Frank Denis edited this page Sep 30, 2015 · 5 revisions

TLS provides transport security, with optional certificate-based client authentication.

With a dedicated thread/parser for each connection (recommended for optimal performance when there are fewer persistent connections than available cores):

[input]
type = "tls"
listen = "0.0.0.0:6514"
tls_cert = "flowgger.pem"
tls_key = "flowgger.pem"
tls_method = "any"

With a fixed number of threads, using coroutines (recommended if many persistent connections have to be processed on a limited number of cores):

[input]
type = "tls_co"
listen = "0.0.0.0:6514"
tls_cert = "flowgger.pem"
tls_key = "flowgger.pem"
tls_method = "any"

Note: a self-signed certificate and key can be created with:

openssl req -x509 -nodes -newkey rsa:3072 -sha256 -keyout flowgger.pem -out flowgger.pem

Optional properties:

  • timeout = <seconds>: automatically close idle connections after the specified number of seconds. Ignored by the tls_co implementation.
  • framing = "<splitter>": indicates how messages are split.
  • tls_threads = <number>: the number of threads to use. Only for the tls_co implementation.
  • tls_cert = "<path>": path to the certificate file in PEM format.
  • tls_key = "<path>": path to the key file in PEM format, which can be the same file as tls_cert.
  • tls_ciphers = "<cipher suite>": the cipher suite. Flowgger ships with a safe default configuration for modern clients.
  • tls_method = "<TLS method>": one of any (default), tlsv1, tlsv1.1 and tlsv1.2.
  • tls_verify_peer = false|true: require a valid client certificate.
  • tls_ca_file = "<path>": path to the root certificates file in PEM format, used to verify client certificates.
  • tls_compression = false|true: disable/enable compression (not recommended for sensitive data).
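As an added example (not part of Flowgger or this wiki), a small Python linter that parses an [input] section like the ones above and reports the settings this page documents as ignored, inapplicable or risky; the parser handles only the flat key = value lines shown here, and the sample configuration is constructed.

```python
# Added example: lint a Flowgger [input] TLS section. Minimal parser, not a TOML library.
import re
# Constructed sample: a tls_co listener with a few options worth flagging.
SAMPLE = '''
[input]
type = "tls_co"
listen = "0.0.0.0:6514"
tls_method = "tlsv1"
tls_verify_peer = true
tls_compression = true
timeout = 60
'''

_LINE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$')

def parse_input_section(text):
    section, conf = None, {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments; blanks fail the regex below
        if line.startswith('['):
            section = line.strip('[]')
            continue
        m = _LINE.match(line)
        if section != 'input' or not m:
            continue
        key, val = m.groups()
        if val.startswith('"'):
            conf[key] = val.strip('"')          # quoted string
        elif val in ('true', 'false'):
            conf[key] = val == 'true'           # boolean
        else:
            conf[key] = int(val)                # bare integer (timeout, tls_threads)
    return conf

def lint(conf):
    findings = []
    kind = conf.get('type')
    if kind == 'tls_co' and 'timeout' in conf:
        findings.append('timeout is ignored by the tls_co implementation')
    if kind == 'tls' and 'tls_threads' in conf:
        findings.append('tls_threads only applies to tls_co')
    if conf.get('tls_method') in ('tlsv1', 'tlsv1.1'):
        findings.append('tls_method allows a TLS version deprecated by RFC 8996')
    if conf.get('tls_compression') is True:
        findings.append('tls_compression enabled: not recommended for sensitive data')
    if conf.get('tls_verify_peer') is True and 'tls_ca_file' not in conf:
        findings.append('tls_verify_peer set but no tls_ca_file to verify client certificates against')
    return findings
```

Running lint(parse_input_section(SAMPLE)) reports four findings for the constructed sample; a tls listener restricted to tlsv1.2 with tls_verify_peer and tls_ca_file set reports none.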