# Transport Security Fluent Bit provides integrated support for *Transport Layer Security* (TLS) and it predecessor *Secure Sockets Layer* (SSL) respectively. In this section we will refer as TLS only for both implementations. Both input and output plugins that perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available: | Property | Description | Default | | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- | | tls | enable or disable TLS support | Off | | tls.verify | force certificate validation | On | | tls.verify\_hostname | force TLS verification of hostnames | Off | | tls.debug | Set TLS debug verbosity level. It accept the following values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational) and 4 Verbose | 1 | | tls.ca\_file | absolute path to CA certificate file | | | tls.ca\_path | absolute path to scan for certificate files | | | tls.crt\_file | absolute path to Certificate file | | | tls.key\_file | absolute path to private Key file | | | tls.key\_passwd | optional password for tls.key\_file file | | | tls.vhost | hostname to be used for TLS SNI extension | | *Note : in order to use TLS on input plugins the user is expected to provide both a certificate and private key* The listed properties can be enabled in the configuration file, specifically on each output plugin section or directly through the command line. The following **output** plugins can take advantage of the TLS feature: * [Amazon S3](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/s3) * [Apache SkyWalking](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/skywalking) * [Azure](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/azure) * [Azure Blob](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/azure_blob) * [Azure Data Explorer (Kusto)](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/azure_kusto) * [Azure Logs Ingestion API](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/azure_logs_ingestion) * [BigQuery](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/bigquery) * [Datadog](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/datadog) * [Elasticsearch](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/elasticsearch) * [Forward](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/forward) * [GELF](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/gelf) * [Google Chronicle](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/chronicle) * [HTTP](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/http) * [InfluxDB](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/influxdb) * [Kafka REST Proxy](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/kafka-rest-proxy) * [LogDNA](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/logdna) * [Loki](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/loki) * [New Relic](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/new-relic) * [OpenSearch](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/opensearch) * [OpenTelemetry](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/opentelemetry) * [Oracle Cloud Infrastructure Logging Analytics](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/oci-logging-analytics) * [Prometheus Remote Write](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/prometheus-remote-write) * [Slack](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/slack) * [Splunk](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/splunk) * [Stackdriver](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/stackdriver) * [Syslog](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/syslog) * [TCP & TLS](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/tcp-and-tls) * [Treasure Data](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/treasure-data) * [WebSocket](https://docs.fluentbit.io/manual/3.1/pipeline/outputs/websocket) The following **input** plugins can take advantage of the TLS feature: * [Docker Events](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/docker-events) * [Elasticsearch (Bulk API)](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/elasticsearch) * [Forward](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/forward) * [Health](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/health) * [HTTP](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/http) * [Kubernetes Events](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/kubernetes-events) * [MQTT](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/mqtt) * [NGINX Exporter Metrics](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/nginx) * [OpenTelemetry](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/opentelemetry) * [Prometheus Scrape Metrics](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/prometheus-scrape-metrics) * [Prometheus Remote Write](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/prometheus-remote-write) * [Splunk (HTTP HEC)](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/splunk) * [Syslog](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/syslog) * [TCP](https://docs.fluentbit.io/manual/3.1/pipeline/inputs/tcp) In addition, other plugins implements a sub-set of TLS support, meaning, with restricted configuration: * [Kubernetes Filter](https://docs.fluentbit.io/manual/3.1/pipeline/filters/kubernetes) ## Example: enable TLS on HTTP input By default HTTP input plugin uses plain TCP, enabling TLS from the command line can be done with: ``` ./bin/fluent-bit -i http \ -p port=9999 \ -p tls=on \ -p tls.verify=off \ -p tls.crt_file=self_signed.crt \ -p tls.key_file=self_signed.key \ -o stdout \ -m '*' ``` In the command line above, the two properties *tls* and *tls.verify* where enabled for demonstration purposes (we strongly suggest always keep verification ON). The same behavior can be accomplished using a configuration file: ``` [INPUT] name http port 9999 tls on tls.verify off tls.crt_file self_signed.crt tls.key_file self_signed.key [OUTPUT] Name stdout Match * ``` ## Example: enable TLS on HTTP output By default HTTP output plugin uses plain TCP, enabling TLS from the command line can be done with: ``` $ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \ -p tls=on \ -p tls.verify=off \ -m '*' ``` In the command line above, the two properties *tls* and *tls.verify* where enabled for demonstration purposes (we strongly suggest always keep verification ON). The same behavior can be accomplished using a configuration file: ``` [INPUT] Name cpu Tag cpu [OUTPUT] Name http Match * Host 192.168.2.3 Port 80 URI /something tls On tls.verify Off ``` ## Tips and Tricks ### Generate your own self signed certificates for testing purposes. This will generate a 4096 bit RSA key pair and a certificate that is signed using SHA-256 with the expiration date set to 30 days in the future, `test.host.net` set as common name and since we opted out of `DES` the private key will be stored in plain text. ``` openssl req -x509 \ -newkey rsa:4096 \ -sha256 \ -nodes \ -keyout self_signed.key \ -out self_signed.crt \ -subj "/CN=test.host.net" ``` ### Connect to virtual servers using TLS Fluent Bit supports [TLS server name indication](https://en.wikipedia.org/wiki/Server_Name_Indication). If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can make use of `tls.vhost` to connect to a specific hostname. ``` [INPUT] Name cpu Tag cpu [OUTPUT] Name forward Match * Host 192.168.10.100 Port 24224 tls On tls.verify On tls.ca_file /etc/certs/fluent.crt tls.vhost fluent.example.com ``` ### Verify subjectAltName By default, TLS verification of hostnames is not done automatically. As an example, we can extract the X509v3 Subject Alternative Name from a certificate: ``` X509v3 Subject Alternative Name: DNS:my.fluent-aggregator.net ``` As you can see, this certificate covers only `my.fluent-aggregator.net` so if we use a different hostname it should fail. To fully verify the alternative name and demonstrate the failure we enable `tls.verify_hostname`: ``` [INPUT] Name cpu Tag cpu [OUTPUT] Name forward Match * Host other.fluent-aggregator.net Port 24224 tls On tls.verify On tls.verify_hostname on tls.ca_file /path/to/fluent-x509v3-alt-name.crt ``` This outgoing connect will be failed and disconnected: ``` [2024/06/17 16:51:31] [error] [tls] error: unexpected EOF with reason: certificate verify failed [2024/06/17 16:51:31] [debug] [upstream] connection #50 failed to other.fluent-aggregator.net:24224 [2024/06/17 16:51:31] [error] [output:forward:forward.0] no upstream connections available ```