Configure TLS 🔗
Crypto TLS exposes a variety of settings you can adjust within individual receivers or exporters of the Collector.
注釈
Mutual TLS (mTLS) is also supported.
Configure TLS / mTLS 🔗
By default, TLS is enabled:
See the required and optional settings available
To complete the TLS/mTLS configuration, proceed to Configure TLS clients or Configure TLS servers
Required settings 🔗
以下の設定が必要です:
insecure.falseby default. Whether to enable client transport security for the exporter’s HTTPs or gRPC connection.For gRCP, see Golang’s grpc.WithInsecure() .
cert_file. Use only ifinsecureis set tofalse. Path to the TLS cert to use for TLS required connections.cert_pem. Alternative tocert_file. Provide the certificate contents as a string instead of a filepath.key_file. Use only ifinsecureis set tofalse. Path to the TLS key to use for TLS required connections.key_pem: Alternative tokey_file. Provide the key contents as a string instead of a filepath.
追加設定 🔗
TLS version 🔗
注意
Avoid using TLS 1.0 and 1.1. Both are deprecated due to known vulnerabilities.
You can set minimum and maximum TLS versions:
min_version. 「1.2」 by default. Minimum acceptable TLS version.Options: 「1.0」, 「1.1」, 「1.2」, 「1.3」
max_version. 「」 by default. Maximum acceptable TLS version.Options: 「1.0」, 「1.1」, 「1.2」, 「1.3」
Cipher suites 🔗
You can set explicit cipher suites using cipher_suites.
[]by default. If left blank, a safe default list is used.See the Cipher suites source files for a list of supported cipher suites.
例:
cipher_suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Reload certificates 🔗
Optionally you can reload certificates with reload_interval, which specifies the duration after which the certificate will be reloaded.
If not set, certificates are never reloaded.
Valid time units are 「ns」, 「us」 (or 「µs」), 「ms」, 「s」, 「m」, 「h」.
Configure TLS clients 🔗
To configure TLS clients in exporters use the settings in the previous section.
Optionally, you can also configure server_name_override.
If set to a non-empty string, it will override the virtual host name of the authority in requests.
This is typically used for testing.
例:
exporters:
otlp:
endpoint: myserver.local:55690
tls:
insecure: false
ca_file: server.crt
cert_file: client.crt
key_file: client.key
min_version: "1.1"
max_version: "1.2"
otlp/insecure:
endpoint: myserver.local:55690
tls:
insecure: true
otlp/secure_no_verify:
endpoint: myserver.local:55690
tls:
insecure: false
insecure_skip_verify: true
Configure TLS servers 🔗
To configure TLS servers in collector receivers use the settings in the previous section.
Optionally, you can also configure:
client_ca_file. Path to the TLS cert to use by the server to verify a client certificate. This sets the ClientCAs and ClientAuth toRequireAndVerifyClientCertin the TLS configuration. Refer to https://godoc.org/crypto/tls#Config for more information.client_ca_file_reload.falseby default. Reloads the ClientCAs file when it is modified.
注釈
These are required for mTLS.
例:
receivers:
otlp:
protocols:
grpc:
endpoint: mysite.local:55690
tls:
cert_file: server.crt
key_file: server.key
otlp/mtls:
protocols:
grpc:
endpoint: mysite.local:55690
tls:
client_ca_file: client.pem
cert_file: server.crt
key_file: server.key
otlp/notls:
protocols:
grpc:
endpoint: mysite.local:55690
さらに詳しく 🔗
For more details on the available settings refer to TLS Configuration Settings in OTel’s GitHub repo.