secure_forward

The in_secure_forward
input plugin accepts messages via SSL with authentication (cf. out_secure_forward). This document doesn't describe all parameters. If you want to know full features, check the Further Reading section.
Installation
in_secure_forward
is not included in either td-agent
package or fluentd
gem. In order to install it, please refer to the Plugin Management article.
Example Configurations
This section provides some example configurations for in_secure_forward
.
Minimalist Configuration
At first, generate private CA file by secure-forward-ca-generate
, then copy that file to output plugin side by safe way (scp, or anyway else).
<source>
@type secure_forward
shared_key secret_string
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
secure true
ca_cert_path /path/to/certificate/ca_cert.pem
ca_private_key_path /path/to/certificate/ca_key.pem
ca_private_key_passphrase passphrase_for_private_CA_secret_key
</source>
Check username/password from Clients
<source>
@type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
secure true
ca_cert_path /path/to/certificate/ca_cert.pem
ca_private_key_path /path/to/certificate/ca_key.pem
ca_private_key_passphrase passphrase_for_private_CA_secret_key
authentication yes # Deny clients without valid username/password
<user>
username tagomoris
password foobar012
</user>
<user>
username frsyuki
password yakiniku
</user>
</source>
Deny Unknown Source IP/hosts
<source>
@type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
secure true
ca_cert_path /path/to/certificate/ca_cert.pem
ca_private_key_path /path/to/certificate/ca_key.pem
ca_private_key_passphrase passphrase_for_private_CA_secret_key
allow_anonymous_source no # Allow to accept from nodes of <client>
<client>
host 192.168.10.30
# network address (ex: 192.168.10.0/24) NOT Supported now
</client>
<client>
host your.host.fqdn.local
# wildcard (ex: *.host.fqdn.local) NOT Supported now
</client>
</source>
You can use the username/password check and client check together:
<source>
@type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
secure true
ca_cert_path /path/to/certificate/ca_cert.pem
ca_private_key_path /path/to/certificate/ca_key.pem
ca_private_key_passphrase passphrase_for_private_CA_secret_key
allow_anonymous_source no # Allow to accept from nodes of <client>
authentication yes # Deny clients without valid username/password
<user>
username tagomoris
password foobar012
</user>
<user>
username frsyuki
password sukiyaki
</user>
<user>
username repeatedly
password sushi
</user
<client>
host 192.168.10.30 # allow all users to connect from 192.168.10.30
</client>
<client>
host 192.168.10.31
users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
</client>
<client>
host 192.168.10.32
shared_key less_secret_string # limited shared_key for 192.168.10.32
users repeatedly # and repeatedly only
</client>
</source>
Secure Sender-Receiver Setup
Please refer to the Secure Sender-Receiver Setup sample documentation.
Parameters
type
This parameter is required. Its value must be secure_forward
.
port (integer)
The default value is 24284.
bind (string)
The default value is 0.0.0.0.
secure (bool)
Indicate published connection is secure or not. Specify yes
(or true
) if secure encryption needed.
self_hostname (string)
Default value of the auto-generated certificate common name (CN).
shared_key (string)
Shared key between nodes.
allow_keepalive (bool)
Accept keepalive connection. The default value is true
.
allow_anonymous_source (bool)
Accept connections from unknown hosts.
authentication (bool)
Require password authentication. The default value is false
.
ca_cert_path (string)
The path to the private CA certificate file, which is required to use private CA. (One of this parameter or cert_path
is required for secure yes
configuration.)
ca_private_key_path (string)
The path to the private key for private CA certificate key file.
ca_private_key_passphrase (string)
The passphrase string for private key file, specified by ca_private_key_path
.
read_length (size)
The number of bytes read per nonblocking read. The default value is 8MB=810241024 bytes.
read_interval_msec (integer)
The interval between the non-blocking reads, in milliseconds. The default value is 50.
socket_interval_msec (integer)
The interval between SSL reconnects in milliseconds. The default value is 200.
log_level option
The log_level
option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal
, error
, warn
, info
, debug
, and trace
.
Please see the logging article for further details.
Further Reading
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last updated
Was this helpful?