Set up TLS without reverse proxy
StackState Self-hosted v5.1.x
This document provides the steps to set up TLS on the StackState application side, with no reverse proxy configured.
Prerequisites
Prepare a TLS keypair in PKCS12 format. The certificate should include the hostname by which StackState will be accessed, for example, stackstate.infra.company.tld.
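One way to prepare and check such a keypair for a test install with a self-signed certificate, as an added example that is not part of the StackState documentation. The file names, the stackstate alias, the 365-day validity and the password file are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: build a self-signed PKCS12 keypair and confirm that the
# certificate covers the hostname clients will use to reach StackState.
# File names, alias, validity and the password file are assumptions.

# make_p12 HOST OUTDIR PASSFILE -> writes OUTDIR/stackstate.p12
make_p12() {
    host=$1; out=$2; passfile=$3
    # Private key plus self-signed certificate. The hostname goes into
    # subjectAltName, because TLS clients match on SAN rather than CN.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$out/key.pem" -out "$out/cert.pem" 2>/dev/null || return 1
    # Bundle key and certificate into PKCS12; the password is read from a
    # file so it does not show up in the process list or shell history.
    openssl pkcs12 -export -name stackstate \
        -inkey "$out/key.pem" -in "$out/cert.pem" \
        -out "$out/stackstate.p12" -passout "file:$passfile" || return 1
    # Both files contain the private key: owner-only access.
    chmod 600 "$out/key.pem" "$out/stackstate.p12"
}

# p12_covers_host P12 PASSFILE HOST -> exit status 0 if the certificate
# stored in the PKCS12 file is valid for HOST, non-zero otherwise.
p12_covers_host() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -checkhost "$3" 2>/dev/null |
        grep -q "does match certificate"
}
```

Run p12_covers_host against a CA-issued PKCS12 file as well before configuring StackState: a certificate that does not list the access hostname makes agents and the process manager health check fail TLS verification.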
Configure StackState
Step 1. Configure applications
a. Enable TLS for the Web UI/API by configuring the section stackstate.api.tls in etc/application_stackstate.conf:
b. Enable TLS for the topology/telemetry receiver by configuring the section stackstate.receiver.tls in etc/stackstate-receiver/application.conf:
Step 2. Configure the process manager
a. Configure the health check URL (properties.receiver-healthcheckuri) in etc/processmanager/processmanager-properties.conf using the https protocol and the hostname:
b. (optional, if a self-signed certificate is used) Make the process manager trust the self-signed certificate by adding the following settings under the server.akka section in etc/processmanager/processmanager-properties.conf:
Step 3. Configure StackPacks configuration defaults
Configure the default receiver URL (stackstate.receiver.baseUrl) in etc/application_stackstate.conf using the https protocol and the hostname:
Step 4. Apply changes
Restart StackState to apply these changes:
Configure StackState Agent
Option 1. Agent running in Docker
a. (optional, for self-signed certificates) Prepare a self-signed certificate to be mounted into the container:
b. Update the Docker container parameters with:
- configured URLs with https and the hostname in environment variables for receiver endpoints:
  STS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent
  STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent
  STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent
- (for self-signed) mount prepared certificates into /etc/ssl/certs of a container
Example:
Option 2. Agent running on machine
a. Update the receiver URLs using https and the hostname in /etc/stackstate-agent/stackstate.yaml:
b. If a self-signed certificate is used, import it into the default keystore of the operating system. Ubuntu: