github.com/quite/nomad@v0.8.6/website/source/docs/agent/configuration/tls.html.md (about) 1 --- 2 layout: "docs" 3 page_title: "tls Stanza - Agent Configuration" 4 sidebar_current: "docs-agent-configuration-tls" 5 description: |- 6 The "tls" stanza configures Nomad's TLS communication via HTTP and RPC to 7 enforce secure cluster communication between servers, clients, and between. 8 --- 9 10 # `tls` Stanza 11 12 <table class="table table-bordered table-striped"> 13 <tr> 14 <th width="120">Placement</th> 15 <td> 16 <code>**tls**</code> 17 </td> 18 </tr> 19 </table> 20 21 The `tls` stanza configures Nomad's TLS communication via HTTP and RPC to 22 enforce secure cluster communication between servers, clients, and between. 23 24 ```hcl 25 tls { 26 http = true 27 rpc = true 28 } 29 ``` 30 31 ~> Incorrect configuration of the TLS configuration can result in failure to 32 start the Nomad agent. 33 34 This section of the documentation only covers the configuration options for 35 `tls` stanza. To understand how to setup the certificates themselves, please see 36 the [Agent's Gossip and RPC Encryption](/docs/agent/encryption.html). 37 38 ## `tls` Parameters 39 40 - `ca_file` `(string: "")` - Specifies the path to the CA certificate to use for 41 Nomad's TLS communication. 42 43 - `cert_file` `(string: "")` - Specifies the path to the certificate file used 44 for Nomad's TLS communication. 45 46 - `key_file` `(string: "")` - Specifies the path to the key file to use for 47 Nomad's TLS communication. 48 49 - `http` `(bool: false)` - Specifies if TLS should be enabled on the HTTP 50 endpoints on the Nomad agent, including the API. 51 52 - `rpc` `(bool: false)` - Specifies if TLS should be enabled on the RPC 53 endpoints and [Raft][raft] traffic between the Nomad servers. Enabling this on 54 a Nomad client makes the client use TLS for making RPC requests to the Nomad 55 servers. 56 57 - `rpc_upgrade_mode` `(bool: false)` - This option should be used only when the 58 cluster is being upgraded to TLS, and removed after the migration is 59 complete. This allows the agent to accept both TLS and plaintext traffic. 60 61 - `tls_cipher_suites` `(array<string>: [])` - Specifies the TLS cipher suites 62 that will be used by the agent. Known insecure ciphers are disabled (3DES and 63 RC4). By default, an agent is configured to use 64 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 65 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 66 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 67 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 68 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 69 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 70 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 71 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 72 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and 73 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. 74 75 - `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version 76 of TLS. Accepted values are "tls10", "tls11", "tls12". 77 78 - `tls_prefer_server_cipher_suites` `(bool: false)` - Specifies whether 79 TLS connections should prefer the server's ciphersuites over the client's. 80 81 - `verify_https_client` `(bool: false)` - Specifies agents should require 82 client certificates for all incoming HTTPS requests. The client certificates 83 must be signed by the same CA as Nomad. 84 85 - `verify_server_hostname` `(bool: false)` - Specifies if outgoing TLS 86 connections should verify the server's hostname. 87 88 ## `tls` Examples 89 90 The following examples only show the `tls` stanzas. Remember that the 91 `tls` stanza is only valid in the placements listed above. 92 93 ### Enabling TLS 94 95 This example shows enabling TLS configuration. This enables TLS communication 96 between all servers and clients using the default system CA bundle and 97 certificates. 98 99 ```hcl 100 tls { 101 http = true 102 rpc = true 103 104 ca_file = "/etc/certs/ca.crt" 105 cert_file = "/etc/certs/nomad.crt" 106 key_file = "/etc/certs/nomad.key" 107 } 108 ``` 109 110 [raft]: https://github.com/hashicorp/serf "Serf by HashiCorp"