1 of 1

Transport Security

Fluent Bit provides integrated support for Transport Layer Security (TLS) and it predecessor Secure Sockets Layer (SSL) respectively. In this section we will refer as TLS only for both implementations.

Both input and output plugins that perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available:

Property

Description

Default

tls

enable or disable TLS support

Off

tls.verify

force certificate validation

Note : in order to use TLS on input plugins the user is expected to provide both a certificate and private key

The listed properties can be enabled in the configuration file, specifically on each output plugin section or directly through the command line.

The following output plugins can take advantage of the TLS feature:

The following input plugins can take advantage of the TLS feature:

In addition, other plugins implements a sub-set of TLS support, meaning, with restricted configuration:

Example: enable TLS on HTTP input

By default HTTP input plugin uses plain TCP, enabling TLS from the command line can be done with:

In the command line above, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).

The same behavior can be accomplished using a configuration file:

Example: enable TLS on HTTP output

By default HTTP output plugin uses plain TCP, enabling TLS from the command line can be done with:

In the command line above, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).

The same behavior can be accomplished using a configuration file:

Tips and Tricks

Generate your own self signed certificates for testing purposes.

This will generate a 4096 bit RSA key pair and a certificate that is signed using SHA-256 with the expiration date set to 30 days in the future, test.host.net set as common name and since we opted out of DES the private key will be stored in plain text.

Connect to virtual servers using TLS

Fluent Bit supports . If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can make use of tls.vhost to connect to a specific hostname.

Verify subjectAltName

By default, TLS verification of hostnames is not done automatically. As an example, we can extract the X509v3 Subject Alternative Name from a certificate:

As you can see, this certificate covers only my.fluent-aggregator.net so if we use a different hostname it should fail.

To fully verify the alternative name and demonstrate the failure we enable tls.verify_hostname:

This outgoing connect will be failed and disconnected:

Transport Security

Both input and output plugins that perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available:

Property

Description

Default

tls

enable or disable TLS support

Off

tls.verify

force certificate validation

Note : in order to use TLS on input plugins the user is expected to provide both a certificate and private key

The listed properties can be enabled in the configuration file, specifically on each output plugin section or directly through the command line.

The following output plugins can take advantage of the TLS feature:

The following input plugins can take advantage of the TLS feature:

In addition, other plugins implements a sub-set of TLS support, meaning, with restricted configuration:

Example: enable TLS on HTTP input

By default HTTP input plugin uses plain TCP, enabling TLS from the command line can be done with:

In the command line above, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).

The same behavior can be accomplished using a configuration file:

Example: enable TLS on HTTP output

By default HTTP output plugin uses plain TCP, enabling TLS from the command line can be done with:

In the command line above, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).

The same behavior can be accomplished using a configuration file:

Tips and Tricks

Generate your own self signed certificates for testing purposes.

Connect to virtual servers using TLS

Fluent Bit supports . If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can make use of tls.vhost to connect to a specific hostname.

Verify subjectAltName

By default, TLS verification of hostnames is not done automatically. As an example, we can extract the X509v3 Subject Alternative Name from a certificate:

As you can see, this certificate covers only my.fluent-aggregator.net so if we use a different hostname it should fail.

To fully verify the alternative name and demonstrate the failure we enable tls.verify_hostname:

This outgoing connect will be failed and disconnected:

Transport Security

hashtagExample: enable TLS on HTTP input

hashtagExample: enable TLS on HTTP output

hashtagTips and Tricks

hashtagGenerate your own self signed certificates for testing purposes.

hashtagConnect to virtual servers using TLS

hashtagVerify subjectAltName

Transport Security

hashtagExample: enable TLS on HTTP input

hashtagExample: enable TLS on HTTP output

hashtagTips and Tricks

hashtagGenerate your own self signed certificates for testing purposes.

hashtagConnect to virtual servers using TLS

hashtagVerify subjectAltName

Example: enable TLS on HTTP input

Example: enable TLS on HTTP output

Tips and Tricks

Generate your own self signed certificates for testing purposes.

Connect to virtual servers using TLS

Verify subjectAltName

Example: enable TLS on HTTP input

Example: enable TLS on HTTP output

Tips and Tricks

Generate your own self signed certificates for testing purposes.

Connect to virtual servers using TLS

Verify subjectAltName