From f75e8297725d7794f3cac8c3dfcb30459667e941 Mon Sep 17 00:00:00 2001
From: "Zsolt Gyulai (zgyulai)"
Date: Wed, 24 Sep 2025 11:52:02 +0200
Subject: [PATCH 1/2] Addedd proper tls options and declaration without json.
Signed-off-by: Zsolt Gyulai (zgyulai)
---
 .../240_webhook/000_webhook_options.md | 60 +++++++++++++++++--
 .../060_Sources/240_webhook/README.md | 13 +++-
 2 files changed, 66 insertions(+), 7 deletions(-)
diff --git a/doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md b/doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md
index 15fb23cf..430775cf 100644
--- a/doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md
+++ b/doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md
@@ -82,16 +82,64 @@ curl -H "X-Forwarded-FOR: 1.2.3.4" -X POST --data "{}" http://127.0.0.1:8080/
 Note that {{ site.product.short_name }} only trusts the header that is specified in the `proxy_header()` option. If the request includes multiple headers with the specified name, the last one is used.
 {: .notice--info}
-{% include doc/admin-guide/options/ca-dir.md %}
+## tls_ca_dir()
-{% include doc/admin-guide/options/ca-file.md %}
+|Type:| Directory name|
+|Default:| |
+
+*Description:* The name of a directory that contains a set of trusted CA certificates in PEM format. The CA certificate files have to be named after the 32-bit hash of the subject’s name. This naming can be created using the `c_rehash` utility in openssl. For an example, see Configuring TLS on the syslog-ng OSE clients. The {{ site.product.short_name }} application uses the CA certificates in this directory to validate the certificate of the peer.
+
+This option can be used together with the optional `tls_ca_file()` option.
+
+## tls_ca_file()
+
+|Type:| File name|
+|Default:| |
+
+*Description:* Optional. The name of a file that contains a set of trusted CA certificates in PEM format. The {{ site.product.short_name }} application uses the CA certificates in this file to validate the certificate of the peer.
+
+Configuration example:
+
+```config
+tls_ca_file("/etc/pki/tls/certs/ca-bundle.crt")
+```
+
+## tls_cert_file()
+
+|Type:| File name|
+|Default:| |
+
+*Description:* For HTTPS endpoints, you can use the `tls_cert_file` and `tls_key_file` options. Set `tls_cert_file` to the name of a file that contains an `X.509` certificate (or a certificate chain) in PEM format, suitable as a TLS certificate, matching the private key set in the `tls_key_file()` option. The {{ site.product.short_name }} application shows this certificate to the clients sending data to the webhook endpoints.
If the file contains a certificate chain, the file must begin with the certificate of the host, followed by the CA certificate that signed the certificate of the host, and any other signing CAs in order.
+
+## tls_key_file()
+
+|Type:| File name|
+|Default:| |
+
+*Description:* The name of a file that contains an unencrypted private key in PEM format, suitable as a TLS key. If properly configured, the {{ site.product.short_name }} application uses this private key with the matching certificate (set in the `tls_cert_file()` option).
+
+## tls_peer_verify()
+
+|Accepted values:| `yes`, `no`|
+|Default:| `no` |
+
+*Description:* Verification method of the peer. The table below summarizes the available options and their results depending on the certificate of the peer.
+
+| | | no certificate on the remote peer | invalid certificate on the remote peer | valid certificate on the remote peer |
+|-----------------------------|-----------------------------|-----------------------|---------------------------|-------------------|
+| Local peer-verify() setting: | no (optional-untrusted) | TLS-encryption | TLS-encryption | TLS-encryption |
+| | yes (required-trusted) | rejected connection | rejected connection | TLS-encryption |
+
+For untrusted certificates only the existence of the certificate is checked, but it does not have to be valid — {{ site.product.short_name }} accepts the certificate even if it is expired, signed by an unknown CA, or its CN and the name of the machine mismatches.
-{% include doc/admin-guide/options/cert-file.md %}
+ ![]({{ site.baseurl}}/assets/images/caution.png) **WARNING:** When validating a certificate, the entire certificate chain must be valid, including the CA certificate. If any certificate of the chain is invalid, {{ site.product.short_name }} will reject the connection.
+{: .notice--warning}
-{% include doc/admin-guide/options/key-file.md %}
+## tls_peer_verify()
-{% include doc/admin-guide/options/peer-verify.md %}
+|Accepted values:| `yes`, `no`|
+|Default:| `no` |
-{% include doc/admin-guide/options/use-system-cert-store.md %}
+*Description:* Use the certificate store of the system for verifying HTTPS certificates. For more information, see the [curl documentation](https://curl.se/docs/sslcerts.html).
 > *Copyright © 2025 Axoflow*
\ No newline at end of file
diff --git a/doc/_admin-guide/060_Sources/240_webhook/README.md b/doc/_admin-guide/060_Sources/240_webhook/README.md
index 1978430e..62cbd6d3 100644
--- a/doc/_admin-guide/060_Sources/240_webhook/README.md
+++ b/doc/_admin-guide/060_Sources/240_webhook/README.md
@@ -3,11 +3,22 @@ title: 'Webhook source'
 short_title: webhook
 id: adm-src-webhook
 description: >-
- From version 4.8.0 and onwards, {{ site.product.short_name }} can collect logs through a webhook using the `webhook()` and `webhook-json()` sources. The webhook-json() source automatically parses the payload using the `json-parser()`.
+ From version 4.9.0 and onwards, {{ site.product.short_name }} can collect logs through a webhook using the `webhook()` and `webhook-json()` sources. The webhook-json() source automatically parses the payload using the `json-parser()`.
 ---
 **Declaration**
+```config
+source s_webhook {
+ webhook(
+ port(8181)
+ paths(["/events","/events/(?P.*)"])
+ );
+};
+```
+
+**Declaration for webhook-json**
+
 ```config
 source s_webhook {
 webhook-json(
From 59754256b12c884000c2c2bdd187225031040985 Mon Sep 17 00:00:00 2001
From: "Zsolt Gyulai (zgyulai)"
Date: Wed, 24 Sep 2025 11:55:43 +0200
Subject: [PATCH 2/2] Fixed one pasta typeo.
Signed-off-by: Zsolt Gyulai (zgyulai)
---
 doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md b/doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md
index 430775cf..37c6ea42 100644
--- a/doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md
+++ b/doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md
@@ -135,7 +135,7 @@ For untrusted certificates only the existence of the certificate is checked, but
 ![]({{ site.baseurl}}/assets/images/caution.png) **WARNING:** When validating a certificate, the entire certificate chain must be valid, including the CA certificate. If any certificate of the chain is invalid, {{ site.product.short_name }} will reject the connection.
 {: .notice--warning}
-## tls_peer_verify()
+## tls_use_system_cert_store()
 |Accepted values:| `yes`, `no`|
 |Default:| `no` |