The server plugin helper manages various types of servers.

Here is an example:

```ruby
require 'fluent/plugin/input'

module Fluent::Plugin
  class ExampleInput < Input
    Fluent::Plugin.register_input('example', self)

    # 1. Load server helper
    helpers :server

    # Omit `configure`, `shutdown` and other plugin APIs

    def start
      super # plugin lifecycle methods must call super so the base class and helpers are initialized

      # 2. Create server
      server_create(:title, @port) do |data|
        # 3. Process data
      end
    end
  end
end
```
The launched server is managed by the plugin helper. No server shutdown code is needed in the plugin's `shutdown` method; the plugin helper shuts down the launched servers automatically.
For more details, see Transport Section.
`server_create_connection`: this method creates a server instance for various protocols. The `&block` is invoked with the new connection as a parameter.
- `title`: unique symbol
- `port`: the port to listen to
- `proto`: protocol type. { `:tcp`, `:tls` }
- `bind`: the bind address to listen to
- `shared`: if `true`, share socket via server engine for multiple workers
- `backlog`: the maximum length of the queue for pending connections
- `tls_options`: options for TLS
  - `version`: set TLS version `:TLSv1_1` or `:TLSv1_2`. Default: `:TLSv1_2`
  - `ciphers`: set the list of available cipher suites. (default: `"ALL:!aNULL:!eNULL:!SSLv2"`)
  - `insecure`: if `true`, set TLS verify mode NONE
  - `cert_verifier`: if specified, pass the evaluated object to OpenSSL's `verify_callback`. See also the "cert_verifier example" section.
  - `verify_fqdn`: if `true`, validate the server certificate for the hostname
  - `fqdn`: set FQDN
  - `enable_system_cert_store`: if `true`, enable system default cert store
  - `allow_self_signed_cert`: if `true`, allow self-signed certificate
  - `cert_paths`: files containing PEM-encoded certificates
- `socket_options`: options for socket
  - `resolve_name`: if `true`, resolve the hostname
  - `connect`: if `true`, connect to host
  - `nonblock`: if `true`, use non-blocking I/O
  - `linger_timeout`: the timeout (seconds) to set `SO_LINGER`
  - `recv_timeout`: the timeout (seconds) to set `SO_RECVTIMEO`
  - `send_timeout`: the timeout (seconds) to set `SO_SNDTIMEO`
  - `send_keepalive_packet`: if `true`, enable TCP keep-alive via `SO_KEEPALIVE`. See also the socket article.
Example:
```ruby
# TCP
server_create_connection(:title, @port) do |conn|
  # on connection
  # conn is Fluent::PluginHelper::Server::TCPCallbackSocket
  source_addr = conn.remote_host
  source_port = conn.remote_port
  conn.data do |data|
    conn.write(something)
  end
end
```
`server_create`: this method creates a server instance for various protocols. The `&block` is invoked with parameter(s) on data.
- `title`: unique symbol
- `port`: the port to listen to
- `proto`: protocol type. { `:tcp`, `:udp`, `:tls` }
- `bind`: the bind address to listen to
- `shared`: if `true`, share socket via server engine for multiple workers
- `socket`: socket instance for UDP (only for UDP)
- `backlog`: the maximum length of the queue for pending connections
- `tls_options`: options for TLS
  - `version`: set TLS version `:TLSv1_1` or `:TLSv1_2`. (default: `:TLSv1_2`)
  - `ciphers`: set the list of available cipher suites. (default: `"ALL:!aNULL:!eNULL:!SSLv2"`)
  - `insecure`: if `true`, set TLS verify mode NONE
  - `cert_verifier`: if specified, pass the evaluated object to OpenSSL's `verify_callback`. See also the "cert_verifier example" section.
  - `verify_fqdn`: if `true`, validate the server certificate for the hostname
  - `fqdn`: set FQDN
  - `enable_system_cert_store`: if `true`, enable system default cert store
  - `allow_self_signed_cert`: if `true`, allow self-signed certificate
  - `cert_paths`: files containing PEM-encoded certificates
- `max_bytes`: the maximum number of bytes to receive (required for UDP)
- `flags`: zero or more of the `MSG_` options (UDP-only)
- `socket_options`: options for socket
  - `resolve_name`: if `true`, resolve the hostname
  - `connect`: if `true`, connect to host
  - `nonblock`: if `true`, use non-blocking I/O
  - `linger_timeout`: the timeout (seconds) to set `SO_LINGER`
  - `recv_timeout`: the timeout (seconds) to set `SO_RECVTIMEO`
  - `send_timeout`: the timeout (seconds) to set `SO_SNDTIMEO`
  - `send_keepalive_packet`: if `true`, enable TCP keep-alive via `SO_KEEPALIVE`. See also the socket article.
Code example:
```ruby
# UDP (w/o socket)
server_create(:title, @port, proto: :udp, max_bytes: 2048) do |data|
  # data is received data
end

# UDP (w/ socket)
server_create(:title, @port, proto: :udp, max_bytes: 2048) do |data, sock|
  # data is received data
  # sock is UDPSocket
end

# TCP (w/o connection)
server_create(:title, @port) do |data|
  # data is received data
end

# TCP (w/ connection)
server_create(:title, @port) do |data, conn|
  # data is received data
  # conn is Fluent::PluginHelper::Server::TCPCallbackSocket
end

# TLS (w/o connection)
server_create(:title, @port, proto: :tls) do |data|
  # data is received data
end

# TLS (w/ connection)
server_create(:title, @port, proto: :tls) do |data, conn|
  # data is received data
  # conn is Fluent::PluginHelper::Server::TLSCallbackSocket
end
```
Here is a TLS configuration example:
```
<source>
  @type forward
  # other plugin parameters
  <transport tls>
    version TLSv1_2
    ciphers ALL:!aNULL:!eNULL:!SSLv2
    insecure false

    # For Cert signed by public CA
    ca_path /path/to/ca_file
    cert_path /path/to/cert_path
    private_key_path /path/to/priv_key
    private_key_passphrase "passphrase"
    client_cert_auth false

    # For Cert generated and signed by private CA Certificate
    ca_cert_path /path/to/ca_cert
    ca_private_key_path /path/to/ca_priv_key
    ca_private_key_passphrase "ca_passphrase"

    # For generating certs by private CA certs or self-signed
    generate_private_key_length 2048
    generate_cert_country US
    generate_cert_state CA
    generate_cert_locality Mountain View
    generate_cert_common_name "Common Name"
    generate_cert_expiration "#{10 * 365 * 86400}"
    generate_cert_digest sha256
  </transport>
</source>
```
`cert_verifier` is supported since v1.10.0.
Configuration example:
```
<source>
  @type forward
  <transport tls>
    # other parameters
    client_cert_auth true
    cert_verifier /path/to/my_verifier.rb
  </transport>
</source>
```
`my_verifier.rb` example

The code must return a callable object that has a `call` method with two arguments. This object is used as OpenSSL's `verify_callback`.

```ruby
Proc.new { |ok, ctx|
  # check code

  if cond
    true
  else
    false
  end
}
```
This is a CN check example:

```ruby
module Fluent
  module Plugin
    class InForwardCNChecker
      def initialize
        # Modify for actual common names
        @allow_list = ['fluentd', 'fluentd-client', 'other-org']
      end

      def call(ok, ctx)
        subject = ctx.chain.first.subject.to_a.find { |entry| entry.first == 'CN' }
        if subject
          @allow_list.include?(subject[1])
        else
          false
        end
      end
    end
  end
end

Fluent::Plugin::InForwardCNChecker.new
```
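As an added example (not part of this page or of the Fluentd project), here is a stricter verifier object of the same `call(ok, ctx)` shape. It never overrides OpenSSL's own chain verdict in `ok` (a `verify_callback` that returns `true` while `ok` is `false` accepts a certificate that failed chain validation), it decides only on the leaf certificate, and it accepts either the subject CN or a DNS subjectAltName entry from the allow list. `build_test_cert` and `FakeCtx` are constructed test scaffolding; the example assumes `ctx` is the `OpenSSL::X509::StoreContext` that OpenSSL hands to `verify_callback`.

```ruby
require 'openssl'

# Verifier object of the kind a cert_verifier script returns. OpenSSL calls
# #call(ok, ctx) once per certificate of the peer chain; `ok` is its own verdict.
class AllowListCertVerifier
  def initialize(allowed_names)
    @allowed = allowed_names
  end

  def call(ok, ctx)
    # Intermediate/root certs (depth > 0): keep OpenSSL's verdict untouched.
    return ok unless ctx.error_depth == 0
    # Leaf: never turn a failed chain check into success, then apply the allow list.
    ok && (names_of(ctx.current_cert) & @allowed).any?
  end

  # Subject CN entries plus every DNS: entry of subjectAltName.
  def names_of(cert)
    names = cert.subject.to_a.select { |e| e.first == 'CN' }.map { |e| e[1] }
    if (san = cert.extensions.find { |e| e.oid == 'subjectAltName' })
      san.value.split(',').each do |entry|
        kind, value = entry.strip.split(':', 2)
        names << value if kind == 'DNS'
      end
    end
    names
  end
end

# Constructed self-signed certificate so the verifier can be exercised offline.
def build_test_cert(cn, dns_sans = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless dns_sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('subjectAltName', dns_sans.map { |d| "DNS:#{d}" }.join(',')))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Stand-in for OpenSSL::X509::StoreContext exposing only the two readers used above.
FakeCtx = Struct.new(:error_depth, :current_cert)

AllowListCertVerifier.new(['fluentd', 'fluentd-client'])
```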
Plugins using this helper:

- `in_forward`
- `in_syslog`
- `in_tcp`
- `in_udp`
- `out_forward`