Add documentation for running Chronograf with TLS
Chris Goller
parent
442b892bc3
commit
9b956f7c90
|
|
@ -107,6 +107,9 @@ A UI for [Kapacitor](https://github.com/influxdata/kapacitor) alert creation and
|
|||
* View all active alerts at a glance on the alerting dashboard
|
||||
* Enable and disable existing alert rules with the check of a box
|
||||
|
||||
### TLS/HTTPS support
|
||||
See [Chronograf with TLS](https://github.com/influxdata/chronograf/blob/master/docs/tls.md) for more information.
|
||||
|
||||
### GitHub OAuth Login
|
||||
See [Chronograf with OAuth 2.0](https://github.com/influxdata/chronograf/blob/master/docs/auth.md) for more information.
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,74 @@
|
|||
## Chronograf TLS
|
||||
|
||||
Chronograf supports TLS to securely communicate between the browser and server via
|
||||
HTTPS.
|
||||
|
||||
We recommend using HTTPS with Chronograf. If you are not using a TLS termination proxy,
|
||||
you can run Chronograf's server with TLS connections.
|
||||
### TL;DR
|
||||
|
||||
```sh
|
||||
chronograf --cert=my.crt --key=my.key
|
||||
```
|
||||
|
||||
### Running Chronograf with TLS
|
||||
|
||||
Chronograf server has command line and environment variable options to specify
|
||||
the certificate and key files. The server reads and parses a public/private key
|
||||
pair from these files. The files must contain PEM encoded data.
|
||||
|
||||
In Chronograf all command line options also have a corresponding environment
|
||||
variable.
|
||||
|
||||
To specify the the certificate file either use the `--cert` CLI option or `TLS_CERTIFICATE`
|
||||
environment variable.
|
||||
|
||||
To specify the key file either use the `--key` CLI option or `TLS_PRIVATE_KEY`
|
||||
environment variable.
|
||||
|
||||
#### Example with CLI options
|
||||
```sh
|
||||
chronograf --cert=my.crt --key=my.key
|
||||
```
|
||||
|
||||
#### Example with environment variables
|
||||
```sh
|
||||
TLS_CERTIFICATE=my.crt TLS_PRIVATE_KEY=my.key chronograf
|
||||
```
|
||||
|
||||
#### Docker example with environment variables
|
||||
```sh
|
||||
docker run -v /host/path/to/certs:/certs -e TLS_CERTIFICATE=/certs/my.crt -e TLS_PRIVATE_KEY=/certs/my.key quay.io/influxdb/chronograf:latest
|
||||
```
|
||||
|
||||
### Testing with self-signed certificates
|
||||
In a production environment you should not use self-signed certificates. However,
|
||||
for testing it is fast to create your own certs.
|
||||
|
||||
To create a cert and key in one file with openssl:
|
||||
|
||||
```sh
|
||||
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout testing.pem -out testing.pem -subj "/CN=localhost" -days 365
|
||||
```
|
||||
|
||||
If the cert and the key are in the same file, you don't have to specify the
|
||||
`TLS_PRIVATE_KEY` option.
|
||||
|
||||
Next, set the environment variable `TLS_CERTIFICATE`:
|
||||
```sh
|
||||
export TLS_CERTIFICATE=$PWD/testing.pem
|
||||
```
|
||||
|
||||
Run chronograf:
|
||||
|
||||
```sh
|
||||
./chronograf
|
||||
INFO[0000] Serving chronograf at https://[::]:8888 component=server
|
||||
```
|
||||
|
||||
In the first log message you should `https` rather than `http`.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Loading…
Reference in New Issue