github.com/iqoqo/nomad@v0.11.3-0.20200911112621-d7021c74d101/website/pages/docs/configuration/tls.mdx

---
layout: docs
page_title: tls Stanza - Agent Configuration
sidebar_title: tls
description: |-
  The "tls" stanza configures Nomad's TLS communication via HTTP and RPC to
  enforce secure cluster communication between servers and clients.
---

# `tls` Stanza

<Placement groups={['tls']} />

The `tls` stanza configures Nomad's TLS communication via HTTP and RPC to
enforce secure cluster communication between servers and clients.

```hcl
tls {
  http = true
  rpc  = true
}
```

~> An incorrect TLS configuration can cause the Nomad agent to fail to start.

This section of the documentation only covers the configuration options for the
`tls` stanza. To understand how to set up the certificates themselves, please see
the [Encryption Overview Guide](https://learn.hashicorp.com/nomad/transport-security/gossip-encryption).

## `tls` Parameters

- `ca_file` `(string: "")` - Specifies the path to the CA certificate to use for
  Nomad's TLS communication.

- `cert_file` `(string: "")` - Specifies the path to the certificate file used
  for Nomad's TLS communication.

- `key_file` `(string: "")` - Specifies the path to the key file to use for
  Nomad's TLS communication.

- `http` `(bool: false)` - Specifies if TLS should be enabled on the HTTP
  endpoints on the Nomad agent, including the API.

- `rpc` `(bool: false)` - Specifies if TLS should be enabled on the RPC
  endpoints and [Raft][raft] traffic between the Nomad servers. Enabling this on
  a Nomad client makes the client use TLS for making RPC requests to the Nomad
  servers.

- `rpc_upgrade_mode` `(bool: false)` - This option should be used only while the
  cluster is being upgraded to TLS, and removed after the migration is
  complete. It allows the agent to accept both TLS and plaintext traffic.

- `tls_cipher_suites` `(string: "")` - Specifies the TLS cipher suites that will
  be used by the agent, as a comma-separated string. Known insecure ciphers
  (3DES and RC4) are disabled. By default, an agent is configured to use
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

- `tls_min_version` `(string: "tls12")` - Specifies the minimum supported version
  of TLS. Accepted values are "tls10", "tls11" and "tls12".

- `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether
  TLS connections should prefer the server's cipher suites over the client's.

- `verify_https_client` `(bool: false)` - Specifies whether agents should require
  client certificates for all incoming HTTPS requests. The client certificates
  must be signed by the same CA as Nomad's own certificates.

- `verify_server_hostname` `(bool: false)` - Specifies if outgoing TLS
  connections should verify the server's hostname.

## `tls` Examples

The following examples only show the `tls` stanzas. Remember that the
`tls` stanza is only valid in the placements listed above.

### Enabling TLS

This example enables TLS for both HTTP and RPC communication between all
servers and clients, using the CA bundle, certificate and key at the given
paths.

```hcl
tls {
  http = true
  rpc  = true

  ca_file   = "/etc/certs/ca.crt"
  cert_file = "/etc/certs/nomad.crt"
  key_file  = "/etc/certs/nomad.key"
}
```

[raft]: https://github.com/hashicorp/raft 'Raft by HashiCorp'
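To make the effect of `tls_min_version`, `tls_cipher_suites` and `verify_https_client` concrete, here is an added Go example (not Nomad's own code) that maps those three parameters onto a Go `tls.Config` for an HTTPS listener, rejecting unknown and insecure cipher suite names instead of enabling them. The function names `ParseCipherSuites` and `BuildServerConfig` are hypothetical; the CA pool from `ca_file` is assumed to be loaded into `ClientCAs` by the caller.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)
var minVersions = map[string]uint16{ // documented tls_min_version values
	"tls10": tls.VersionTLS10, "tls11": tls.VersionTLS11, "tls12": tls.VersionTLS12,
}

// ParseCipherSuites resolves a comma-separated tls_cipher_suites value to suite
// IDs, accepting only suites Go lists as secure, so RC4 and other weak names fail.
func ParseCipherSuites(list string) ([]uint16, error) {
	secure := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, name := range strings.Split(list, ",") {
		if name = strings.TrimSpace(name); name == "" {
			continue // empty value ("" default) or trailing comma
		}
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("unsupported or insecure cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	return ids, nil // nil leaves Go's default suite list in place
}

// BuildServerConfig turns tls_min_version, tls_cipher_suites and verify_https_client
// into a tls.Config for an HTTPS listener; the caller loads ca_file into ClientCAs.
func BuildServerConfig(minVersion, suites string, verifyClient bool) (*tls.Config, error) {
	ver, ok := minVersions[minVersion]
	if !ok {
		return nil, fmt.Errorf("invalid tls_min_version %q", minVersion)
	}
	ids, err := ParseCipherSuites(suites)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{MinVersion: ver, CipherSuites: ids}
	if verifyClient {
		// verify_https_client: every client must present a certificate signed by the CA
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg, nil
}
```

With `verify_https_client` unset the listener accepts anonymous clients (`tls.NoClientCert`), and an empty `tls_cipher_suites` leaves Go's default list in place.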