fluent-plugin: Add client certificate verification #1189
Conversation
|
|
| @@ -67,6 +74,13 @@ def configure(conf) | |||
|
|
|||
| @label_keys = @label_keys.split(/\s*,\s*/) if @label_keys | |||
| @remove_keys = @remove_keys.split(',').map(&:strip) if @remove_keys | |||
|
|
|||
| @cert = OpenSSL::X509::Certificate.new(File.read(@cert)) if @cert | |||
| @key = OpenSSL::PKey::RSA.new(File.read(key)) if @key | |||
There was a problem hiding this comment.
Any chance to use OpenSSL::PKey.read?
ref: https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/PKey.html#method-c-read
This method should be more flexible to handle private key.
There was a problem hiding this comment.
Should be possible, I'll update this in the next commit
|
|
||
| if !@cert.nil? && !@key.nil? | ||
| opts = opts.merge( | ||
| verify_mode: OpenSSL::SSL::VERIFY_PEER, |
There was a problem hiding this comment.
Should we handle VERIFY_NONE case for self-signed sertificates?
There was a problem hiding this comment.
If we're using self-signed certificates, wouldn't it be better to pass ca_cert to verify the server's self-signed cert?
There was a problem hiding this comment.
Hmm, you are right.
Please leave it as-is until VERIFY_NONE use case is found.
putrasattvika
force-pushed
the
fluentd-tls
branch
from
9aac566
to
7ee3dbc
Compare
|
Did you tried this PR out? I immediately got without cert config. edit: I added a fix here #1242 |
What this PR does / why we need it:
Allow the fluentd to push logs to Loki servers located behind a reverse proxy with client certificate verification.
Checklist