Config: Transport Section
Some Fluentd input, output, and filter plugins that use the `server`/`http_server` plugin helper also support the `<transport>` section to specify how to handle the connections.

The `transport` section must be under `<match>`, `<source>`, and `<filter>` sections. It specifies the transport protocol, version, and certificates.

```
# tcp
<transport tcp>
</transport>

# udp
<transport udp>
</transport>

# tls
<transport tls>
  cert_path /path/to/fluentd.crt
  private_key_path /path/to/fluentd.key
  private_key_passphrase YOUR_PASSPHRASE
  # ...
</transport>
```

- `protocol` [enum: `tcp`/`udp`/`tls`]
  - Default: `tcp`
- `version` [enum: `TLS1_1`/`TLS1_2`/`TLS1_3`]
  - Default: `TLSv1_2`
- `min_version` [enum: `TLS1_1`/`TLS1_2`/`TLS1_3`]
  - Default: `nil`
  - Specifies the lower bound of the supported SSL/TLS protocol.
- `max_version` [enum: `TLS1_1`/`TLS1_2`/`TLS1_3`]
  - Default: `nil`
  - Specifies the upper bound of the supported SSL/TLS protocol.
- `ciphers` [string]
  - Default: `"ALL:!aNULL:!eNULL:!SSLv2"`
  - OpenSSL 1.0.0 or higher default.
- `insecure` [bool]
  - Default: `false` (uses secure connection with `tls`)

If you want to accept multiple TLS protocols, use `min_version`/`max_version` instead of `version`. To support the old style, Fluentd accepts `TLS1_1` and `TLSv1_1` values.

NOTE: `TLS1_3` is available when your system supports TLS 1.3.

For `<transport tls>`:

- `ca_path` [string]
  - Default: `nil`
  - Specifies the path of CA certificate file
- `cert_path` [string]
  - Default: `nil`
  - Specifies the path of Certificate file
- `private_key_path` [string]
  - Default: `nil`
  - Specifies the path of Private Key file
- `private_key_passphrase` [string]
  - Default: `nil`
  - Specifies the public CA private key passphrase
- `client_cert_auth` [bool]
  - Default: `false`
  - If `true`, Fluentd will check all the incoming HTTPS requests for a client certificate signed by the trusted CA. The requests that don't supply a valid client certificate will fail.
- `cert_verifier` [string]
  - Default: `nil`
  - Specifies the code path for cert verification. See also [server article](/developer/api-plugin-helper-server.md#cert_verifier-example).

For `<transport tls>`:

- `ca_cert_path` [string]
  - Default: `nil`
  - Specifies the private CA cert path
- `ca_private_key_path` [string]
  - Default: `nil`
  - Specifies the private CA private key path
- `ca_private_key_passphrase` [string]
  - Default: `nil`
  - Specifies the private CA private key passphrase

For `<transport tls>`:

- `generate_private_key_length` [integer]
  - Default: 2048
- `generate_cert_country` [string]
  - Default: US
- `generate_cert_state` [string]
  - Default: CA
- `generate_cert_locality` [string]
  - Default: Mountain View
- `generate_cert_common_name` [string]
  - Default: `nil`
- `generate_cert_expiration` [integer]
  - Default: (60 * 60 * 24 = 86400) * 365 * 10 = 10 years

For `<transport tls>`:

- `generate_cert_digest` [enum: `sha1`/`sha256`/`sha384`/`sha512`]
  - Default: `sha256`

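
The parameters above can be checked mechanically. As an added example (not part of the Fluentd documentation or code base), this Ruby script scans a config for `<transport>` blocks and reports settings weaker than a TLS 1.2 baseline with client certificates. The method names, the chosen baseline and the sample config are assumptions made for illustration.

```ruby
# Added example, not Fluentd code; method names and the sample config are constructed.
WEAK_VERSIONS = %w[TLS1_1 TLSv1_1].freeze # both spellings are accepted by Fluentd

# Parse every <transport ...> block into [protocol, {param => value}].
def transport_blocks(conf)
  blocks = []
  current = nil
  conf.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A<transport(?:\s+(\w+))?>\z/))
      current = [m[1] || 'tcp', {}] # protocol defaults to tcp
    elsif line == '</transport>'
      blocks << current if current
      current = nil
    elsif current
      key, value = line.split(/\s+/, 2)
      current[1][key] = value.to_s.delete('"')
    end
  end
  blocks
end

# Findings for settings weaker than a TLS 1.2+ baseline with client certificates.
def audit_transport(conf)
  transport_blocks(conf).each_with_index.flat_map do |(proto, params), i|
    tag = "transport block #{i + 1} (#{proto})"
    next ["#{tag}: not TLS, traffic is unencrypted"] unless proto == 'tls'
    issues = []
    issues << 'insecure is true' if params['insecure'] == 'true'
    %w[version min_version].each do |k|
      issues << "#{k} allows TLS 1.1" if WEAK_VERSIONS.include?(params[k])
    end
    issues << 'client_cert_auth is off, no client certificate is required' unless params['client_cert_auth'] == 'true'
    issues << 'generate_cert_digest is sha1' if params['generate_cert_digest'] == 'sha1'
    issues.map { |msg| "#{tag}: #{msg}" }
  end
end

SAMPLE_CONF = <<~CONF # constructed sample input
  <transport tls>
    cert_path /path/to/fluentd.crt
    private_key_path /path/to/fluentd.key
    min_version TLS1_1
  </transport>
  <transport udp>
  </transport>
CONF
puts audit_transport(SAMPLE_CONF)
```

A block that sets `min_version TLS1_2` and `client_cert_auth true` together with `ca_path` produces no findings.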
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last modified 2yr ago