HTTPS and authentication

    Currently TLS is supported for the HTTP traffic and gossip traffic.

    The file is written in YAML format, defined by the scheme described below. Brackets indicate that a parameter is optional. For non-list parameters the value is set to the specified default.

    Generic placeholders are defined as follows:

    • <boolean>: a boolean that can take the values true or false
    • <filename>: a valid path in the current working directory
    • <secret>: a regular string that is a secret, such as a password
    • <string>: a regular string

    Gossip Traffic

    The server and client sides of the gossip are configurable.

    1. tls_server_config:
    2.   # Certificate and key files for server to use to authenticate to client.
    3.   cert_file: <filename>
    4.   key_file: <filename>
    6.   # Server policy for client authentication. Maps to ClientAuth Policies.
    7.   # For more detail on clientAuth options:
    8.   # https://golang.org/pkg/crypto/tls/#ClientAuthType
    9.   [ client_auth_type: <string> | default = "NoClientCert" ]
    11.   # CA certificate for client certificate authentication to the server.
    12.   [ client_ca_file: <filename> ]
    13.   # Minimum TLS version that is acceptable.
    14.   [ min_version: <string> | default = "TLS12" ]
    16.   # Maximum TLS version that is acceptable.
    17.   [ max_version: <string> | default = "TLS13" ]
    19.   # List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
    20.   # Go default cipher suites are used. Available cipher suites are documented
    21.   # in the go documentation:
    22.   # https://golang.org/pkg/crypto/tls/#pkg-constants
    23.   [ cipher_suites:
    24.     [ - <string> ] ]
    26.   # prefer_server_cipher_suites controls whether the server selects the
    27.   # client's most preferred ciphersuite, or the server's most preferred
    28.   # ciphersuite. If true then the server's preference, as expressed in
    29.   # the order of elements in cipher_suites, is used.
    30.   [ prefer_server_cipher_suites: <bool> | default = true ]
    32.   # order. Available curves are documented in the go documentation:
    33.   # https://golang.org/pkg/crypto/tls/#CurveID
    34.   [ curve_preferences:
    35.     [ - <string> ] ]
    37. tls_client_config:
    38.   # Path to the CA certificate with which to validate the server certificate.
    39.   [ ca_file: <filepath> ]
    41.   # Certificate and key files for client cert authentication to the server.
    42.   [ cert_file: <filepath> ]
    43.   [ key_file: <filepath> ]
    45.   # Server name extension to indicate the name of the server.
    46.   # http://tools.ietf.org/html/rfc4366#section-3.1
    47.   [ server_name: <string> ]
    49.   [ insecure_skip_verify: <boolean> | default = false]