-
Notifications
You must be signed in to change notification settings - Fork 56
Tls Input
Frank Denis edited this page Sep 30, 2015
·
5 revisions
TLS provides transport security, with optional certificate-based client authentication.
With a dedicated thread/parser for each connection (recommended for optimal performance, using less persistent connections than the available number of cores):
[input]
type = "tls"
listen = "0.0.0.0:6514"
tls_cert = "flowgger.pem"
tls_key = "flowgger.pem"
tls_method = "any"
With a fixed number of threads, using coroutines (recommended if many persistent connections have to be processed on a limited number of cores):
[input]
type = "tls_co"
listen = "0.0.0.0:6514"
tls_cert = "flowgger.pem"
tls_key = "flowgger.pem"
tls_method = "any"
Note: a self-signed certificate and key can be created with:
openssl req -x509 -nodes -newkey rsa:3072 -sha256 -keyout flowgger.pem -out flowgger.pem
Optional properties:
-
timeout = <seconds>
: automatically close idle connections after the specified number of seconds. ignored by thetls_co
implementation. -
framing = "<splitter>"
: indicates how messages are split. -
tls_threads = <number>
: the number of threads to use. only for thetls_co
implementation. -
tls_cert = "<path>"
: path to the certificate file in PEM format -
tls_key = "<path>"
: path to the key file in PEM format, which can be the same astls_cert
. -
tls_ciphers = "<ciphers suite>"
: the cipher suite. Flowgger ships with a safe default configuration for modern clients. -
tls_method = "<TLS method>"
: one ofany
(default),tlsv1
,tlsv1.1
andtlsv1.2
. -
tls_verify_peer = false|true
: requires a valid client certificate. -
tls_ca_file = "<path>"
: path to root certificates file in PEM format, used to verify client certificates. -
tls_compression = false|true
: disable/enable compression (not recommended for sensitive data).