Security

Fluent Bit provides integrated support for Transport Layer Security (TLS) and it predecessor Secure Sockets Layer (SSL) respectively. In this section we will refer as TLS only for both implementations.

Each output plugin that requires to perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available:

Property Description Default
tls enable or disable TLS support Off
tls.verify force certificate validation On
tls.debug Set TLS debug verbosity level. It accept the following values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational) and 4 Verbose 1
tls.ca_file absolute path to CA certificate file
tls.ca_path absolute path to scan for certificate files
tls.crt_file absolute path to Certificate file
tls.key_file absolute path to private Key file
tls.key_passwd optional password for tls.key_file file
tls.vhost hostname to be used for TLS SNI extension

The listed properties can be enabled in the configuration file, specifically on each output plugin section or directly through the command line.

The following output plugins can take advantage of the TLS feature:

In addition, other plugins implements a sub-set of TLS support, meaning, with restricted configuration:

Example: enable TLS on HTTP output

By default HTTP output plugin uses plain TCP, enabling TLS from the command line can be done with:

  1. $ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \
  2.     -p tls=on         \
  3.     -p tls.verify=off \
  4.     -m '*'

In the command line above, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).

The same behavior can be accomplished using a configuration file:

  1. [INPUT]
  2.     Name  cpu
  3.     Tag   cpu
  5. [OUTPUT]
  6.     Name       http
  7.     Match      *
  8.     Host       192.168.2.3
  9.     Port       80
  10.     URI        /something
  11.     tls        On
  12.     tls.verify Off

Tips and Tricks

Connect to virtual servers using TLS

Fluent Bit supports TLS server name indication. If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can make use of tls.vhost to connect to a specific hostname.

  1. [INPUT]
  2.     Name  cpu
  3.     Tag   cpu
  5. [OUTPUT]
  6.     Name        forward
  7.     Match       *
  8.     Host        192.168.10.100
  9.     Port        24224
  10.     tls         On
  11.     tls.verify  On
  12.     tls.ca_file /etc/certs/fluent.crt
  13.     tls.vhost   fluent.example.com