Configure TLS
The Collector's TLS settings, backed by Go's crypto/tls, can be adjusted within individual receivers and exporters.
Note: Mutual TLS (mTLS) is also supported.
Configure TLS / mTLS
By default, TLS is enabled. To configure it:
- Review the required and optional settings described below.
- To complete the TLS/mTLS configuration, proceed to Configure TLS clients or Configure TLS servers.
Required settings
The following settings control whether a component uses TLS and which certificate and key it presents. A TLS server always has to present a certificate; a client needs cert_file/key_file (or the _pem variants) only when the server requires mTLS.
- insecure: false by default. When true, transport security is disabled and the exporter's HTTP or gRPC connection is sent in plaintext. For gRPC, this corresponds to Go's grpc.WithInsecure().
- cert_file: Use only if insecure is set to false. Path to the TLS certificate to present on TLS-required connections.
- cert_pem: Alternative to cert_file. Provide the certificate contents as a string instead of a file path.
- key_file: Use only if insecure is set to false. Path to the TLS private key to use on TLS-required connections.
- key_pem: Alternative to key_file. Provide the key contents as a string instead of a file path. This embeds a private key in the Collector configuration, so protect that configuration file at least as strictly as you would the key file itself.
Additional settings
TLS version
Caution: Avoid using TLS 1.0 and 1.1. Both are deprecated due to known vulnerabilities.
You can set minimum and maximum TLS versions:
- min_version: "1.2" by default. Minimum acceptable TLS version. Options: "1.0", "1.1", "1.2", "1.3".
- max_version: "" by default, which means the highest version supported by Go's crypto/tls (TLS 1.3). Maximum acceptable TLS version. Options: "1.0", "1.1", "1.2", "1.3".
Cipher suites
You can set explicit cipher suites using cipher_suites. It is [] by default; if left blank, a safe default list is used. See the Cipher suites source files for a list of supported cipher suites. Note that Go's crypto/tls applies this list only to TLS 1.0 through 1.2 negotiation; the TLS 1.3 cipher suites are fixed and cannot be restricted with this setting.
For example:
cipher_suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
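As an added example (not code from the OpenTelemetry project), the Go program below resolves min_version, max_version and cipher_suites values like those above into a crypto/tls configuration, using Go's own cipher suite tables for the name-to-ID lookup. It deliberately goes beyond the page in two ways, both marked in the code: it refuses the deprecated "1.0" and "1.1" values that the Caution warns about even though the Collector accepts them, and it rejects TLS 1.3 suite names because crypto/tls ignores the CipherSuites field for TLS 1.3. The Settings type and the Resolve function are this example's own names and do not exist in the Collector.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// tlsVersions maps the min_version / max_version strings from the YAML to crypto/tls constants.
var tlsVersions = map[string]uint16{
	"1.0": tls.VersionTLS10, "1.1": tls.VersionTLS11, "1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13,
}

// Settings is this example's own struct for the three options discussed above.
type Settings struct {
	MinVersion   string   // min_version; "" keeps the page's default of "1.2"
	MaxVersion   string   // max_version; "" lets crypto/tls use its highest supported version
	CipherSuites []string // cipher_suites; empty keeps crypto/tls's safe default list
}

// Resolve turns Settings into a tls.Config. Beyond plain name lookup it enforces the page's
// Caution (no TLS 1.0/1.1, which the Collector itself would accept), rejects suite names that
// crypto/tls classes as insecure, and refuses TLS 1.3-only suites, because the CipherSuites
// field only governs TLS 1.0-1.2 and would silently ignore them.
func Resolve(s Settings) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if s.MinVersion != "" {
		v, ok := tlsVersions[s.MinVersion]
		if !ok {
			return nil, fmt.Errorf("unknown min_version %q", s.MinVersion)
		}
		if v < tls.VersionTLS12 {
			return nil, fmt.Errorf("min_version %q is deprecated; use \"1.2\" or \"1.3\"", s.MinVersion)
		}
		cfg.MinVersion = v
	}
	if s.MaxVersion != "" {
		v, ok := tlsVersions[s.MaxVersion]
		if !ok {
			return nil, fmt.Errorf("unknown max_version %q", s.MaxVersion)
		}
		if v < cfg.MinVersion {
			return nil, fmt.Errorf("max_version %q is below min_version", s.MaxVersion)
		}
		cfg.MaxVersion = v
	}
	byName := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	for _, name := range s.CipherSuites {
		if insecure[name] {
			return nil, fmt.Errorf("cipher suite %s is insecure and will not be enabled", name)
		}
		cs, ok := byName[name]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %s", name)
		}
		if len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
			return nil, fmt.Errorf("%s is a TLS 1.3 suite; cipher_suites cannot restrict TLS 1.3", name)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
	}
	return cfg, nil
}

func main() {
	cfg, err := Resolve(Settings{CipherSuites: []string{
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	}})
	if err != nil {
		panic(err)
	}
	fmt.Printf("min=%#x max=%#x suites=%#x\n", cfg.MinVersion, cfg.MaxVersion, cfg.CipherSuites)
	_, err = Resolve(Settings{MinVersion: "1.1"})
	fmt.Println("min_version 1.1 rejected:", err)
}
```

The three suites from the YAML above resolve to their crypto/tls IDs with MinVersion left at 1.2 and MaxVersion at 0 (unbounded); TLS_RSA_WITH_RC4_128_SHA and TLS_AES_128_GCM_SHA256 are both refused, the first as insecure, the second because it is TLS 1.3-only.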
Reload certificates
Optionally, you can reload certificates with reload_interval, which specifies the duration after which the certificate is reloaded from its configured path. If not set, certificates are never reloaded, so a Collector using rotated or short-lived certificates has to be restarted to pick up new files. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Configure TLS clients
To configure TLS clients in exporters, use the settings in the previous section together with ca_file, the path to the CA certificate(s) used to verify the server's certificate (the system root CAs are used if it is omitted).
Optionally, you can also configure server_name_override. If set to a non-empty string, it overrides the virtual host name of the authority in requests: it is sent as the TLS server name (SNI) and is the name the server's certificate is verified against, instead of the host from endpoint. This is typically used for testing.
The example below also shows insecure_skip_verify. Setting it to true keeps the connection encrypted but disables verification of the server's certificate, so any certificate, including one presented by an on-path attacker, is accepted. Treat it as a testing-only setting, like insecure.
For example:
exporters:
  otlp:
    endpoint: myserver.local:55690
    tls:
      insecure: false
      ca_file: server.crt
      cert_file: client.crt
      key_file: client.key
      min_version: "1.2"
      max_version: "1.3"
  otlp/insecure:
    endpoint: myserver.local:55690
    tls:
      insecure: true
  otlp/secure_no_verify:
    endpoint: myserver.local:55690
    tls:
      insecure: false
      insecure_skip_verify: true
Configure TLS servers
To configure TLS servers in Collector receivers, use the settings in the previous section.
Optionally, you can also configure:
- client_ca_file: Path to the CA certificate(s) the server uses to verify client certificates. Setting it sets ClientCAs and ClientAuth to RequireAndVerifyClientCert in the TLS configuration, so a client that presents no certificate, or one not issued by that CA, is rejected during the handshake. Refer to https://godoc.org/crypto/tls#Config for more information.
- client_ca_file_reload: false by default. Reloads the ClientCAs file when it is modified.
Note: client_ca_file is required for mTLS, and every exporter that connects to such a receiver must then be configured with cert_file/key_file (or cert_pem/key_pem). client_ca_file_reload is optional.
For example:
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: mysite.local:55690
        tls:
          cert_file: server.crt
          key_file: server.key
  otlp/mtls:
    protocols:
      grpc:
        endpoint: mysite.local:55690
        tls:
          client_ca_file: client.pem
          cert_file: server.crt
          key_file: server.key
  otlp/notls:
    protocols:
      grpc:
        endpoint: mysite.local:55690
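To see what the otlp/mtls receiver and the exporter configurations above actually negotiate, here is an added Go example (not the Collector's code) that builds an in-memory CA, server certificate and client certificate in place of ca_file, cert_file, key_file and client_ca_file, then runs handshakes over net.Pipe with tls.Config values equivalent to those settings: client_ca_file becomes ClientCAs plus RequireAndVerifyClientCert, ca_file becomes RootCAs, server_name_override becomes ServerName, and insecure_skip_verify becomes InsecureSkipVerify. The issueCert, handshake and Scenarios names, the certificate names, and the two extra cases (a wrong server name and a TLS 1.1-only client) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// issueCert mints a throwaway P-256 certificate: a self-signed CA when parent is nil, else a
// leaf for name signed by parent. It stands in for the ca_file/cert_file/key_file paths.
func issueCert(name string, eku []x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fixture helper: there is nothing sensible to do without a key
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the SAN a client's ServerName is checked against
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over an in-memory pipe and returns the client's view of the
// connection plus the first error seen on either side (the server's if the client saw a clean close).
func handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	srvConn, cliConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		s := tls.Server(srvConn, serverCfg)
		err := s.Handshake()
		s.Close() // on success this sends close_notify, which ends the client's drain read
		srvErr <- err
	}()
	c := tls.Client(cliConn, clientCfg)
	err := c.Handshake()
	if err == nil {
		_, err = c.Read(make([]byte, 1)) // drain: in TLS 1.3 the receiver's verdict on the client cert arrives here
	}
	c.Close()
	if sErr := <-srvErr; err == io.EOF { // clean close_notify: the server's result is the verdict
		err = sErr
	}
	return c.ConnectionState(), err
}

// Scenarios replays the page's exporter configurations against the otlp/mtls receiver and
// reports which handshakes complete at TLS 1.2 or higher, keyed by exporter name plus two extras.
func Scenarios() map[string]bool {
	ca := issueCert("example-ca", nil, nil)
	srv := issueCert("mysite.local", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, &ca)
	cli := issueCert("collector-exporter", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	receiver := &tls.Config{ // otlp/mtls: client_ca_file => ClientCAs + RequireAndVerifyClientCert
		Certificates: []tls.Certificate{srv}, MinVersion: tls.VersionTLS12, // min_version: "1.2"
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert,
	}
	try := func(c *tls.Config) bool {
		st, err := handshake(receiver, c)
		return err == nil && st.Version >= tls.VersionTLS12
	}
	withCert := []tls.Certificate{cli}
	return map[string]bool{
		// otlp: ca_file + cert_file/key_file; ServerName is the host from endpoint.
		"otlp": try(&tls.Config{RootCAs: pool, Certificates: withCert, ServerName: "mysite.local"}),
		// otlp without cert_file/key_file: the receiver rejects the anonymous client.
		"otlp_no_client_cert": try(&tls.Config{RootCAs: pool, ServerName: "mysite.local"}),
		// server_name_override naming a host the receiver's certificate does not carry.
		"otlp_wrong_server_name": try(&tls.Config{RootCAs: pool, Certificates: withCert, ServerName: "other.local"}),
		// otlp/secure_no_verify: insecure_skip_verify accepts any server certificate, so this needs no CA at all.
		"otlp/secure_no_verify": try(&tls.Config{InsecureSkipVerify: true, Certificates: withCert}),
		// A client capped at TLS 1.1 cannot satisfy the receiver's min_version "1.2".
		"tls11_client": try(&tls.Config{RootCAs: pool, Certificates: withCert, ServerName: "mysite.local", MinVersion: tls.VersionTLS11, MaxVersion: tls.VersionTLS11}),
	}
}
```

Only otlp and otlp/secure_no_verify complete a handshake. The second result is the caveat worth remembering: with insecure_skip_verify the exporter never checks who it is talking to, so the link is encrypted but the receiver is unauthenticated, while the receiver still enforces its own client_ca_file check on the exporter.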
Learn more
For more details on the available settings, refer to TLS Configuration Settings in OTel's GitHub repo.