Set up TLS without reverse proxy

StackState Self-hosted v5.1.x

StackState prefers Kubernetes! In the future we will move away from Linux support. Read how to migrate from the Linux install of StackState to the Kubernetes install.

This document provides the steps to set up TLS on the StackState application side, with no reverse proxy configured.

Prerequisites

Prepare a TLS keypair in PKCS12 format. The certificate should include the hostname by which StackState will be accessed, for example, stackstate.infra.company.tld.
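
The following shell functions are an added example, not part of the StackState documentation: they build a throwaway self-signed PKCS12 keystore for testing and check that a keystore's certificate covers the hostname StackState will be accessed by. The function names, the stackstate alias and the use of OpenSSL 1.1.1 or later (for -addext) are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not StackState tooling.

# make_test_keystore HOST OUT_PFX PASSWORD
# Creates a self-signed certificate whose CN and subjectAltName are HOST
# and packs key + certificate into a PKCS12 file for test environments.
make_test_keystore() (
  host=$1; out=$2; pass=$3
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT          # never leave the private key behind
  umask 077
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || exit 1
  # pass: exposes the password in the process list; for a real keystore
  # prefer -passout file:<path> or -passout env:<VAR>.
  openssl pkcs12 -export -name stackstate \
    -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
    -out "$out" -passout "pass:$pass"
)

# keystore_covers_host PFX PASSWORD HOST
# Returns 0 if the certificate in PFX matches HOST, 1 if it does not,
# and 2 if the keystore cannot be opened (wrong password, not PKCS12).
keystore_covers_host() (
  pfx=$1; pass=$2; host=$3
  cert=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts \
           -passin "pass:$pass" 2>/dev/null) || exit 2
  # -checkhost prints "does match" or "does NOT match"; its exit code is
  # not a reliable signal, so the text is what gets tested.
  printf '%s\n' "$cert" |
    openssl x509 -noout -checkhost "$host" 2>/dev/null |
    grep -q 'does match'
)

# Usage (constructed values taken from this page's examples):
#   make_test_keystore stackstate.infra.company.tld keystore.pfx password
#   keystore_covers_host keystore.pfx password stackstate.infra.company.tld
```

Running keystore_covers_host against the production keystore before restarting StackState catches a hostname mismatch that agents would otherwise report only as a failed TLS handshake.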

Configure StackState

Step 1. Configure applications

a. Enable TLS for the Web UI/API by configuring the section stackstate.api.tls in etc/application_stackstate.conf:


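stackstate {
   ...
   api {
     tls {
       enabled = true
       keystore {
          # PKCS12 keystore prepared in the prerequisites
          path = "/path/to/keystore.pfx"
          # placeholder value; set the keystore's own password
          password = "password"
          storeType = "PKCS12"
       }
     }
   }
   ...
}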

b. Enable TLS for the topology/telemetry receiver by configuring the section stackstate.receiver.tls in etc/stackstate-receiver/application.conf:

Step 2. Configure the process manager

a. Configure the health check URL (properties.receiver-healthcheckuri) in etc/processmanager/processmanager-properties.conf using the https protocol and the hostname:

b. (optional, if a self-signed certificate is used) Make the process manager trust the self-signed certificate by adding the following settings under the server.akka section in etc/processmanager/processmanager-properties.conf:

Step 3. Configure StackPacks configuration defaults

Configure the default receiver URL (stackstate.receiver.baseUrl) in etc/application_stackstate.conf using the https protocol and the hostname:

Step 4. Apply changes

Restart StackState to apply these changes:

Configure StackState Agent

Option 1. Agent running in Docker

a. (optional, for self-signed certificates) Prepare a self-signed certificate to be mounted into the container:

b. Update the Docker container parameters with:

  • configured URLs with https and the hostname in environment variables for receiver endpoints

    • STS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent

    • STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent

    • STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent

  • (for self-signed) mount the prepared certificates into /etc/ssl/certs of the container

Example:

Option 2. Agent running on machine

a. Update the receiver URLs using https and the hostname in /etc/stackstate-agent/stackstate.yaml:

b. If a self-signed certificate is used, import it into the default keystore of the operating system. Ubuntu:
