我正在按照步骤使用 td-agent 启用 TLS/SSL 加密,但无法通过测试 ( https://docs.fluentd.org/v1.0/articles/in_forward#how-to-enable-tls/ssl-encryption ):
1) 创建证书,
$ openssl req -new -x509 -sha256 -days 1095 -newkey rsa:2048 -keyout fluentd.key -out fluentd.crt
2)安装它们,
$ sudo mkdir -p /etc/td-agent/certs
$ sudo mv fluentd.key fluentd.crt /etc/td-agent/certs
$ sudo chown td-agent:td-agent -R /etc/td-agent/certs
$ sudo chmod 700 /etc/td-agent/certs/
$ sudo chmod 400 /etc/td-agent/certs/fluentd.key
3)配置td-agent.conf,
$ sudo cat /etc/td-agent/td-agent.conf
<source>
@type forward
<transport>
cert_path /etc/td-agent/certs/fluentd.crt
private_key_path /etc/td-agent/certs/fluentd.key
private_key_passphrase testing
</transport>
</source>
<match debug.**>
@type stdout
</match>
4)重新启动服务,
$ sudo systemctl restart td-agent
5)当我尝试测试时,
$ echo -e '\x93\xa9debug.tls\xceZr\xbc1\x81\xa3foo\xa3bar' | openssl s_client -connect localhost:24224
我在/var/log/td-agent/td-agent.log tail 上得到了这个,
2018-05-05 12:06:08 -0300 [info]: #0 fluentd worker is now running worker=0
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=22 2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=3
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=1 2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=1
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=44
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=1
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=0
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=1
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=40 2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=3
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=3 2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg="C\x91\xA4Qz\xB4\xD2\xF1\x85&2\u07F5\u0004\xC2F\x9C\xEDt\x89\u0012\xF2\u0535"
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=33
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=13
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=103
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=65
2018-05-05 12:06:33 -0300 [warn]: #0 incoming chunk is broken: host="127.0.0.1" msg=103
2018-05-05 12:06:33 -0300 [error]: #0 unexpected error on reading data host="127.0.0.1" port=59102 error_class=MessagePack::MalformedFormatError error="invalid byte"
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/fluentd-1.0.2/lib/fluent/plugin/in_forward.rb:247:in `feed_each'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/fluentd-1.0.2/lib/fluent/plugin/in_forward.rb:247:in `block (2 levels) in read_messages'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/fluentd-1.0.2/lib/fluent/plugin/in_forward.rb:256:in `block in read_messages'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/fluentd-1.0.2/lib/fluent/plugin_helper/server.rb:588:in `on_read_without_connection'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/cool.io-1.5.3/lib/cool.io/io.rb:123:in `on_readable'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/cool.io-1.5.3/lib/cool.io/io.rb:186:in `on_readable'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/cool.io-1.5.3/lib/cool.io/loop.rb:88:in `run_once'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/cool.io-1.5.3/lib/cool.io/loop.rb:88:in `run'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/fluentd-1.0.2/lib/fluent/plugin_helper/event_loop.rb:84:in `block in start'
2018-05-05 12:06:33 -0300 [error]: #0 /opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/fluentd-1.0.2/lib/fluent/plugin_helper/thread.rb:78:in `block in thread_create'
为了确保我已经测试了自签名 key /crt 对,
$ openssl rsa -modulus -noout -in fluentd.key | openssl md5
Enter pass phrase for fluentd.key:
(stdin)= b149fbd30d9192f3c3b5e445f757bbf1
$ openssl x509 -modulus -noout -in fluentd.crt | openssl md5
(stdin)= b149fbd30d9192f3c3b5e445f757bbf1
我在 ubuntu 服务器 16.04 上运行 td-agent 1.0.2。
说实话,我不知道到底该从哪里继续..
最佳答案
我遇到了同样的问题,经过几个小时的调查后我能够解决它。
问题出在 [transport tls] block 上,官方文档位于 https://docs.fluentd.org/v1.0/articles/in_forward从 block 中省略tls。 添加 tls 解决了问题。
总之,将您的 in_forward 编辑为以下内容:
<source>
@type forward
<transport tls>
cert_path ....
private_key_path ...
private_key_passphrase YOUR_PASSPHRASE
</transport>
编辑完成后,echo 测试命令将会成功。
echo -e '\x93\xa9debug.tls\xceZr\xbc1\x81\xa3foo\xa3bar' | openssl s_client -connect localhost:24224
Fluentd 日志输出:
018-05-14 19:15:55.906208368 +0100 fluent.info: {"worker":0,"message":"fluentd worker is now running worker=0"}
2018-02-01 07:05:21.000000000 +0000 debug.tls: {"foo":"bar"}
关于fluentd - 如何让 fluidd/td-agent TLS/SSL 加密使 in_forward 发挥作用?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50190993/