# secure\_forward
The `in_secure_forward` input plugin accepts messages via **SSL with authentication** (cf. [out\_secure\_forward](https://docs.fluentd.org/0.12/output/secure_forward)). This document doesn't describe all parameters. If you want to know full features, check the Further Reading section.
## Installation
`in_secure_forward` is **not** included in either `td-agent` package or `fluentd` gem. In order to install it, please refer to the [Plugin Management](https://docs.fluentd.org/0.12/deployment/plugin-management) article.
## Example Configurations
This section provides some example configurations for `in_secure_forward`.
### Minimalist Configuration
At first, generate private CA file by `secure-forward-ca-generate`, then copy that file to output plugin side by safe way (scp, or anyway else).
```
@type secure_forward
shared_key secret_string
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
secure true
ca_cert_path /path/to/certificate/ca_cert.pem
ca_private_key_path /path/to/certificate/ca_key.pem
ca_private_key_passphrase passphrase_for_private_CA_secret_key
```
### Check username/password from Clients
```
@type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
secure true
ca_cert_path /path/to/certificate/ca_cert.pem
ca_private_key_path /path/to/certificate/ca_key.pem
ca_private_key_passphrase passphrase_for_private_CA_secret_key
authentication yes # Deny clients without valid username/password
username tagomoris
password foobar012
username frsyuki
password yakiniku
```
### Deny Unknown Source IP/hosts
```
@type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
secure true
ca_cert_path /path/to/certificate/ca_cert.pem
ca_private_key_path /path/to/certificate/ca_key.pem
ca_private_key_passphrase passphrase_for_private_CA_secret_key
allow_anonymous_source no # Allow to accept from nodes of
host 192.168.10.30
# network address (ex: 192.168.10.0/24) NOT Supported now
host your.host.fqdn.local
# wildcard (ex: *.host.fqdn.local) NOT Supported now
```
You can use the username/password check and client check together:
```
@type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
secure true
ca_cert_path /path/to/certificate/ca_cert.pem
ca_private_key_path /path/to/certificate/ca_key.pem
ca_private_key_passphrase passphrase_for_private_CA_secret_key
allow_anonymous_source no # Allow to accept from nodes of
authentication yes # Deny clients without valid username/password
username tagomoris
password foobar012
username frsyuki
password sukiyaki
username repeatedly
password sushi
host 192.168.10.30 # allow all users to connect from 192.168.10.30
host 192.168.10.31
users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
host 192.168.10.32
shared_key less_secret_string # limited shared_key for 192.168.10.32
users repeatedly # and repeatedly only
```
### Secure Sender-Receiver Setup
Please refer to the **Secure Sender-Receiver Setup** [sample documentation](https://docs.fluentd.org/0.12/output/secure_forward#Secure-Sender-Receiver-Setup).
## Parameters
### type
This parameter is required. Its value must be `secure_forward`.
### port (integer)
The default value is 24284.
### bind (string)
The default value is 0.0.0.0.
### secure (bool)
Indicate published connection is secure or not. Specify `yes` (or `true`) if secure encryption needed.
### self\_hostname (string)
Default value of the auto-generated certificate common name (CN).
### shared\_key (string)
Shared key between nodes.
### allow\_keepalive (bool)
Accept keepalive connection. The default value is `true`.
### allow\_anonymous\_source (bool)
Accept connections from unknown hosts.
### authentication (bool)
Require password authentication. The default value is `false`.
### ca\_cert\_path (string)
The path to the private CA certificate file, which is required to use private CA. (One of this parameter or `cert_path` is required for `secure yes` configuration.)
### ca\_private\_key\_path (string)
The path to the private key for private CA certificate key file.
### ca\_private\_key\_passphrase (string)
The passphrase string for private key file, specified by `ca_private_key_path`.
### read\_length (size)
The number of bytes read per nonblocking read. The default value is 8MB=8*1024*1024 bytes.
### read\_interval\_msec (integer)
The interval between the non-blocking reads, in milliseconds. The default value is 50.
### socket\_interval\_msec (integer)
The interval between SSL reconnects in milliseconds. The default value is 200.
#### log\_level option
The `log_level` option allows the user to set different levels of logging for each plugin. The supported log levels are: `fatal`, `error`, `warn`, `info`, `debug`, and `trace`.
Please see the [logging article](https://docs.fluentd.org/0.12/deployment/logging) for further details.
## Further Reading
* [fluent-plugin-secure-forward repository](https://github.com/tagomoris/fluent-plugin-secure-forward)
If this article is incorrect or outdated, or omits critical information, please [let us know](https://github.com/fluent/fluentd-docs-gitbook/issues?state=open). [Fluentd](http://www.fluentd.org/) is a open source project under [Cloud Native Computing Foundation (CNCF)](https://cncf.io/). All components are available under the Apache 2 License.