nginx-otel

Add the option of enabling TLS for sending traces

Open ldvc opened this issue 1 year ago • 9 comments

Is your feature request related to a problem? Please describe

We would like to enforce TLS for sending our traces. But we are not able to do it for nginx traces as nginx-otel does not have any config option to enable it.

Describe the solution you'd like

Being able to specify:

  • that we want to send our traces over TLS
  • toggle an insecure mode in order to disable certificate verification

Describe alternatives you've considered

None.

Additional context

None.

ldvc Oct 13 '23 15:10

We have this feature (and a few other features) in our roadmap:

otel_exporter {
    ssl on | off;   # "off" by default
    trusted_certificate "path/to/ca/bundle";
}

Trying to understand priorities for those. So, thank you for your interest in this module and for submitting a feature request.

vladimirkokshenev Nov 01 '23 23:11

I'm also interested in using HTTPS for the collector endpoint with the TLS option insecure_skip_verify; it's very important for our stack. How long do we need to wait for this feature?

mk-raven Jan 31 '24 15:01

We are going to implement TLS export, but I'm not sure about 'insecure_skip_verify'. If you need such an option, perhaps you don't really need TLS. As a workaround for now, you can try to use otelcol, which can accept HTTP and re-export via HTTPS.

p-pautov Feb 01 '24 06:02

If I understand the problem correctly, the way we've gotten around this is by doing the following:

  1. Create a new server block in nginx for the otel upstream
  2. Set up grpc_pass, grpc_ssl_certificate, and grpc_ssl_certificate_key in the block
  3. Point the otel_exporter block to localhost: for the server block created in step 1.
  4. We also set otel_trace off for this server block so we don't create spans for nginx sending a trace to the otel upstream.

Would that solve this use case?

sahilganguly Apr 02 '24 17:04
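The four steps above written out as an nginx configuration, as an added example that is not sahilganguly's or the project's own config. The collector hostname, the loopback port 4317 and all file paths are placeholders. It also sets grpc_ssl_verify on, which nginx leaves off by default, so the collector certificate is actually checked.

```nginx
# Added example. Hostname, port and paths are placeholders (assumptions).
load_module modules/ngx_otel_module.so;

events {}

http {
    # Step 3: the exporter sends plaintext gRPC to the loopback listener below.
    otel_exporter {
        endpoint 127.0.0.1:4317;
    }

    otel_trace on;

    # Step 1: local server block standing in front of the otel upstream.
    server {
        listen 127.0.0.1:4317;   # loopback only, never a routable address
        http2 on;                # gRPC needs HTTP/2 (older nginx: "listen ... http2;")

        # Step 4: no spans for the export traffic itself.
        otel_trace off;

        location / {
            # Step 2: re-export over TLS ("grpcs" scheme).
            grpc_pass grpcs://otel-collector.example.internal:4317;

            # Upstream certificate verification is off by default in nginx.
            grpc_ssl_verify on;
            # CA bundle; a private CA or a self-signed certificate can be
            # trusted here instead of skipping verification.
            grpc_ssl_trusted_certificate /etc/nginx/otel/ca.pem;
            grpc_ssl_verify_depth 2;

            # Send SNI and check the certificate against the expected name.
            grpc_ssl_server_name on;
            grpc_ssl_name otel-collector.example.internal;
            grpc_ssl_protocols TLSv1.2 TLSv1.3;

            # Client certificate, only needed if the collector requires mTLS.
            grpc_ssl_certificate     /etc/nginx/otel/client.crt;
            grpc_ssl_certificate_key /etc/nginx/otel/client.key;
        }
    }
}
```

Spans still cross the loopback interface unencrypted, so the listener must stay bound to 127.0.0.1.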

> I'm also interested in using HTTPS for the collector endpoint with the TLS option insecure_skip_verify; it's very important for our stack. How long do we need to wait for this feature?

I mean, we need to skip certificate verification, because we are using self-signed SSL and sometimes there are problems with adding these every time.

mk-raven Apr 05 '24 09:04

Any update on this issue?

mk-raven Jun 20 '24 12:06

Any update on this issue? We need to have this option too.

AlekseySVTN Sep 06 '24 08:09

@dplotnikov-f5

AlekseySVTN Sep 17 '24 11:09

@vladimirkokshenev

AlekseySVTN Sep 17 '24 11:09