Local

The qtap-config.yaml file is used to configure Qtap, an eBPF probe that captures application traffic before encryption without requiring certificate management. This file defines global settings and specific endpoint capture rules.

Configuration File Structure

The qtap-config.yaml file consists of three main sections:

  1. Global Qtap Settings

  2. Protocol Specific Settings

  3. Endpoint-specific Capture Rules

Here's an example of the basic structure:

tap:
  direction: egress-external
  audit_logs: stdout
  ignore_loopback: false
  http:
    display: print-details
    stack: none
  endpoints:
    - domain: "api.github.com"
      http:
        stack: complete
    - domain: "www.cloudflare.com"
      http:
        display: none
        stack: none

Global Settings

These settings apply across the entire Qtap configuration.

tap:
  direction: egress-external
  audit_logs: stdout
  ignore_loopback: false

  • direction: Determines which traffic direction to capture. Options are:

    • all: Capture all traffic

    • ingress: Capture only incoming traffic

    • egress: Capture only outgoing traffic

    • egress-external: Capture only outgoing traffic to external networks

    • egress-internal: Capture only outgoing traffic within internal networks

  • audit_logs: Specifies where to publish audit logs. Options are:

    • stdout: Print to standard output

    • pulse: Send to a pulse service (if configured)

    • none: Disable audit logging

  • ignore_loopback: When set to true, ignores traffic on the loopback interface. When false, captures loopback traffic.

HTTP Data Stream Settings

These settings control how HTTP data streams are handled globally.

tap:
  http:
    display: print-details
    stack: none

  • display: Determines the level of detail for HTTP traffic display. Options are:

    • none: Do not display HTTP traffic

    • summary: Display a summary of HTTP traffic

    • details: Display detailed HTTP traffic information

    • full: Display full HTTP traffic information

    • print-summary: Print a summary of HTTP traffic

    • print-details: Print detailed HTTP traffic information

    • print-full: Print full HTTP traffic information

  • stack: Specifies the default middleware stack to use for HTTP traffic. Use none for no middleware.

Endpoint-specific Capture Rules

These rules control settings for individual domains, overriding the global settings.

tap:
  endpoints:
    - domain: "api.github.com"
      http:
        stack: complete
    - domain: "www.cloudflare.com"
      http:
        display: none
        stack: none

  • domain: The specific domain to which the rule applies

  • http: HTTP-specific settings for this domain

    • display: Overrides the global display setting for this domain

    • stack: Overrides the global stack setting for this domain

Complete Configuration Example

Here's a complete example of a qtap-config.yaml file:

tap:
  direction: egress-external
  audit_logs: stdout
  ignore_loopback: false
  http:
    display: print-details
    stack: none
  endpoints:
    - domain: "api.github.com"
      http:
        stack: complete
    - domain: "www.cloudflare.com"
      http:
        display: none
        stack: none

In this configuration:

  • Only outgoing traffic to external networks is captured

  • Audit logs are sent to stdout

  • Loopback traffic is not ignored

  • HTTP traffic details are printed by default

  • No middleware stack is used by default

  • Traffic to api.github.com uses the 'complete' middleware stack

  • Traffic to www.cloudflare.com is not displayed and uses no middleware stack

Remember to adjust your Qtap configuration based on your specific monitoring needs and network architecture.
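
One way to review a configuration before deploying it is to resolve the effective per-domain HTTP settings and flag values that reduce visibility. The following is an added example, not code from Qtap or its documentation. The function names are hypothetical, the config is passed as an already-parsed dict, and it assumes that a key an endpoint omits falls back to the global tap.http value.

```python
# Added example (not Qtap code): review a parsed qtap-config.yaml using only
# the option values documented on this page.
DIRECTIONS = {"all", "ingress", "egress", "egress-external", "egress-internal"}
AUDIT_LOGS = {"stdout", "pulse", "none"}
DISPLAYS = {"none", "summary", "details", "full",
            "print-summary", "print-details", "print-full"}

# Constructed sample: the page's complete example in the dict form a YAML
# parser such as PyYAML's yaml.safe_load would return.
SAMPLE = {"tap": {
    "direction": "egress-external",
    "audit_logs": "stdout",
    "ignore_loopback": False,
    "http": {"display": "print-details", "stack": "none"},
    "endpoints": [
        {"domain": "api.github.com", "http": {"stack": "complete"}},
        {"domain": "www.cloudflare.com",
         "http": {"display": "none", "stack": "none"}},
    ],
}}

def effective_http(config):
    """Per-domain http settings after endpoint overrides are applied.
    Assumption: a key an endpoint omits falls back to the global tap.http value."""
    tap = config.get("tap", {})
    base = tap.get("http", {})
    return {ep["domain"]: {**base, **ep.get("http", {})}
            for ep in tap.get("endpoints", [])}

def lint(config):
    """Return findings: undocumented option values and visibility gaps.
    Omitted keys are skipped because the page does not state defaults."""
    tap = config.get("tap", {})
    findings = []
    for key, allowed in (("direction", DIRECTIONS), ("audit_logs", AUDIT_LOGS)):
        if key in tap and tap[key] not in allowed:
            findings.append(f"{key}: undocumented value {tap[key]!r}")
    if tap.get("audit_logs") == "none":
        findings.append("audit_logs: audit logging is disabled")
    if not isinstance(tap.get("ignore_loopback", False), bool):
        findings.append("ignore_loopback: must be true or false")
    rules = {"(global)": tap.get("http", {}), **effective_http(config)}
    for name, http in rules.items():
        display = http.get("display")
        if display is not None and display not in DISPLAYS:
            findings.append(f"{name}: undocumented display {display!r}")
        elif display == "none":
            findings.append(f"{name}: HTTP traffic is not displayed")
    return findings
```

Run against the complete example above, `lint(SAMPLE)` reports only the www.cloudflare.com rule, whose `display: none` override hides that domain's traffic.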
