-
Notifications
You must be signed in to change notification settings - Fork 541
[docs] Add and improve SSL/TLS documentation #2715
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
fc1145f
docs: first draft - doesn’t build
bmorelli25 2c65f91
docs: it builds now
bmorelli25 f0f6482
docs: remove comments
bmorelli25 6449c2e
docs: cleanup
bmorelli25 ff8c1d5
docs: a little cleanup
bmorelli25 0d0ca91
docs: move ssl config settings
bmorelli25 76b2e1e
docs: reviewer feedback
bmorelli25 131ab14
docs: remove beat
bmorelli25 4b1958d
docs: one more fix
bmorelli25 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| [[secure-communication-agents]] | ||
| == Secure communication with APM Agents | ||
|
|
||
| To secure the communication between APM Agents and the APM Server: | ||
|
|
||
| . <<secret-token,Set a secret token in your Agents and Server>> | ||
| . <<ssl-setup,Enable SSL/TLS in APM Server>> | ||
| . <<https-in-agents,Enable HTTPS in your APM Agents>> | ||
|
|
||
| [[secret-token]] | ||
| [float] | ||
| === Secret token | ||
|
|
||
| You can configure a secret token to authorize requests to the APM Server. | ||
| This ensures that only your agents are able to send data to your APM servers. | ||
| Both the agents and the APM servers have to be configured with the same secret token, | ||
| and secret tokens only provide security when used in combination with SSL/TLS. | ||
|
|
||
| **APM Server configuration** | ||
|
|
||
| Here's how you set the secret token in APM Server: | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| apm-server.secret_token: <secret-token> | ||
| ---- | ||
|
|
||
| We recommend saving the token in the APM Server <<keystore>>. | ||
|
|
||
| IMPORTANT: Secret tokens are not applicable for the RUM Agent, | ||
| as there is no way to prevent them from being publicly exposed. | ||
|
|
||
| **Agent specific configuration** | ||
|
|
||
| Each Agent has a configuration for setting the value of the secret token: | ||
|
|
||
| * *Go Agent*: {apm-go-ref}/configuration.html#config-secret-token[`ELASTIC_APM_SECRET_TOKEN`] | ||
| * *Java Agent*: {apm-java-ref}/config-reporter.html#config-secret-token[`secret_token`] | ||
| * *.NET Agent*: {apm-dotnet-ref}/config-reporter.html#config-secret-token[`ELASTIC_APM_SECRET_TOKEN`] | ||
| * *Node.js Agent*: {apm-node-ref}/configuration.html#secret-token[`Secret Token`] | ||
| * *Python Agent*: {apm-py-ref}/configuration.html#config-secret-token[`secret_token`] | ||
| * *Ruby Agent*: {apm-ruby-ref}/configuration.html#config-secret-token[`secret_token`] | ||
|
|
||
| [[ssl-setup]] | ||
| [float] | ||
| === SSL/TLS communication in APM Server | ||
|
|
||
| To enable SSL/TLS, you need to enable SSL and provide both a private key and a certificate | ||
| issued by a certificate authority (CA). | ||
| You can then specify the path to those files in your configuration properties. | ||
| This will make APM Server serve HTTPS requests instead of HTTP. | ||
|
|
||
| Here's a basic APM Server SSL config with secure communication enabled: | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| apm-server.ssl.enabled: true | ||
| apm-server.ssl.key: "/etc/pki/key.pem" | ||
| apm-server.ssl.certificate: "/etc/pki/client.pem" | ||
| ---- | ||
|
|
||
| A full list of configuration options is available in <<agent-server-ssl>>. | ||
|
|
||
| [[https-in-agents]] | ||
| [float] | ||
| === HTTPS communication in APM Agents | ||
|
|
||
| To enable secure communication in your Agents, you need to update the configured server URL to use `HTTPS` instead of `HTTP`. | ||
|
|
||
| * *Go Agent*: {apm-go-ref}/configuration.html#config-server-url[`ELASTIC_APM_SERVER_URL`] | ||
| * *Java Agent*: {apm-java-ref}/config-reporter.html#config-server-urls[`server_urls`] | ||
| * *.NET Agent*: {apm-dotnet-ref}/config-reporter.html#config-server-urls[`ServerUrls`] | ||
| * *Node.js Agent*: {apm-node-ref}/configuration.html#server-url[`serverUrl`] | ||
| * *Python Agent*: {apm-py-ref}/[`server_url`] | ||
| * *Ruby Agent*: {apm-ruby-ref}/configuration.html#config-server-url[`server_url`] | ||
|
|
||
| Some Agents also allow you to specify a custom certificate authority for connecting to APM Server. | ||
|
|
||
| * *Go Agent*: {apm-go-ref}/configuration.html#config-server-cert[`ELASTIC_APM_SERVER_CERT`] | ||
| // * *.NET Agent*: {apm-dotnet-ref}/ | ||
| * *Python Agent*: {apm-py-ref}/configuration.html#config-server-cert[`ELASTIC_APM_SERVER_CERT`] | ||
| * *Ruby Agent*: {apm-ruby-ref}/configuration.html#config-ssl-ca-cert[`server_ca_certedit`] | ||
|
|
||
| Most Agents that don't allow you specify a custom certificate will allow you to | ||
| disable verification of the SSL certificate. | ||
| This ensures encryption, but does not verify that you are sending data to the correct APM Server. | ||
|
|
||
| * *Java Agent*: {apm-java-ref}/config-reporter.html#config-verify-server-cert[`verify_server_cert`] | ||
| * *Node.js Agent*: {apm-node-ref}/configuration.html#validate-server-cert[`verifyServerCert`] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,30 +1,9 @@ | ||
| [[security-overview]] | ||
| A reference of all available <<configuration-ssl-landing,SSL configuration settings>> is also available. | ||
|
|
||
| [float] | ||
| === Security Overview | ||
| [[security-overview]] | ||
| == Security Overview | ||
|
|
||
| APM Server exposes an HTTP endpoint and as with anything that opens ports on your servers, | ||
| APM Server exposes an HTTP endpoint, and as with anything that opens ports on your servers, | ||
| you should be careful about who can connect to it. | ||
| Firewall rules are recommended to ensure only authorized systems can connect. | ||
|
|
||
| [[secret-token]] | ||
| [float] | ||
| ==== Secret token | ||
|
|
||
| You can configure a secret token to authorize requests to the APM Server, | ||
| and ensure that only your agents can send data to your APM servers. | ||
| Both the agents and the APM servers have to be configured with the same secret token. | ||
|
|
||
| NOTE: Secret tokens provide security only when used in combination with SSL/TLS. | ||
| Secret tokens are not applicable for RUM, as they would be publicly exposed. | ||
|
|
||
| [[ssl-setup]] | ||
| [float] | ||
| ==== SSL/TLS setup | ||
|
|
||
| To enable SSL/TLS you need a private key and a certificate issued by a certification authority (CA). | ||
| You can then specify the path to those files in your configuration properties: | ||
| `apm-server.ssl.key` and `apm-server.ssl.certificate` respectively. | ||
| This will make the APM Server serve HTTPS requests instead of HTTP. | ||
| Don't forget, you also need to enable SSL in the agent. | ||
| For agent specific details on enabling SSL/TLS, | ||
| please see the {apm-agents-ref}/index.html[agent documentation]. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| [[agent-server-ssl]] | ||
| === SSL input settings | ||
|
|
||
| You can specify the following options in the `apm-server.ssl` section of the +{beatname_lc}.yml+ config file. | ||
| They apply to SSL/TLS communication between the APM Server and APM Agents. | ||
|
|
||
| [float] | ||
| ==== `enabled` | ||
|
|
||
| The `enabled` setting can be used to enable the ssl configuration by setting | ||
| it to `true`. The default value is `false`. | ||
|
|
||
| [float] | ||
| ==== `certificate` | ||
|
|
||
| The path to the file containing the certificate for Server authentication. | ||
| Required if `apm-server.enabled` is `true`. | ||
|
|
||
| [float] | ||
| ==== `key` | ||
|
|
||
| The path to the file containing the Server certificate key. | ||
| Required if `apm-server.enabled` is `true`. | ||
|
|
||
| [float] | ||
| ==== `certificate_authorities` | ||
|
|
||
| The list of root certificates for verifying client certificates. | ||
| If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used. | ||
|
|
||
| [float] | ||
| ==== `key_passphrase` | ||
|
|
||
| The passphrase used to decrypt an encrypted key stored in the configured `key` file. | ||
| We recommend saving the `key_passphrase` in the APM Server <<keystore>>. | ||
|
|
||
| [float] | ||
| ==== `supported_protocols` | ||
|
|
||
| This setting is a list of allowed protocol versions: | ||
| `SSLv3`, `TLSv1.0`, `TLSv1.1` and `TLSv1.2`. We do not recommend using `SSLv3` or `TLSv1.0`. | ||
| The default value is `[TLSv1.1, TLSv1.2]`. | ||
|
|
||
| [float] | ||
| ==== `cipher_suites` | ||
|
|
||
| The list of cipher suites to use. The first entry has the highest priority. | ||
| If this option is omitted, the Go crypto library's default | ||
| suites are used (recommended). | ||
|
|
||
| [float] | ||
| ==== `curve_types` | ||
|
|
||
| The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange). | ||
|
|
||
| [float] | ||
| ==== `client_authentication` | ||
|
|
||
| This configures what types of client authentication are supported. The valid options | ||
| are `none`, `optional`, and `required`. The default is `optional`. | ||
| If `certificate_authorities` has been specified, this setting will automatically change to `required`. | ||
|
|
||
| * `none` - Disables client authentication. | ||
| * `optional` - When a client certificate is given, the server will verify it. | ||
| * `required` - Requires clients to provide a valid certificate. | ||
|
|
||
| [float] | ||
| ==== `verification_mode` | ||
|
|
||
| This option controls whether the client verifies server certificates and host | ||
| names. Valid values are `none` and `full`. If `none` is used, | ||
| SSL-based connections are susceptible to man-in-the-middle attacks. Use this | ||
| option for testing only. | ||
|
|
||
| The default is `full`. |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.