Enable TLS encryption
To set up TLS over HTTPS, do the following:
InfluxData strongly recommends enabling HTTPS, especially if you plan on sending requests to InfluxDB over a network.
To enable HTTPS with InfluxDB, you need a Transport Layer Security (TLS) certificate, also known as a Secure Sockets Layer (SSL) certificate. InfluxDB supports three types of TLS certificates:
Single domain certificates signed by a Certificate Authority
Single domain certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server. These certificates are signed and issued by a trusted, third-party Certificate Authority (CA). With this certificate option, every InfluxDB instance requires a unique single domain certificate.
Wildcard certificates signed by a Certificate Authority
Wildcard certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server. Wildcard certificates can be used across multiple InfluxDB instances on different servers.
Self-signed certificates
Download or generate certificate files
If using a certificate provided by a CA, follow their instructions to download the certificate files.
If using a self-signed certificate, use the utility to create a certificate.
The following command generates a private key file (.key) and a self-signed certificate file (.crt) with required permissions and saves them to /etc/ssl/. (Other paths will also work.) Files remain valid for the specified NUMBER_OF_DAYS.
The command will prompt you for more information. You can choose to fill out these fields or leave them blank; both actions generate valid certificate files.
Set certificate file permissions
The user running InfluxDB must have read permissions on the TLS certificate.
You may opt to set up multiple users, groups, and permissions. Ultimately, make sure all users running InfluxDB have read permissions for the TLS certificate.
sudo chmod 600 /etc/ssl/<private-key-file>
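The permission requirement above, extended into a preflight check to run as the user that runs InfluxDB before starting influxd. This is an added example, not part of the InfluxDB documentation; the function names and the 30-day expiry threshold are assumptions, and it uses the standard openssl x509 and pkey subcommands.

```shell
#!/bin/sh
# Added example: preflight checks for the TLS files handed to influxd.
# Function names and the 30-day default are assumptions of this example.

# Private key: no permission bits for group or other (chmod 600 or stricter).
key_mode_ok() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Certificate and private key must carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    # -passin pass: makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -pubout -passin pass: -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Certificate must stay valid for at least $2 more days (default 30).
cert_valid_for() {
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null 2>&1
}

# Run every check and report all failures, not just the first one.
preflight() {
    rc=0
    [ -r "$1" ] || { echo "FAIL: $1 is not readable by $(id -un)"; rc=1; }
    key_mode_ok "$2" || { echo "FAIL: $2 is missing or open to group/other"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: certificate and key do not match"; rc=1; }
    cert_valid_for "$1" || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh /etc/ssl/<certificate-file> /etc/ssl/<private-key-file>
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit status means at least one check failed; each failure is printed on its own line.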
Run influxd with TLS flags
Start InfluxDB with TLS command line flags:
Verify TLS connection
Ensure you can connect over HTTPS by running
curl -v https://localhost:8086/api/v2/ping
If using a self-signed certificate, use the -k flag to skip certificate verification:
With this command, you should see output confirming a successful TLS handshake.
You can further configure TLS settings using and tls-strict-ciphers.
To connect to an InfluxDB 2.2 instance with TLS enabled, update the following influxdb_v2 output settings in your Telegraf configuration file:
- Update URLs to use HTTPS instead of HTTP.
- If using a self-signed certificate, uncomment and set to true.
###############################################################################
# OUTPUT PLUGINS #
###############################################################################
# Configuration for sending metrics to InfluxDB
## The URLs of the InfluxDB cluster nodes.
## Multiple URLs can be specified for a single cluster, only ONE of the
## urls will be written to each interval.
urls = ["https://127.0.0.1:8086"]
[...]
## Optional TLS Config for use on HTTP connections.
[...]