github.com/thanos-io/thanos@v0.32.5/docs/operating/https.md (about)

# Running Thanos with HTTPS and basic authentication

Thanos supports basic authentication and TLS. This is **experimental** and might change in the future.

To specify which HTTP TLS configuration file to load, use the `--http.config` flag. The file is written in [YAML format](https://en.wikipedia.org/wiki/YAML), defined by the scheme described below.

## Scheme

Brackets indicate that a parameter is optional. For non-list parameters the value is set to the specified default. The file is read upon every HTTP request, so any change in the configuration or the certificates is picked up immediately.

Generic placeholders are defined as follows:

- `<boolean>`: a boolean that can take the values `true` or `false`
- `<filename>`: a valid path in the current working directory
- `<secret>`: a regular string that is a secret, such as a password
- `<string>`: a regular string

```yaml
tls_server_config:
  # Certificate and key files for server to use to authenticate to client.
  cert_file: <filename>
  key_file: <filename>

  # Server policy for client authentication. Maps to ClientAuth Policies.
  # For more detail on clientAuth options:
  # https://golang.org/pkg/crypto/tls/#ClientAuthType
  [ client_auth_type: <string> | default = "NoClientCert" ]

  # CA certificate for client certificate authentication to the server.
  [ client_ca_file: <filename> ]

  # Minimum TLS version that is acceptable.
  [ min_version: <string> | default = "TLS12" ]

  # Maximum TLS version that is acceptable.
  [ max_version: <string> | default = "TLS13" ]

  # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
  # Go default cipher suites are used. Available cipher suites are documented
  # in the Go documentation:
  # https://golang.org/pkg/crypto/tls/#pkg-constants
  [ cipher_suites:
    [ - <string> ] ]

  # prefer_server_cipher_suites controls whether the server selects the
  # client's most preferred ciphersuite, or the server's most preferred
  # ciphersuite. If true then the server's preference, as expressed in
  # the order of elements in cipher_suites, is used.
  [ prefer_server_cipher_suites: <boolean> | default = true ]

  # Elliptic curves that will be used in an ECDHE handshake, in preference
  # order. Available curves are documented in the Go documentation:
  # https://golang.org/pkg/crypto/tls/#CurveID
  [ curve_preferences:
    [ - <string> ] ]

http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This cannot be changed on the fly.
  [ http2: <boolean> | default = true ]

# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
basic_auth_users:
  [ <string>: <secret> ... ]
```

## Example

An example configuration file is provided below:

```yaml
# A certificate and a key file are needed.
tls_server_config:
  cert_file: server.crt
  key_file: server.key

# Usernames and passwords required to connect to Thanos.
# Passwords are hashed with bcrypt.
basic_auth_users:
  alice: $2y$10$mDwo.lAisC94iLAyP81MCesa29IzH37oigHC/42V2pdJlUprsJPze
  bob: $2y$10$hLqFl9jSjoAAy95Z/zw8Ye8wkdMBM8c5Bn1ptYqP/AXyV0.oy0S8m
```
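
The `client_auth_type` key in the scheme takes the name of a Go `crypto/tls` ClientAuth policy, and only one of those policies both requires a client certificate and verifies it. The following added example (not part of the Thanos documentation or code base) reports why a given `client_auth_type` and `client_ca_file` pair falls short of that. The helper `mtlsGaps` and the sample values are hypothetical, and YAML parsing is left out.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Accepted names are the crypto/tls ClientAuthType constants linked from the scheme.
var clientAuthTypes = map[string]tls.ClientAuthType{
	"NoClientCert":               tls.NoClientCert,
	"RequestClientCert":          tls.RequestClientCert,
	"RequireAnyClientCert":       tls.RequireAnyClientCert,
	"VerifyClientCertIfGiven":    tls.VerifyClientCertIfGiven,
	"RequireAndVerifyClientCert": tls.RequireAndVerifyClientCert,
}

// mtlsGaps is a hypothetical helper: it lists every reason the two settings
// fall short of requiring a certificate verified against client_ca_file.
func mtlsGaps(clientAuthType, clientCAFile string) []string {
	if clientAuthType == "" {
		clientAuthType = "NoClientCert" // default stated in the scheme
	}
	policy, known := clientAuthTypes[clientAuthType]
	if !known {
		return []string{"unknown client_auth_type " + clientAuthType}
	}
	var gaps []string
	switch policy {
	case tls.NoClientCert:
		gaps = append(gaps, "no client certificate is requested")
	case tls.RequestClientCert:
		gaps = append(gaps, "certificate is optional and never verified")
	case tls.RequireAnyClientCert:
		gaps = append(gaps, "certificate is required but never verified")
	case tls.VerifyClientCertIfGiven:
		gaps = append(gaps, "clients that send no certificate are accepted")
	}
	verifies := policy == tls.VerifyClientCertIfGiven || policy == tls.RequireAndVerifyClientCert
	if verifies && clientCAFile == "" {
		gaps = append(gaps, "client_ca_file is unset")
	}
	return gaps
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	fmt.Println(mtlsGaps("RequireAnyClientCert", "ca.crt"))
	fmt.Println(mtlsGaps("RequireAndVerifyClientCert", "ca.crt"))
}
```

An empty result means certificate authentication is enforced. A non-empty result is not necessarily a misconfiguration when `basic_auth_users` is the intended access control.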