2016-11-01 12:53:13 +00:00
|
|
|
---
|
2020-02-06 23:45:31 +00:00
|
|
|
layout: docs
|
2023-01-30 14:48:43 +00:00
|
|
|
page_title: tls Block - Agent Configuration
|
2016-11-01 12:53:13 +00:00
|
|
|
description: |-
|
2023-01-30 14:48:43 +00:00
|
|
|
The "tls" block configures Nomad's TLS communication via HTTP and RPC to
|
2022-06-16 17:15:40 +00:00
|
|
|
enforce secure cluster communication between servers and clients.
|
2016-11-01 12:53:13 +00:00
|
|
|
---
|
|
|
|
|
2023-01-30 14:48:43 +00:00
|
|
|
# `tls` Block
|
2016-11-01 12:53:13 +00:00
|
|
|
|
2020-02-06 23:45:31 +00:00
|
|
|
<Placement groups={['tls']} />
|
2016-11-01 12:53:13 +00:00
|
|
|
|
2023-01-30 14:48:43 +00:00
|
|
|
The `tls` block configures Nomad's TLS communication via HTTP and RPC to
|
2016-11-01 12:53:13 +00:00
|
|
|
enforce secure cluster communication between servers, clients, and between.
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
tls {
|
|
|
|
http = true
|
|
|
|
rpc = true
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
~> Incorrect configuration of the TLS configuration can result in failure to
|
|
|
|
start the Nomad agent.
|
|
|
|
|
|
|
|
This section of the documentation only covers the configuration options for
|
2023-01-30 14:48:43 +00:00
|
|
|
`tls` block. To understand how to setup the certificates themselves, please see
|
2023-01-25 17:31:14 +00:00
|
|
|
the [Enable TLS Encryption for Nomad Tutorial](/nomad/tutorials/transport-security/security-enable-tls).
|
2016-11-01 12:53:13 +00:00
|
|
|
|
|
|
|
## `tls` Parameters
|
|
|
|
|
|
|
|
- `ca_file` `(string: "")` - Specifies the path to the CA certificate to use for
|
|
|
|
Nomad's TLS communication.
|
|
|
|
|
|
|
|
- `cert_file` `(string: "")` - Specifies the path to the certificate file used
|
|
|
|
for Nomad's TLS communication.
|
|
|
|
|
|
|
|
- `key_file` `(string: "")` - Specifies the path to the key file to use for
|
|
|
|
Nomad's TLS communication.
|
|
|
|
|
|
|
|
- `http` `(bool: false)` - Specifies if TLS should be enabled on the HTTP
|
|
|
|
endpoints on the Nomad agent, including the API.
|
|
|
|
|
|
|
|
- `rpc` `(bool: false)` - Specifies if TLS should be enabled on the RPC
|
|
|
|
endpoints and [Raft][raft] traffic between the Nomad servers. Enabling this on
|
|
|
|
a Nomad client makes the client use TLS for making RPC requests to the Nomad
|
|
|
|
servers.
|
|
|
|
|
2017-10-30 14:42:08 +00:00
|
|
|
- `rpc_upgrade_mode` `(bool: false)` - This option should be used only when the
|
|
|
|
cluster is being upgraded to TLS, and removed after the migration is
|
|
|
|
complete. This allows the agent to accept both TLS and plaintext traffic.
|
|
|
|
|
2019-03-20 16:17:38 +00:00
|
|
|
- `tls_cipher_suites` `string: "")` - Specifies the TLS cipher suites that will
|
|
|
|
be used by the agent as a comma-separated string. Known insecure ciphers are
|
|
|
|
disabled (3DES and RC4). By default, an agent is configured to use
|
2018-06-07 22:30:00 +00:00
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
2018-05-30 17:23:41 +00:00
|
|
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
2018-06-07 22:30:00 +00:00
|
|
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
|
2018-05-08 20:32:07 +00:00
|
|
|
|
2018-05-30 17:23:41 +00:00
|
|
|
- `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version
|
|
|
|
of TLS. Accepted values are "tls10", "tls11", "tls12".
|
2018-05-09 20:30:02 +00:00
|
|
|
|
2018-05-30 17:23:41 +00:00
|
|
|
- `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether
|
|
|
|
TLS connections should prefer the server's ciphersuites over the client's.
|
2018-05-23 17:34:53 +00:00
|
|
|
|
2017-05-03 00:10:16 +00:00
|
|
|
- `verify_https_client` `(bool: false)` - Specifies agents should require
|
|
|
|
client certificates for all incoming HTTPS requests. The client certificates
|
|
|
|
must be signed by the same CA as Nomad.
|
|
|
|
|
2016-11-01 12:53:13 +00:00
|
|
|
- `verify_server_hostname` `(bool: false)` - Specifies if outgoing TLS
|
|
|
|
connections should verify the server's hostname.
|
|
|
|
|
|
|
|
## `tls` Examples
|
|
|
|
|
2023-01-30 14:48:43 +00:00
|
|
|
The following examples only show the `tls` blocks. Remember that the
|
|
|
|
`tls` block is only valid in the placements listed above.
|
2016-11-01 12:53:13 +00:00
|
|
|
|
2016-11-02 23:26:10 +00:00
|
|
|
### Enabling TLS
|
2016-11-01 12:53:13 +00:00
|
|
|
|
2016-11-02 23:26:10 +00:00
|
|
|
This example shows enabling TLS configuration. This enables TLS communication
|
2016-11-01 12:53:13 +00:00
|
|
|
between all servers and clients using the default system CA bundle and
|
|
|
|
certificates.
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
tls {
|
|
|
|
http = true
|
|
|
|
rpc = true
|
|
|
|
|
|
|
|
ca_file = "/etc/certs/ca.crt"
|
|
|
|
cert_file = "/etc/certs/nomad.crt"
|
|
|
|
key_file = "/etc/certs/nomad.key"
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2020-12-18 16:55:00 +00:00
|
|
|
### `tls` Configuration Reloads
|
|
|
|
|
|
|
|
Nomad supports dynamically reloading both client and server TLS
|
|
|
|
configuration. To reload an agent's TLS configuration, first update the TLS
|
|
|
|
block in the agent's configuration file and then send the Nomad agent a
|
|
|
|
`SIGHUP` signal. Note that this will only reload a subset of the configuration
|
|
|
|
file, including the TLS configuration.
|
|
|
|
|
|
|
|
The agent reloads all its network connections when there are changes to its
|
|
|
|
TLS configuration during a config reload via `SIGHUP`. Any new connections
|
|
|
|
established will use the updated configuration, and any outstanding old
|
|
|
|
connections will be closed. This process works when upgrading to TLS,
|
|
|
|
downgrading from it, as well as rolling certificates.
|
|
|
|
|
2020-02-06 23:45:31 +00:00
|
|
|
[raft]: https://github.com/hashicorp/serf 'Serf by HashiCorp'
|