Security

Fluent Bit provides integrated support for Transport Layer Security (TLS) and it predecessor Secure Sockets Layer (SSL) respectively. In this section we will refer as TLS only for both implementations.
Each output plugin that requires to perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available:
Property
Description
Default
tls
enable or disable TLS support
Off
tls.verify
force certificate validation
On
tls.debug
Set TLS debug verbosity level. It accept the following values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational) and 4 Verbose
1
tls.ca_file
absolute path to CA certificate file
​
tls.ca_path
absolute path to scan for certificate files
​
tls.crt_file
absolute path to Certificate file
​
tls.key_file
absolute path to private Key file
​
tls.key_passwd
optional password for tls.key_file file
​
tls.vhost
hostname to be used for TLS SNI extension
​
The listed properties can be enabled in the configuration file, specifically on each output plugin section or directly through the command line. 
The following output plugins can take advantage of the TLS feature:
​Azure​
​BigQuery​
​Datadog​
​Elasticsearch​
​Forward​
​GELF​
​HTTP​
​InfluxDB​
​Kafka REST Proxy​
Slack
​Splunk​
​Stackdriver​
​TCP & TLS​
​Treasure Data​
In addition, other plugins implements a sub-set of TLS support, meaning, with restricted configuration:
​Kubernetes Filter​
Example: enable TLS on HTTP output
By default HTTP output plugin uses plain TCP, enabling TLS from the command line can be done with:
$ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \
    -p tls=on         \
    -p tls.verify=off \
    -m '*'
In the command line above, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).
The same behavior can be accomplished using a configuration file:
[INPUT]
    Name  cpu
    Tag   cpu
​
[OUTPUT]
    Name       http
    Match      *
    Host       192.168.2.3
    Port       80
    URI        /something
    tls        On
    tls.verify Off
Tips and Tricks
Connect to virtual servers using TLS
Fluent Bit supports TLS server name indication. If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can make use of tls.vhost to connect to a specific hostname.
[INPUT]
    Name  cpu
    Tag   cpu
​
[OUTPUT]
    Name        forward
    Match       *
    Host        192.168.10.100
    Port        24224
    tls         On
    tls.verify  On
    tls.ca_file /etc/certs/fluent.crt
    tls.vhost   fluent.example.com

Last modified 3yr ago

Property	Description	Default
tls	enable or disable TLS support	Off
tls.verify	force certificate validation	On
tls.debug	Set TLS debug verbosity level. It accept the following values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational) and 4 Verbose	1
tls.ca_file	absolute path to CA certificate file
tls.ca_path	absolute path to scan for certificate files
tls.crt_file	absolute path to Certificate file
tls.key_file	absolute path to private Key file
tls.key_passwd	optional password for tls.key_file file
tls.vhost	hostname to be used for TLS SNI extension