Security
Fluent Bit provides integrated support for Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). In this section we refer to both implementations as TLS.
Each output plugin that needs to perform network I/O can optionally enable TLS and configure its behavior. The following table describes the available properties:
Property | Description | Default |
---|---|---|
tls | Enable or disable TLS support | Off |
tls.verify | Force certificate validation | On |
tls.debug | Set the TLS debug verbosity level. Accepted values: 0 (no debug), 1 (error), 2 (state change), 3 (informational) and 4 (verbose) | 1 |
tls.ca_file | Absolute path to the CA certificate file | |
tls.ca_path | Absolute path to scan for certificate files | |
tls.crt_file | Absolute path to the certificate file | |
tls.key_file | Absolute path to the private key file | |
tls.key_passwd | Optional password for the tls.key_file file | |
tls.vhost | Hostname to be used for the TLS SNI extension | |
The listed properties can be set in the configuration file, specifically in each output plugin section, or directly on the command line.
The following output plugins can take advantage of the TLS feature:
- Amazon CloudWatch
- Amazon Kinesis Data Firehose
- Amazon S3
- Azure
- BigQuery
- Datadog
- Elasticsearch
- Forward
- GELF
- HTTP
- InfluxDB
- Kafka REST Proxy
- Slack
- Splunk
- Stackdriver
- TCP & TLS
- Treasure Data
In addition, other plugins implement a subset of TLS support, meaning they offer a restricted configuration:
Example: enable TLS on HTTP output
By default the HTTP output plugin uses plain TCP. Enabling TLS from the command line can be done with:
```
$ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \
    -p tls=on \
    -p tls.verify=off \
    -m '*'
```
In the command line above, the two properties tls and tls.verify were set explicitly for demonstration purposes (we strongly suggest always keeping verification on).
The same behavior can be accomplished using a configuration file:
```
[INPUT]
    Name cpu
    Tag  cpu

[OUTPUT]
    Name       http
    Match      *
    Host       192.168.2.3
    Port       80
    URI        /something
    tls        On
    tls.verify Off
```
Tips and Tricks
Connect to virtual servers using TLS
Fluent Bit supports TLS server name indication (SNI). If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can use tls.vhost to connect to a specific hostname.
```
[INPUT]
    Name cpu
    Tag  cpu

[OUTPUT]
    Name        forward
    Match       *
    Host        192.168.10.100
    Port        24224
    tls         On
    tls.verify  On
    tls.ca_file /etc/certs/fluent.crt
    tls.vhost   fluent.example.com
```
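The property table, the HTTP example above (where tls.verify is switched off for demonstration) and the tls.vhost example all come down to a handful of settings in each [OUTPUT] section, and an operator usually wants to know which sections ship with the weak combination before deploying a config. The following audit script is an added example, not part of Fluent Bit or of this page: it parses only the "[SECTION]" / "Key Value" subset of the classic configuration format, applies the defaults from the table (tls Off, tls.verify On), and reports outputs that run in plaintext, skip certificate validation, configure no CA, or point at an IP literal without a tls.vhost for SNI. The two configuration snippets from this page are embedded as input; the function names, severity labels and the accepted boolean spellings ("on", "true") are assumptions of the example.

```python
"""Audit TLS settings of OUTPUT sections in a classic-format Fluent Bit config.

Added example, not Fluent Bit code: it handles only the "[SECTION]" /
"Key Value" subset of the classic format. Function names, severity labels and
the boolean spellings accepted by _is_on are assumptions of this example.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Defaults taken from the property table on the page.
TLS_DEFAULTS = {"tls": "Off", "tls.verify": "On", "tls.debug": "1"}

# The two configuration snippets from the page, embedded as sample input.
PAGE_HTTP_CONFIG = """
[INPUT]
    Name cpu
    Tag  cpu
[OUTPUT]
    Name       http
    Match      *
    Host       192.168.2.3
    Port       80
    URI        /something
    tls        On
    tls.verify Off
"""

PAGE_FORWARD_CONFIG = """
[INPUT]
    Name cpu
    Tag  cpu
[OUTPUT]
    Name        forward
    Match       *
    Host        192.168.10.100
    Port        24224
    tls         On
    tls.verify  On
    tls.ca_file /etc/certs/fluent.crt
    tls.vhost   fluent.example.com
"""

Section = Dict[str, str]
Finding = Tuple[str, str, str]  # (plugin name, severity, message)


def parse_classic_config(text: str) -> List[Section]:
    """Split a classic-format config into sections. Keys are lower-cased
    because Fluent Bit treats them case-insensitively."""
    sections: List[Section] = []
    current: Section = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {"__section__": header.group(1).upper()}
            sections.append(current)
            continue
        if not current:
            raise ValueError(f"key/value outside of a section: {line!r}")
        key, _, value = line.partition(" ")
        current[key.lower()] = value.strip()
    return sections


def _is_on(value: str) -> bool:
    # Assumption of this example: "on" and "true" count as enabled.
    return value.strip().lower() in ("on", "true")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_outputs(text: str) -> List[Finding]:
    """Return one finding per weak or incomplete TLS setting in each OUTPUT section."""
    findings: List[Finding] = []
    for sec in parse_classic_config(text):
        if sec.get("__section__") != "OUTPUT":
            continue
        name = sec.get("name", "<unnamed>")
        host = sec.get("host", "")
        tls_on = _is_on(sec.get("tls", TLS_DEFAULTS["tls"]))
        verify_on = _is_on(sec.get("tls.verify", TLS_DEFAULTS["tls.verify"]))

        if not tls_on:
            # Heuristic: only sections that name a remote Host talk to the
            # network in the sense the page describes.
            if host:
                findings.append((name, "HIGH", "tls is Off: records are sent over plain TCP"))
            continue
        if not verify_on:
            findings.append((name, "HIGH", "tls.verify Off: the server certificate is not validated"))
        if "tls.ca_file" not in sec and "tls.ca_path" not in sec:
            findings.append((name, "INFO", "no tls.ca_file or tls.ca_path set in this section"))
        if host and _is_ip_literal(host) and "tls.vhost" not in sec:
            findings.append((name, "WARN", "Host is an IP literal and tls.vhost is unset: no hostname is available for SNI"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("http", PAGE_HTTP_CONFIG), ("forward", PAGE_FORWARD_CONFIG)):
        print(f"== {label} ==")
        for plugin, severity, msg in audit_outputs(cfg) or [("-", "OK", "no TLS findings")]:
            print(f"[{severity}] {plugin}: {msg}")
```

Run against the two page snippets, the HTTP section yields three findings (verification off, no CA configured, IP host without tls.vhost) while the forward section, which keeps tls.verify On and sets both tls.ca_file and tls.vhost, yields none. Plugins such as the cloud outputs that carry no Host key are deliberately left alone by the plaintext check, since the page only ties TLS to outputs that perform their own network I/O.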