On 08/21/2014 03:22 AM, bruno binet wrote:
> Hi,
>
> I want to set up a simple TLS TCP connection between two Heka instances
> (a server and a client) communicating with the standard ProtobufEncoder, so
> that the Heka client will forward all Heka messages to the Heka server.
> But I have no experience configuring TLS/SSL stuff, so any help would be
> really appreciated.

SSL is a tricky beast, and OpenSSL is notoriously finicky, but it can be made to work. I fumbled through the process of setting up my own Certificate Authority and issuing client and server certificates using the following guide:

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

augmented by a couple of tweaks to the CA config as specified in the following thread on the go-nuts mailing list:

https://groups.google.com/forum/#!topic/golang-nuts/vw7wiGxVu0g

> Do you know how to use openssl to generate SSL certificates that need to
> be used by the Heka server and the Heka client?

See the links above.

> Should we use the same files for both the server and the client for the
> "cert_file" and "key_file" options (see:
> http://hekad.readthedocs.org/en/v0.6.0/tls.html#tls-configuration-settings)?

This depends on whether or not the certificate and the key are in the same file. When generating your certificates and your keys, you can put them in a single (`.pem`) file, or you can put each in its own (`.crt` and `.key`) file. Neither choice is intrinsically better than the other, AFAIK, but for simple setups I usually use a single file for both.

> Could anyone also share some configuration examples, both to set up
> TcpInput for the Heka server and TcpOutput for the Heka client?

Sure. I've used the following config to successfully test TLS encrypted connections from TcpOutput in one hekad instance:


[TcpOutput]
message_matcher = "Type == 'hekabench'"
address = "127.0.0.1:5575"
use_tls = true
encoder = "ProtobufEncoder"

  [TcpOutput.tls]
  server_name = "agni.kalistra.com"
  cert_file = "/home/rob/go/heka/etc/certs/client.pem"
  key_file = "/home/rob/go/heka/etc/certs/client.pem"
  root_cafile = "/home/rob/go/heka/etc/certs/myca.crt"

to TcpInput in another hekad instance:

[TcpInput]
address = "127.0.0.1:5575"
parser_type = "message.proto"
decoder = "protobuf"
use_tls = true

  [TcpInput.tls]
  server_name = "agni.kalistra.com"
  cert_file = "/home/rob/go/heka/etc/certs/server.pem"
  key_file = "/home/rob/go/heka/etc/certs/server.pem"
  client_cafile = "/home/rob/go/heka/etc/certs/myca.crt"
  client_auth = "RequireAndVerifyClientCert"

This was using certificates I generated and signed using my self-created CA following the guides linked to above. Note that you'll want the `server_name` config setting to match what was specified in the server certificate.

> I was also wondering if "client_cafile" and "root_cafile" (see:
> http://hekad.readthedocs.org/en/v0.6.0/tls.html#tls-configuration-settings)
> are required or optional, and what they are actually used for?

The `root_cafile` option is required on the client (i.e. TcpOutput) side, unless you have the `insecure_skip_verify` option set to true, which is *not* recommended. This option must point to the certificate of the CA that was used to generate and sign the server certificate. If you're acting as your own CA following the above linked guide, you'll have this file. If you get your certificates signed by a third party certificate authority, you should be able to get such a certificate from your CA.

The `client_cafile` option is required on the server (i.e. TcpInput) side if you're using any `client_auth` option other than the default of `NoClientCert`. This must point to the certificate of the CA that was used to generate and sign the client certificate. Again, if you're acting as your own CA, you have this file, it will be the same one used to sign the server certificate, and if you're using a third party CA, you can get it from them.

> Thanks for any help,

You're welcome. Hope this actually does help. Good luck!

-r
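To make the roles of the four TLS settings in the configs above concrete, here is an added example that is not from this thread or from the Heka project. It is a stand-alone Go program (hekad is written in Go, and the `client_auth` values are the names from Go's crypto/tls package) that builds a throwaway CA in memory instead of running the openssl steps from the linked guide, issues a server and a client certificate, and then runs the handshake three times: with everything set as in the TcpInput/TcpOutput configs, with a `server_name` that does not match the server certificate, and with the client omitting its certificate while the server requires `RequireAndVerifyClientCert`. The functions `issueCert`, `handshake` and `RunScenarios`, the loopback port, and the names `heka-test-ca` and `heka-client` are constructed for this example; `agni.kalistra.com` and the option names are the ones in the configs above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert mints a certificate for cn signed by the CA, or a self-signed root when isCA is
// set: an in-memory stand-in for the openssl steps in the linked guide (all names constructed).
func issueCert(cn string, isCA bool, eku []x509.ExtKeyUsage, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // server_name is matched against the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		ca, caKey = tmpl, key // the root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// handshake runs one TLS handshake over loopback TCP and returns each side's verdict. Both
// matter: under TLS 1.3 the server rejects a missing client cert after the client's Handshake returned nil.
func handshake(serverCfg, clientCfg *tls.Config) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		check(err)
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		s := tls.Server(raw, serverCfg)
		done <- s.Handshake()
		s.Close()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	c := tls.Client(raw, clientCfg)
	clientErr = c.Handshake()
	c.Close()
	return clientErr, <-done
}

// RunScenarios maps the TcpInput/TcpOutput TLS settings onto crypto/tls and reports,
// per variant, whether both sides accepted the handshake.
func RunScenarios() map[string]bool {
	caCert, caKey := issueCert("heka-test-ca", true, nil, nil, nil)
	srvCert, srvKey := issueCert("agni.kalistra.com", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, caCert, caKey)
	cliCert, cliKey := issueCert("heka-client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, caCert, caKey)
	caPool := x509.NewCertPool()
	caPool.AddCert(caCert) // what myca.crt holds: the CA certificate only, never its key
	server := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}, // cert_file/key_file
		ClientCAs:    caPool,                         // client_cafile
		ClientAuth:   tls.RequireAndVerifyClientCert, // client_auth
	}
	client := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}, // cert_file/key_file
		RootCAs:      caPool,              // root_cafile
		ServerName:   "agni.kalistra.com", // server_name, must match the server certificate's SAN
	}
	wrongName, noCert := client.Clone(), client.Clone()
	wrongName.ServerName = "other.example" // server_name does not match the certificate
	noCert.Certificates = nil              // cert_file/key_file left out on the client side
	accepted := func(c, s error) bool { return c == nil && s == nil }
	return map[string]bool{
		"mutual_tls":        accepted(handshake(server, client)),
		"wrong_server_name": accepted(handshake(server, wrongName)),
		"no_client_cert":    accepted(handshake(server, noCert)),
	}
}

func main() {
	fmt.Println(RunScenarios())
}
```

Running it prints `mutual_tls` as accepted and the other two as rejected. The first failure is the `server_name` check that `root_cafile` makes possible: the client verifies the server certificate against the CA and then checks that the name it expects is in the certificate. Setting `InsecureSkipVerify` (the `insecure_skip_verify` option) would make that case pass silently, which is exactly why it is not recommended. The second failure is `client_cafile` plus `client_auth` at work on the TcpInput side; note that with TLS 1.3 the server's rejection is not visible from the client's `Handshake` call, only from the server (or from the client's first read), so a TcpOutput whose certificate is missing or signed by the wrong CA can look connected until it tries to send.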
_______________________________________________
Heka mailing list
https://mail.mozilla.org/listinfo/heka