Set up TLS without reverse proxy

StackState Self-hosted v5.1.x

StackState prefers Kubernetes! In the future we will move away from Linux support. Read how to .

This document provides the steps to set up TLS on StackState application side with no reverse proxy configured.

Prerequisites

Prepare a TLS keypair in format. Certificate should include the hostname by which StackState will be accessed, for example, stackstate.infra.company.tld.

Configure StackState

Step 1. Configure applications

a. Enable TLS for Web UI/API by configuring section stackstate.api.tls in etc/application_stackstate.conf:


stackstate {
   ...
   api {
     tls {
       enabled = true
       keystore {
          path = "/path/to/keystore.pfx"
          password = "password"
          storeType = "PKCS12"
       }
     }
   ...

b. Enable TLS for topology/telemetry receiver by configuring a section stackstate.receiver.tls in etc/stackstate-receiver/application.conf:

stackstate.receiver {
  ...
  tls {
    enabled = true
    keystore {
      path = "/path/to/keystore.pfx"
      password = "password"
      storeType = "PKCS12"
    }
  }

Step 2. Configure the process manager

a. Configure health check URL (properties.receiver-healthcheckuri) in etc/processmanager/processmanager-properties.conf using https protocol and the hostname:

 receiver-healthcheckuri = "https://stackstate.infra.company.tld:7077/health"

b. (optional, if a self-signed certificate is used) Make process manager trust self-signed certificate by adding the following settings under server.akka section in etc/processmanager/processmanager-properties.conf:

server {
  akka {  
    ...
    ssl-config {
      trustManager = {
        stores = [
          {type: "PEM", path: "/path/to/certificate-authority.pem"},
        ]
      }
    }
  ...

Step 3. Configure StackPacks configuration defaults

Configure the default receiver URL (stackstate.receiver.baseUrl) in etc/application_stackstate.conf using https protocol and the hostname:

stackstate.receiver.baseUrl = "https://stackstate.infra.company.tld:7077"

Step 4. Apply changes

Restart StackState to apply these changes:

sudo systemctl restart stackstate.service

Configure StackState Agent

Option 1. Agent running in Docker

a. (optional, for self-signed certificates) Prepare a self-signed certificate to be mounted into the container:

mkdir self-signed-certs
cd self-signed-certs
cp /path/to/certificate-authority.pem ./ca.crt
cp ./ca.crt ./ca-certificates.crt

b. Update the Docker container parameters with:

configured URLs with https and the hostname in environment variables for receiver endpoints
- STS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent
- STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent
- STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent
(for self-signed) mount prepared certificates into /etc/ssl/certs of a container

Example:

docker run -ti --rm\
    -e STS_API_KEY=<api key>
    -v /path/to/self-signed-certs:/etc/ssl/certs \
    -e STS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent \
    -e STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent \
    -e STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent \
    stackstate/stackstate-agent-2:2.1.0

Option 2. Agent running on machine

a. Update the receiver URLs using https and the hostname in /etc/stackstate-agent/stackstate.yaml:

sts_url: https://stackstate.infra.company.tld:7077/stsAgent
process_sts_url: https://stackstate.infra.company.tld:7077/stsAgent
apm_sts_url: https://stackstate.infra.company.tld:7077/stsAgent

b. If a self-signed certificate is used, then import it with the default keystore of the operating system. Ubuntu:

cp /path/to/certificate-authority.pem /usr/local/share/ca-certificates/stackstate.crt # extension .crt is important here
sudo update-ca-certificates

PreviousSet up a reverse proxy NextInitial run guide

Last updated 2 years ago