Influxdata
/
docs-v2
mirror of https://github.com/influxdata/docs-v2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #722 from influxdata/tls-revision 

Revise TLS instructions
pull/724/head
pierwill 2020-01-21 11:37:18 -08:00 committed by GitHub
parent 9fb62ba571 cd1c204522
commit 3792ab023c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
content/v2.0/security/enable-tls.md
View File

@ -10,8 +10,13 @@ menu:
v2.0/tags: [security, authentication, tls, https, ssl] v2.0/tags: [security, authentication, tls, https, ssl]
--- ---
Enabling HTTPS encrypts the communication between clients and the InfluxDB server. Enabling TLS encrypts the communication between clients and the InfluxDB server.
When configured with a signed certificate, HTTPS can also verify the authenticity of the InfluxDB server to connecting clients. When configured with a signed certificate, TLS also allows clients to verify the authenticity of the InfluxDB server.
To set up TLS over HTTPS, do the following:
- [Obtain requirements](#requirements)
- [Configure InfluxDB to use TLS](#configure-influxdb-to-use-tls)
{{% warn %}} {{% warn %}}
InfluxData **strongly recommends** enabling HTTPS, especially if you plan on sending requests to InfluxDB over a network. InfluxData **strongly recommends** enabling HTTPS, especially if you plan on sending requests to InfluxDB over a network.
@ -19,37 +24,53 @@ InfluxData **strongly recommends** enabling HTTPS, especially if you plan on sen
## Requirements ## Requirements
To enable HTTPS with InfluxDB, you need a Transport Layer Security (TLS) certificate (also known as a Secured Sockets Layer (SSL) certificate). To enable HTTPS with InfluxDB, you need a Transport Layer Security (TLS) certificate, also known as a Secured Sockets Layer (SSL) certificate.
InfluxDB supports three types of TLS certificates: InfluxDB supports three types of TLS certificates:
### Single domain certificates signed by a Certificate Authority * **Single domain certificates signed by a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority)**
Single domain certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server. Single domain certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server.
These certificates are signed and issued by a trusted, third-party Certificate Authority (CA). These certificates are signed and issued by a trusted, third-party Certificate Authority (CA).
With this certificate option, every InfluxDB instance requires a unique single domain certificate. With this certificate option, every InfluxDB instance requires a unique single domain certificate.
### Wildcard certificates signed by a Certificate Authority * **Wildcard certificates signed by a Certificate Authority**
Wildcard certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server. Wildcard certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server.
Wildcard certificates can be used across multiple InfluxDB instances on different servers. Wildcard certificates can be used across multiple InfluxDB instances on different servers.
### Self-signed certificates * **Self-signed certificates**
Self-signed certificates are _not_ signed by a trusted, third-party CA. Self-signed certificates are _not_ signed by a trusted, third-party CA.
Unlike CA-signed certificates, self-signed certificates only provide cryptographic security to HTTPS requests. Unlike CA-signed certificates, self-signed certificates only provide cryptographic security to HTTPS requests.
They do not allow clients to verify the identity of the InfluxDB server. They do not allow clients to verify the identity of the InfluxDB server.
With this certificate option, every InfluxDB instance requires a unique self-signed certificate. With this certificate option, every InfluxDB instance requires a unique self-signed certificate.
You can generate a self-signed certificate on your own machine. You can generate a self-signed certificate on your own machine.
<!-- InfluxDB supports certificates composed of a private key file (`.key`) and a signed certificate file (`.crt`) file pair, --> <!-- InfluxDB supports certificates composed of a private key file (`.key`) and a signed certificate file (`.crt`) file pair, -->
<!-- as well as certificates that combine the private key file and the signed certificate file into a single bundled file (`.pem`). --> <!-- as well as certificates that combine the private key file and the signed certificate file into a single bundled file (`.pem`). -->
## Enable HTTPS with a CA-signed certificate ## Configure InfluxDB to use TLS
1. **Install the certificate** 1. **Download or generate certificate files**
Place the private key file (`.key`) and the signed certificate file (`.crt`) in the `/etc/ssl/` directory. If using a certificate provided by a CA, follow their instructions to download the certificate files.
If using a self-signed certificate, use the `openssl` utility to create a certificate.
The following command generates a private key file (.key) and a self-signed certificate file (.crt) with required permissions
and saves them to `/etc/ssl/`.
(Other paths will also work.) (Other paths will also work.)
Files remain valid for the specified `NUMBER_OF_DAYS`.
```sh
sudo openssl req -x509 -nodes -newkey rsa:2048 \
-keyout /etc/ssl/influxdb-selfsigned.key \
-out /etc/ssl/influxdb-selfsigned.crt \
-days <NUMBER_OF_DAYS>
```
The command will prompt you for more information.
You can choose to fill out these fields or leave them blank; both actions generate valid certificate files.
2. **Set certificate file permissions** 2. **Set certificate file permissions**
@ -72,53 +93,20 @@ You can generate a self-signed certificate on your own machine.
```bash ```bash
influxd \ influxd \
--tls-cert "/etc/ssl/influxdb-selfsigned.crt" \ --tls-cert "<path-to-crt>" \
--tls-key "/etc/ssl/influxdb-selfsigned.key" --tls-key "<path-to-key>"
``` ```
4. **Verify TLS connection** 4. **Verify TLS connection**
Ensure you can connect over HTTPS by running Ensure you can connect over HTTPS by running
``` ```
curl -v https://influxdb:9999/api/v2/ping curl -v https://influxdb:9999/api/v2/ping
``` ```
With this command, you should see output confirming a succussful TLS handshake. If using a self-signed certificate, use the `-k` flag to skip certificate verification:
## Enable HTTPS with a self-signed certificate
1. **Generate a self-signed certificate**
Use the `openssl` utility (preinstalled on many OSes) to create a certificate.
The following command generates a private key file (`.key`) and a self-signed
certificate file (`.crt`) which remain valid for the specified `NUMBER_OF_DAYS`.
It outputs those files to `/etc/ssl/` and gives them the required permissions.
(Other paths will also work.)
```bash
sudo openssl req -x509 -nodes -newkey rsa:2048 \
-keyout /etc/ssl/influxdb-selfsigned.key \
-out /etc/ssl/influxdb-selfsigned.crt \
-days <NUMBER_OF_DAYS>
```
When you execute the command, it will prompt you for more information.
You can choose to fill out that information or leave it blank; both actions generate valid certificate files.
2. **Run `influxd` with TLS flags**
Start InfluxDB with TLS command line flags:
```bash
influxd \
--tls-cert "/etc/ssl/influxdb-selfsigned.crt" \
--tls-key "/etc/ssl/influxdb-selfsigned.key"
```
3. **Verify TLS connection**
Ensure you can connect over HTTPS by running
``` ```
curl -vk https://influxdb:9999/api/v2/ping curl -vk https://influxdb:9999/api/v2/ping