: enable TLS on HTTP output

By default, the HTTP output plugin uses plain TCP. TLS can be enabled from the command line with:

```
$ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \
    -p tls=on         \
    -p tls.verify=off \
    -m '*'
```

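In the command line above, the two properties *tls* and *tls.verify* were set for demonstration purposes (we strongly suggest always keeping verification on). With `tls.verify` off, the connection is still encrypted but the server certificate is not validated, so the identity of the peer is not checked.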

The same behavior can be accomplished using a configuration file:

```
[INPUT]
    Name  cpu
    Tag   cpu

[OUTPUT]
    Name       http
    Match      *
    Host       192.168.2.3
    Port       80
    URI        /something
    tls        On
    tls.verify Off
```
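The following script is an added example, not part of Fluent Bit or its documentation: it audits a classic-format configuration for `[OUTPUT]` sections that leave `tls` off or set `tls.verify` off, applying the defaults from the table above. The sample config is constructed, and both the set of accepted "enabled" spellings and the rule "a `Host` key means network I/O" are assumptions.

```python
DEFAULTS = {"tls": "off", "tls.verify": "on"}  # from this page's property table
ENABLED = {"on", "true", "yes"}  # assumption: spellings counted as enabled
# Constructed sample config (classic format), not taken from a real deployment.
SAMPLE = """\
[OUTPUT]
    Name       http
    Host       192.168.2.3
    tls        On
    tls.verify Off
[OUTPUT]
    Name        forward
    Host        192.168.10.100
    tls         On
    tls.ca_file /etc/certs/fluent.crt
[OUTPUT]
    Name  tcp
    Host  192.168.10.101
[OUTPUT]
    Name  stdout
"""

def parse_sections(text):
    """Split the config into (SECTION, {lowercased key: value}) pairs."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().upper(), {}))
        elif sections:
            key, *rest = line.split(None, 1)
            sections[-1][1][key.lower()] = rest[0] if rest else ""
    return sections

def audit_outputs(text):
    """Return (plugin, finding) for outputs with TLS off or unverified."""
    findings = []
    for section, props in parse_sections(text):
        if section != "OUTPUT":
            continue
        on = lambda k: props.get(k, DEFAULTS[k]).lower() in ENABLED
        plugin = props.get("name", "?")
        if "host" in props and not on("tls"):  # heuristic: Host => network I/O
            findings.append((plugin, "tls off: plaintext transport"))
        elif on("tls") and not on("tls.verify"):
            findings.append((plugin, "tls.verify off: peer not authenticated"))
    return findings

if __name__ == "__main__":
    print(audit_outputs(SAMPLE))
```

Outputs that set no `Host` (such as `stdout` in the sample) are skipped, so the heuristic will miss network outputs that are configured without that key.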

## Tips and Tricks

### Connect to virtual servers using TLS

Fluent Bit supports [TLS server name indication](https://en.wikipedia.org/wiki/Server_Name_Indication). If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can make use of `tls.vhost` to connect to a specific hostname.

```
[INPUT]
    Name  cpu
    Tag   cpu

[OUTPUT]
    Name        forward
    Match       *
    Host        192.168.10.100
    Port        24224
    tls         On
    tls.verify  On
    tls.ca_file /etc/certs/fluent.crt
    tls.vhost   fluent.example.com
```
