fluent · patrick-stephens · Jun 19, 2025 · Jun 19, 2025
@@ -98,12 +98,40 @@ TLS:
            -m '*'
 ```
 
+{% hint style="info" %}
+See Tips & Trick section below for details on generating `self_signed.crt` and `self_signed.key` files shown in these 
+examples.
+{% endhint %}
+
 In the previous command, the two properties `tls` and `tls.verify` are set
 for demonstration purposes. Always enable verification in production environments.
 
 The same behavior can be accomplished using a configuration file:
 
-```python
+{% tabs %}
+
+{% tab title="fluent-bit.yaml" %}
+
+```yaml
+pipeline:
+    inputs:
+      - name: http
+        port: 9999
+        tls: on
+        tls.verify: off
+        tls.cert_file: self_signed.crt
+        tls.key_file: self_signed.key
+
+    outputs:
+      - name: stdout
+        match: '*'
+```
+
+{% endtab %}
+
+{% tab title="fluent-bit.conf" %}
+
+```text
 [INPUT]
     name http
     port 9999
@@ -117,6 +145,9 @@ The same behavior can be accomplished using a configuration file:
     Match      *
 ```
 
+{% endtab %}
+{% endtabs %}
+
 ## Example: enable TLS on HTTP output
 
 By default, the HTTP output plugin uses plain TCP. Run the following command to enable
@@ -134,7 +165,31 @@ for demonstration purposes. Always enable verification in production environment
 
 The same behavior can be accomplished using a configuration file:
 
-```python
+{% tabs %}
+
+{% tab title="fluent-bit.yaml" %}
+
+```yaml
+pipeline:
+    inputs:
+      - name: cpu
+        tag: cpu
+
+    outputs:
+      - name: http
+        match: '*'
+        host: 192.168.2.3
+        port: 80
+        uri: /something
+        tls: on
+        tls.verify: off
+```
+
+{% endtab %}
+
+{% tab title="fluent-bit.conf" %}
+
+```text
 [INPUT]
     Name  cpu
     Tag   cpu
@@ -149,6 +204,9 @@ The same behavior can be accomplished using a configuration file:
     tls.verify Off
 ```
 
+{% endtab %}
+{% endtabs %}
+
 ## Tips and Tricks
 
 ### Generate a self signed certificates for testing purposes
@@ -175,7 +233,32 @@ Fluent Bit supports
 If you are serving multiple host names on a single IP address (for example, using
 virtual hosting), you can make use of `tls.vhost` to connect to a specific hostname.
 
-```python
+{% tabs %}
+
+{% tab title="fluent-bit.yaml" %}
+
+```yaml
+pipeline:
+    inputs:
+      - name: cpu
+        tag: cpu
+
+    outputs:
+      - name: forward
+        match: '*'
+        host: 192.168.10.100
+        port: 24224
+        tls: on
+        tls.verify: off
+        tls.ca_file: '/etc/certs/fluent.crt'
+        tls.vhost: 'fluent.example.com'
+```
+
+{% endtab %}
+
+{% tab title="fluent-bit.conf" %}
+
+```text
 [INPUT]
     Name  cpu
     Tag   cpu
@@ -191,6 +274,9 @@ virtual hosting), you can make use of `tls.vhost` to connect to a specific hostn
     tls.vhost   fluent.example.com
 ```
 
+{% endtab %}
+{% endtabs %}
+
 ### Verify `subjectAltName`
 
 By default, TLS verification of host names isn't done automatically.
@@ -207,6 +293,31 @@ hostname it should fail.
 To fully verify the alternative name and demonstrate the failure, enable
 `tls.verify_hostname`:
 
+{% tabs %}
+
+{% tab title="fluent-bit.yaml" %}
+
+```yaml
+pipeline:
+    inputs:
+      - name: cpu
+        tag: cpu
+
+    outputs:
+      - name: forward
+        match: '*'
+        host: other.fluent-aggregator.net
+        port: 24224
+        tls: on
+        tls.verify: on
+        tls.verify_hostname: on
+        tls.ca_file: '/path/to/fluent-x509v3-alt-name.crt'
+```
+
+{% endtab %}
+
+{% tab title="fluent-bit.conf" %}
+
 ```python
 [INPUT]
     Name  cpu
@@ -223,10 +334,13 @@ To fully verify the alternative name and demonstrate the failure, enable
     tls.ca_file         /path/to/fluent-x509v3-alt-name.crt
 ```
 
+{% endtab %}
+{% endtabs %}
+
 This outgoing connect will fail and disconnect:
 
 ```text
 [2024/06/17 16:51:31] [error] [tls] error: unexpected EOF with reason: certificate verify failed
 [2024/06/17 16:51:31] [debug] [upstream] connection #50 failed to other.fluent-aggregator.net:24224
 [2024/06/17 16:51:31] [error] [output:forward:forward.0] no upstream connections available
-```
+```