---
title: HTTPS and authentication
sort_rank: 11
---
# HTTPS and authentication
Alertmanager supports basic authentication and TLS.
This is **experimental** and might change in the future.
Currently TLS is supported for the HTTP traffic and gossip traffic.
## HTTP Traffic
To specify which web configuration file to load, use the `--web.config.file` flag.
The file is written in [YAML format](https://en.wikipedia.org/wiki/YAML),
defined by the scheme described below.
Brackets indicate that a parameter is optional. For non-list parameters the
value is set to the specified default.
The file is read upon every HTTP request, so that any change in the
configuration and the certificates is picked up immediately.
Generic placeholders are defined as follows:
* `<boolean>`: a boolean that can take the values `true` or `false`
* `<filename>`: a valid path in the current working directory
* `<secret>`: a regular string that is a secret, such as a password
* `<string>`: a regular string
```
tls_server_config:
# Certificate and key files for the server to use to authenticate to the client.
cert_file: <filename>
key_file: <filename>
# Server policy for client authentication. Maps to ClientAuth Policies.
# For more detail on clientAuth options:
# https://golang.org/pkg/crypto/tls/#ClientAuthType
#
# NOTE: If you want to enable client authentication, you need to use
# RequireAndVerifyClientCert. Other values are insecure.
[ client_auth_type: <string> | default = "NoClientCert" ]
# CA certificate for client certificate authentication to the server.
[ client_ca_file: <filename> ]
# Minimum TLS version that is acceptable.
[ min_version: <string> | default = "TLS12" ]
# Maximum TLS version that is acceptable.
[ max_version: <string> | default = "TLS13" ]
# List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
# Go default cipher suites are used. Available cipher suites are documented
# in the go documentation:
# https://golang.org/pkg/crypto/tls/#pkg-constants
[ cipher_suites:
[ - <string> ] ]
# prefer_server_cipher_suites controls whether the server selects the
# client's most preferred ciphersuite, or the server's most preferred
# ciphersuite. If true then the server's preference, as expressed in
# the order of elements in cipher_suites, is used.
[ prefer_server_cipher_suites: <boolean> | default = true ]
# Elliptic curves that will be used in an ECDHE handshake, in preference
# order. Available curves are documented in the go documentation:
# https://golang.org/pkg/crypto/tls/#CurveID
[ curve_preferences:
[ - <string> ] ]
http_server_config:
# Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
# This cannot be changed on the fly.
[ http2: <boolean> | default = true ]
# List of headers that can be added to HTTP responses.
[ headers:
# Set the Content-Security-Policy header to HTTP responses.
# Unset if blank.
[ Content-Security-Policy: <string> ]
# Set the X-Frame-Options header to HTTP responses.
# Unset if blank. Accepted values are deny and sameorigin.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
[ X-Frame-Options: <string> ]
# Set the X-Content-Type-Options header to HTTP responses.
# Unset if blank. Accepted value is nosniff.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
[ X-Content-Type-Options: <string> ]
# Set the X-XSS-Protection header to HTTP responses.
# Unset if blank.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[ X-XSS-Protection: <string> ]
# Set the Strict-Transport-Security header to HTTP responses.
# Unset if blank.
# Please make sure that you use this with care as this header might force
# browsers to load Prometheus and the other applications hosted on the same
# domain and subdomains over HTTPS.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
[ Strict-Transport-Security: <string> ] ]
# Usernames and hashed passwords that have full access to the web
# server via basic authentication. If empty, no basic authentication is
# required. Passwords are hashed with bcrypt.
basic_auth_users:
[ <string>: <secret> ... ]
```
## Gossip Traffic
To specify whether to use mutual TLS for gossip, use the `--cluster.tls-config` flag.
The server and client sides of the gossip are configurable.
```
tls_server_config:
# Certificate and key files for the server to use to authenticate to the client.
cert_file: <filename>
key_file: <filename>
# Server policy for client authentication. Maps to ClientAuth Policies.
# For more detail on clientAuth options:
# https://golang.org/pkg/crypto/tls/#ClientAuthType
#
# NOTE: If you want to enable client authentication (mutual TLS), you need to
# use RequireAndVerifyClientCert. Other values are insecure.
[ client_auth_type: <string> | default = "NoClientCert" ]
# CA certificate for client certificate authentication to the server.
[ client_ca_file: <filename> ]
# Minimum TLS version that is acceptable.
[ min_version: <string> | default = "TLS12" ]
# Maximum TLS version that is acceptable.
[ max_version: <string> | default = "TLS13" ]
# List of supported cipher suites for TLS versions up to TLS 1.2. If empty,
# Go default cipher suites are used. Available cipher suites are documented
# in the go documentation:
# https://golang.org/pkg/crypto/tls/#pkg-constants
[ cipher_suites:
[ - <string> ] ]
# prefer_server_cipher_suites controls whether the server selects the
# client's most preferred ciphersuite, or the server's most preferred
# ciphersuite. If true then the server's preference, as expressed in
# the order of elements in cipher_suites, is used.
[ prefer_server_cipher_suites: <boolean> | default = true ]
# Elliptic curves that will be used in an ECDHE handshake, in preference
# order. Available curves are documented in the go documentation:
# https://golang.org/pkg/crypto/tls/#CurveID
[ curve_preferences:
[ - <string> ] ]
tls_client_config:
# Path to the CA certificate with which to validate the server certificate.
[ ca_file: <filename> ]
# Certificate and key files for client cert authentication to the server.
[ cert_file: <filename> ]
[ key_file: <filename> ]
# Server name extension to indicate the name of the server.
# http://tools.ietf.org/html/rfc4366#section-3.1
[ server_name: <string> ]
# Disable validation of the server certificate.
[ insecure_skip_verify: <boolean> | default = false ]
```