# Transport Security

Fluent Bit provides integrated support for *Transport Layer Security* (TLS) and its predecessor, *Secure Sockets Layer* (SSL). In this section we refer to both implementations as TLS.

Both input and output plugins that perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available:

| Property        | Description                                                                                                                                 | Default |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| tls             | Enable or disable TLS support                                                                                                               | Off     |
| tls.verify      | Force certificate validation                                                                                                                | On      |
| tls.debug       | Set TLS debug verbosity level. It accepts the following values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational) and 4 (Verbose) | 1       |
| tls.ca_file     | Absolute path to CA certificate file                                                                                                        |         |
| tls.ca_path     | Absolute path to scan for certificate files                                                                                                 |         |
| tls.crt_file    | Absolute path to Certificate file                                                                                                           |         |
| tls.key_file    | Absolute path to private Key file                                                                                                           |         |
| tls.key_passwd  | Optional password for the tls.key_file file                                                                                                 |         |
| tls.vhost       | Hostname to be used for the TLS SNI extension                                                                                               |         |

*Note: in order to use TLS on input plugins, the user is expected to provide both a certificate and a private key.*

The listed properties can be enabled in the configuration file, specifically in each input or output plugin section, or directly through the command line.

The following **output** plugins can take advantage of the TLS feature:

* [Amazon S3](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/s3)
* [Apache SkyWalking](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/skywalking)
* [Azure](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/azure)
* [Azure Blob](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/azure_blob)
* [Azure Data Explorer (Kusto)](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/azure_kusto)
* [Azure Logs Ingestion API](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/azure_logs_ingestion)
* [BigQuery](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/bigquery)
* [Datadog](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/datadog)
* [Elasticsearch](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/elasticsearch)
* [Forward](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/forward)
* [GELF](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/gelf)
* [Google Chronicle](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/chronicle)
* [HTTP](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/http)
* [InfluxDB](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/influxdb)
* [Kafka REST Proxy](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/kafka-rest-proxy)
* [LogDNA](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/logdna)
* [Loki](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/loki)
* [New Relic](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/new-relic)
* [OpenSearch](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/opensearch)
* [OpenTelemetry](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/opentelemetry)
* [Oracle Cloud Infrastructure Logging Analytics](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/oci-logging-analytics)
* [Prometheus Remote Write](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/prometheus-remote-write)
* [Slack](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/slack)
* [Splunk](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/splunk)
* [Stackdriver](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/stackdriver)
* [Syslog](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/syslog)
* [TCP & TLS](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/tcp-and-tls)
* [Treasure Data](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/treasure-data)
* [WebSocket](https://docs.fluentbit.io/manual/3.0/pipeline/outputs/websocket)

The following **input** plugins can take advantage of the TLS feature:

* [Docker Events](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/docker-events)
* [Elasticsearch (Bulk API)](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/elasticsearch)
* [Forward](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/forward)
* [Health](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/health)
* [HTTP](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/http)
* [Kubernetes Events](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/kubernetes-events)
* [MQTT](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/mqtt)
* [NGINX Exporter Metrics](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/nginx)
* [OpenTelemetry](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/opentelemetry)
* [Prometheus Scrape Metrics](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/prometheus-scrape-metrics)
* [Prometheus Remote Write](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/prometheus-remote-write)
* [Splunk (HTTP HEC)](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/splunk)
* [Syslog](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/syslog)
* [TCP](https://docs.fluentbit.io/manual/3.0/pipeline/inputs/tcp)

In addition, other plugins implement a subset of TLS support, meaning they accept a restricted configuration:

* [Kubernetes Filter](https://docs.fluentbit.io/manual/3.0/pipeline/filters/kubernetes)

## Example: enable TLS on HTTP input

By default the HTTP input plugin uses plain TCP. Enabling TLS from the command line can be done with:

```
./bin/fluent-bit -i http \
           -p port=9999 \
           -p tls=on \
           -p tls.verify=off \
           -p tls.crt_file=self_signed.crt \
           -p tls.key_file=self_signed.key \
           -o stdout \
           -m '*'
```

In the command line above, the two properties *tls* and *tls.verify* were set this way for demonstration purposes only (we strongly suggest always keeping verification on).

The same behavior can be accomplished using a configuration file:

```
[INPUT]
    name http
    port 9999
    tls on
    tls.verify off
    tls.crt_file self_signed.crt
    tls.key_file self_signed.key

[OUTPUT]
    Name       stdout
    Match      *
```

## Example: enable TLS on HTTP output

By default the HTTP output plugin uses plain TCP. Enabling TLS from the command line can be done with:

```
$ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \
    -p tls=on         \
    -p tls.verify=off \
    -m '*'
```

In the command line above, the two properties *tls* and *tls.verify* were set this way for demonstration purposes only (we strongly suggest always keeping verification on).

The same behavior can be accomplished using a configuration file:

```
[INPUT]
    Name  cpu
    Tag   cpu

[OUTPUT]
    Name       http
    Match      *
    Host       192.168.2.3
    Port       80
    URI        /something
    tls        On
    tls.verify Off
```
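The examples above (and the property table) are easy to copy into production with `tls.verify Off` still in place, or into an input section without the certificate and key the note requires. The following audit script is an added example, not part of the Fluent Bit project: it parses a classic-mode configuration and reports those two problems plus any `tls.*` path that is not absolute. The sample configuration embedded in it is constructed from the sections shown on this page, with an extra `tcp` input added to show the missing-certificate case; the finding texts and severities are this example's own choices.

```python
"""Audit TLS settings in a Fluent Bit classic-mode configuration.

Added example (not Fluent Bit project code). It reports:
  * tls.verify off          -> certificate validation disabled
  * an INPUT with tls on but no tls.crt_file / tls.key_file
  * tls.* file paths that are not absolute
"""
import os
import re
from dataclasses import dataclass, field

PATH_PROPERTIES = ("tls.ca_file", "tls.ca_path", "tls.crt_file", "tls.key_file")

# Constructed sample: the http input/output sections from this page, a tcp input
# that enables TLS without a certificate, and a forward output with tls.vhost.
SAMPLE_CONFIG = """
[INPUT]
    name http
    port 9999
    tls on
    tls.verify off
    tls.crt_file self_signed.crt
    tls.key_file self_signed.key

[INPUT]
    Name  tcp
    Port  5170
    tls   on

[OUTPUT]
    Name       http
    Match      *
    Host       192.168.2.3
    Port       80
    URI        /something
    tls        On
    tls.verify Off

[OUTPUT]
    Name        forward
    Match       *
    Host        192.168.10.100
    Port        24224
    tls         On
    tls.verify  On
    tls.ca_file /etc/certs/fluent.crt
    tls.vhost   fluent.example.com
"""


@dataclass
class Section:
    kind: str                                   # INPUT, OUTPUT, FILTER, ...
    props: dict = field(default_factory=dict)   # keys stored lower-cased

    def get(self, key, default=None):
        return self.props.get(key.lower(), default)


def parse_classic_config(text):
    """Parse classic Fluent Bit config ([SECTION] + 'key value' lines)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append(Section(header.group(1).upper()))
            continue
        if not sections:
            raise ValueError(f"property outside of a section: {line!r}")
        key, _, value = line.partition(" ")   # first blank separates key/value
        sections[-1].props[key.lower()] = value.strip()
    return sections


def is_on(value):
    """Fluent Bit accepts several spellings for a boolean 'on'."""
    return str(value).strip().lower() in ("on", "true", "yes", "1")


def audit_tls(sections):
    """Return (severity, section label, message) tuples for risky TLS settings."""
    findings = []
    for idx, sec in enumerate(sections):
        label = f"{sec.kind}#{idx} ({sec.get('name', '?')})"
        if not is_on(sec.get("tls", "off")):
            continue  # plaintext section: tls.* properties are not in effect
        if not is_on(sec.get("tls.verify", "on")):  # default is On per the table
            findings.append(("WARN", label, "tls.verify is off: peer certificate is not validated"))
        if sec.kind == "INPUT":
            for need in ("tls.crt_file", "tls.key_file"):
                if not sec.get(need):
                    findings.append(("ERROR", label, f"input enables TLS but {need} is missing"))
        for prop in PATH_PROPERTIES:
            value = sec.get(prop)
            if value and not os.path.isabs(value):
                findings.append(("WARN", label, f"{prop}={value} is not an absolute path"))
    return findings


if __name__ == "__main__":
    for severity, label, message in audit_tls(parse_classic_config(SAMPLE_CONFIG)):
        print(f"{severity:5} {label}: {message}")
```

Run it against a real configuration by reading the file into `parse_classic_config` instead of `SAMPLE_CONFIG`; on the sample it reports six findings, and the `forward` output (verification on, absolute CA path, explicit `tls.vhost`) is the only TLS-enabled section that comes back clean.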

## Tips and Tricks

### Generate your own self-signed certificates for testing purposes

This will generate a 4096-bit RSA key pair and a certificate that is signed using SHA-256, with the expiration date set to 30 days in the future and `test.host.net` set as the common name. Since we opted out of `DES` (`-nodes`), the private key will be stored in plain text.

```
openssl req -x509 \
            -newkey rsa:4096 \
            -sha256 \
            -nodes \
            -keyout self_signed.key \
            -out self_signed.crt \
            -subj "/CN=test.host.net"
```
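Before pointing `tls.crt_file` and `tls.key_file` at the generated files it is worth confirming that they carry the properties the text describes. The script below is an added example, not part of the Fluent Bit documentation: it wraps the `openssl req` command from above in a function and then inspects the result with `openssl x509`, checking the key size, signature algorithm, common name, the roughly 30-day validity window and that the key file is unencrypted. It assumes `openssl` is on `PATH` and that `mktemp -d` is available.

```sh
#!/bin/sh
# Added example (not Fluent Bit project code): generate the self-signed test
# certificate exactly as in the Tips and Tricks section, then audit it.

gen_test_cert() {
    # $1 = writable output directory, $2 = common name for the certificate
    dir="$1"; cn="$2"
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes \
        -keyout "$dir/self_signed.key" -out "$dir/self_signed.crt" \
        -subj "/CN=$cn" 2>/dev/null
}

cert_cn() {
    # Print the CN of the certificate subject; handles both the
    # "subject=CN = x" and the older "subject= /CN=x" output formats.
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

audit_test_cert() {
    # $1 = directory holding self_signed.crt and self_signed.key.
    # Returns 0 when every property described in the text holds, 1 otherwise.
    crt="$1/self_signed.crt"; key="$1/self_signed.key"
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q "Public-Key: (4096 bit)" \
        || { echo "audit: key is not RSA-4096"; return 1; }
    echo "$text" | grep -q "Signature Algorithm: sha256WithRSAEncryption" \
        || { echo "audit: certificate is not SHA-256 signed"; return 1; }
    [ "$(cert_cn "$crt")" = "test.host.net" ] \
        || { echo "audit: unexpected CN '$(cert_cn "$crt")'"; return 1; }
    # Validity window: still valid in 29 days, but expiring within 31 days.
    openssl x509 -in "$crt" -noout -checkend $((29*86400)) >/dev/null \
        || { echo "audit: certificate expires in under 29 days"; return 1; }
    openssl x509 -in "$crt" -noout -checkend $((31*86400)) >/dev/null \
        && { echo "audit: validity is longer than 30 days"; return 1; }
    # -nodes leaves the PKCS#8 key unencrypted: no ENCRYPTED marker expected.
    grep -q "ENCRYPTED" "$key" \
        && { echo "audit: private key is encrypted"; return 1; }
    return 0
}

# Stand-alone run: build the files in a scratch directory and audit them.
scratch=$(mktemp -d)
gen_test_cert "$scratch" test.host.net \
    && audit_test_cert "$scratch" \
    && echo "self-signed test certificate OK in $scratch"
```

Copy `self_signed.crt` and `self_signed.key` out of the scratch directory to the absolute paths you reference from the plugin section; `audit_test_cert` can be re-run against that directory whenever the files are regenerated.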

### Connect to virtual servers using TLS

Fluent Bit supports [TLS server name indication](https://en.wikipedia.org/wiki/Server_Name_Indication). If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can make use of `tls.vhost` to connect to a specific hostname.

```
[INPUT]
    Name  cpu
    Tag   cpu

[OUTPUT]
    Name        forward
    Match       *
    Host        192.168.10.100
    Port        24224
    tls         On
    tls.verify  On
    tls.ca_file /etc/certs/fluent.crt
    tls.vhost   fluent.example.com
```

