Encrypt communication

Follow the steps in this guide to encrypt communication between NGINX Agent and Instance Manager with TLS.

To enable mTLS, you must have TLS enabled and supply a key, a cert, and a CA cert on both the client and the server. See the Secure Traffic with Certificates topic for instructions on how to generate the keys and certificates and set them as the corresponding values in the NGINX Agent configuration.

See the examples below for how to set these values using a configuration file, CLI flags, or environment variables.

You can edit the /etc/nginx-agent/nginx-agent.conf file to enable mTLS for NGINX Agent. Make the following changes:

```yaml
server:
  metrics: "cert-sni-name"
  command: "cert-sni-name"
tls:
  enable: true
  cert: "path-to-cert"
  key: "path-to-key"
  ca: "path-to-ca-cert"
  skip_verify: false
```

The cert-sni-name value should match the SubjectAltName of the server certificate. For more information, see Configuring HTTPS servers.

To enable mTLS for the NGINX Agent from the command line, run the following command:

```bash
nginx-agent --tls-cert "path-to-cert" --tls-key "path-to-key" --tls-ca "path-to-ca-cert" --tls-enable
```

To enable mTLS for NGINX Agent using environment variables, run the following commands:

```bash
# export the variables so the nginx-agent process inherits them
export NGINX_AGENT_TLS_CA="my-env-ca"
export NGINX_AGENT_TLS_KEY="my-env-key"
export NGINX_AGENT_TLS_CERT="my-env-cert"
export NGINX_AGENT_TLS_ENABLE=true
```


To enable server-side TLS, you must have TLS enabled. See the following examples for how to set this value using a configuration file, CLI flags, or environment variables.

You can edit the /etc/nginx-agent/nginx-agent.conf file to enable server-side TLS. Make the following changes:

```yaml
tls:
  enable: true
  skip_verify: false
```

To enable server-side TLS from the command line, run the following command:

```bash
nginx-agent --tls-enable
```

To enable server-side TLS using environment variables, run the following commands:

```bash
# export the variable so the nginx-agent process inherits it
export NGINX_AGENT_TLS_ENABLE=true
```


Warning
These steps are not recommended for production environments.

To enable server-side TLS with a self-signed certificate, you must have TLS enabled and set skip_verify to true, which disables hostname validation of the server certificate. Setting skip_verify can be done only by updating the configuration file. See the following example:

```yaml
tls:
  enable: true
  skip_verify: true
```

To enable insecure mode, set tls:enable to false. Setting this value to false can be done only by updating the configuration file or with environment variables. See the following examples:

You can edit the /etc/nginx-agent/nginx-agent.conf file to enable insecure mode. Make the following changes:

```yaml
tls:
  enable: false
```

To enable insecure mode using environment variables, run the following commands:

```bash
# export the variable so the nginx-agent process inherits it
export NGINX_AGENT_TLS_ENABLE=false
```
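The four configurations in this guide differ in only a few keys, so it is easy to ship an agent in insecure or skip_verify mode by mistake. The following added check is not part of NGINX Agent: it parses the tls and server sections of an nginx-agent.conf with a minimal parser for the two-level layout shown above (standard library only, not full YAML) and reports the weaker postures this guide describes. The hostnames and certificate paths in the sample configs are constructed placeholders.

```python
# Added example (not NGINX Agent code): lint nginx-agent.conf tls/server settings.
from typing import Dict, List


def parse_agent_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Tiny parser for the two-level 'section:/  key: value' layout in this guide, not full YAML."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; a quoted '#' is not supported
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if not raw.startswith(" "):  # an unindented line starts a new section
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key] = value
    return conf


def lint_tls(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings about the TLS posture; an empty list means the full mTLS layout from the guide."""
    tls = conf.get("tls", {})
    server = conf.get("server", {})
    findings: List[str] = []
    if tls.get("enable", "false").lower() != "true":
        findings.append("tls.enable is false: insecure mode, agent traffic to Instance Manager is plaintext")
        return findings  # nothing below applies without TLS
    if tls.get("skip_verify", "false").lower() == "true":
        findings.append("tls.skip_verify is true: server hostname validation disabled, not for production")
    missing = [k for k in ("cert", "key", "ca") if not tls.get(k)]
    if len(missing) == 3:
        findings.append("server-side TLS only: agent presents no client certificate (no mTLS)")
    elif missing:
        findings.append("mTLS incomplete: tls." + ", tls.".join(missing) + " not set")
    for endpoint in ("command", "metrics"):
        if not server.get(endpoint):
            findings.append(f"server.{endpoint} unset: no SNI name to match the server certificate's SubjectAltName")
    return findings


# Constructed sample configurations mirroring the guide's modes (hostnames and paths are placeholders).
MTLS_CONF = ('server:\n  metrics: "im.example.internal"\n  command: "im.example.internal"\n'
             'tls:\n  enable: true\n  cert: "/etc/ssl/agent.crt"\n  key: "/etc/ssl/agent.key"\n'
             '  ca: "/etc/ssl/ca.crt"\n  skip_verify: false\n')
SELF_SIGNED_CONF = "tls:\n  enable: true\n  skip_verify: true\n"
INSECURE_CONF = "tls:\n  enable: false\n"
```

Run `lint_tls(parse_agent_conf(open("/etc/nginx-agent/nginx-agent.conf").read()))` on a deployed host; anything returned beyond an empty list is a setting to review before the agent goes to production.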