api_key.* configuration options
You can specify the following options in the apm-server.api_key.* section of the apm-server.yml configuration file.
They apply to API key communication between the APM Server and APM Agents.
These are different from the API key settings used for the Elasticsearch output and monitoring.
enabled
Enable API key authorization by setting enabled to true.
Agents will include a valid API key in the following format: Authorization: ApiKey <token>.
The key must be the base64 encoded representation of the API key’s id:name.
By default, enabled is set to false, and API key support is disabled.
limit
Each unique API key triggers one request to Elasticsearch.
This setting restricts the number of unique API keys allowed per minute.
The minimum value for this setting should be the number of API keys configured in your monitored services.
The default limit is 100.
api_key.elasticsearch.* configuration options
All of the api_key.elasticsearch.* configurations are optional.
If none are set, configuration settings from the apm-server.output section will be reused.
elasticsearch.hosts
API keys are fetched from Elasticsearch. This configuration needs to point to a secured Elasticsearch cluster that is able to serve API key requests.
elasticsearch.protocol
The name of the protocol Elasticsearch is reachable on.
The options are: http or https. The default is http.
If nothing is configured, configuration settings from the output section will be reused.
elasticsearch.path
An optional HTTP path prefix that is prepended to the HTTP API calls.
If nothing is configured, configuration settings from the output section will be reused.
elasticsearch.proxy_url
The URL of the proxy to use when connecting to the Elasticsearch servers.
The value may be either a complete URL or a "host[:port]", in which case the "http" scheme is assumed.
If nothing is configured, configuration settings from the output section will be reused.
elasticsearch.timeout
The HTTP request timeout in seconds for the Elasticsearch request.
If nothing is configured, configuration settings from the output section will be reused.
api_key.elasticsearch.ssl.* configuration options
SSL is off by default. Set elasticsearch.protocol to https if you want to enable https.
elasticsearch.ssl.enabled
Enable custom SSL settings. Set to false to ignore custom SSL settings for secure communication.
elasticsearch.ssl.verification_mode
Configure SSL verification mode.
If verification_mode is set to none, all server hosts and certificates will be accepted.
In this mode, SSL-based connections are susceptible to man-in-the-middle attacks.
Use only for testing. Default is full.
elasticsearch.ssl.supported_protocols
List of supported/valid TLS versions. By default, all TLS versions from 1.0 to 1.2 are enabled.
elasticsearch.ssl.certificate_authorities
List of root certificates for HTTPS server verifications.
elasticsearch.ssl.certificate
The path to the certificate for SSL client authentication.
elasticsearch.ssl.key
The client certificate key used for client authentication. This option is required if certificate is specified.
elasticsearch.ssl.key_passphrase
An optional passphrase used to decrypt an encrypted key stored in the configured key file. It is recommended to use the provided keystore instead of entering the passphrase in plain text.
elasticsearch.ssl.cipher_suites
The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended).
elasticsearch.ssl.curve_types
The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
elasticsearch.ssl.renegotiation
Configure what types of renegotiation are supported.
Valid options are never, once, and freely. Default is never.
- never - Disables renegotiation.
- once - Allows a remote server to request renegotiation once per connection.
- freely - Allows a remote server to repeatedly request renegotiation.
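The following is an added example, not part of the APM Server documentation or code: a Python check that resolves the effective api_key.elasticsearch.* settings using the reuse-from-output rule described on this page, then flags the values the page warns about. It assumes the YAML has already been loaded into dicts with flat dotted keys; the function names, the sample values and the ${...} keystore reference pattern are assumptions.

```python
import re

# Defaults and per-option output fallbacks as stated on the page.
DEFAULTS = {"protocol": "http", "ssl.verification_mode": "full"}
FALLBACK_KEYS = ("protocol", "path", "proxy_url", "timeout")
KEYSTORE_REF = re.compile(r"^\$\{[^}]+\}$")  # assumed form, e.g. ${ES_KEY_PASS}


def effective(api_es, output_es):
    """Resolve the settings used for API key lookups (flat dotted keys)."""
    merged = dict(api_es) if api_es else dict(output_es)  # empty: reuse output
    for key in FALLBACK_KEYS:
        if key not in merged and key in output_es:
            merged[key] = output_es[key]
    for key, value in DEFAULTS.items():
        merged.setdefault(key, value)
    return merged


def audit(api_key, output_es, service_keys):
    """Return findings for a parsed apm-server.api_key section."""
    if not api_key.get("enabled", False):
        return ["enabled is false: API key support is disabled"]
    findings = []
    if api_key.get("limit", 100) < service_keys:
        findings.append("limit is below the number of API keys in use")
    es = effective(api_key.get("elasticsearch", {}), output_es)
    if es["protocol"] != "https":
        findings.append("protocol is http: SSL is off for API key lookups")
    if es["ssl.verification_mode"] == "none":
        findings.append("verification_mode none: open to man-in-the-middle")
    if "ssl.certificate" in es and "ssl.key" not in es:
        findings.append("ssl.certificate is set without ssl.key")
    passphrase = es.get("ssl.key_passphrase")
    if passphrase and not KEYSTORE_REF.match(passphrase):
        findings.append("ssl.key_passphrase is in plain text: use the keystore")
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_OUTPUT = {"hosts": ["es.example.internal:9200"], "protocol": "https"}
SAMPLE_API_KEY = {
    "enabled": True, "limit": 5,
    "elasticsearch": {
        "ssl.verification_mode": "none",
        "ssl.certificate": "/etc/apm-server/client.crt",
        "ssl.key_passphrase": "example-passphrase",
    },
}
if __name__ == "__main__":
    for finding in audit(SAMPLE_API_KEY, SAMPLE_OUTPUT, service_keys=12):
        print("-", finding)
```

In the sample, protocol is not set under api_key.elasticsearch, so the https value from the output section is reused and no protocol finding is raised.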