-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS Support #107
TLS Support #107
Conversation
Signed-off-by: Love Sharma <[email protected]>
@tagomoris All commits are signed off. |
@tagomoris - Can we merge this? |
This change looks good to me. I want confirmation from other maintainers. |
@tagomoris @zonito FWIW, I started testing this patch tonight. |
I spent some time this evening testing this patch with Fluentd v1.14.2. TLDR I could confirm that fluent-logger-golang now can connect to fluentd.conf <source>
@type forward
<transport tls>
cert_path fluentd.crt
private_key_path fluentd.key
private_key_passphrase *********
</transport>
</source>
<match debug.**>
@type stdout
</match> main.go package main
import (
"github.com/fluent/fluent-logger-golang/fluent"
)
func main() {
logger, err := fluent.New(fluent.Config{FluentNetwork: "tls", TlsInsecureSkipVerify: true})
if err != nil {
return
}
defer logger.Close()
var data = map[string]string{"foo": "bar", "hoge": "hoge"}
logger.Post("debug.log", data)
} Result 2021-11-19 20:42:19.000000000 +0900 debug.log: {"foo":"bar","hoge":"hoge"}
2021-11-19 20:42:34.000000000 +0900 debug.log: {"foo":"bar","hoge":"hoge"}
2021-11-19 20:42:34.000000000 +0900 debug.log: {"foo":"bar","hoge":"hoge"} |
@tagomoris @fujimotos Let's merge this.. then |
@tagomoris @zonito I'm basically okay with this patch, so I'll step ahead it looks to me that @zonito accidentally overwrote c16ce5d which is the I will merge this pr with some adjustment, so that it sits nicely on top of c16ce5d. |
Thanks, @fujimotos, appreciated! |
Merged via e5d6aa1. |
@fujimotos @zonito Although this PR allows using self-signed TLS certs, it doesn't offer proper way of securely doing TLS because there's no way to specify which CA cert is accepted. With this change, if an attacker can mitm/redirect fluentd's network stream, they could still generate their own self-signed cert and bypass TLS promises. IMHO it could give a false sense of security. It would be great to be able to specify which CA certs are accepted (on top of what's in system truststore). |
@akerouanton I created a ticket #112 to track that issue. I agree with you that it's better
The current option is register the certificate (which you want to use) into your operating system. I believe this works, since Go's TLS library recognizes system certificates by default. |
Created another PR because of --signoff meshed up in #96