Local

The qtap-config.yaml file is used to configure Qtap, an eBPF probe that captures application traffic before encryption without requiring certificate management. This file defines global settings and specific endpoint capture rules.

Configuration File Structure

The qtap-config.yaml file consists of four main sections:

  1. Global Qtap Settings

  2. Protocol Specific Settings

  3. Endpoint-specific Capture Rules

  4. Stacks

Here's an example of the basic structure:

tap:
  direction: egress-external
  audit_logs: stdout
  audit_include_dns: false
  ignore_loopback: false
  http:
    stack: stdout
  endpoints:
    - domain: "api.github.com"
      http:
        stack: stdout
    - domain: "www.cloudflare.com"
      http:
        stack: none

stacks:
  stdout:
    middlewares:
      - wasm: builtin
        name: access_logs
        config: '{"mode":"full"}'

Global Settings

These settings apply across the entire Qtap configuration.

tap:
  direction: egress-external
  audit_logs: stdout
  audit_include_dns: false
  ignore_loopback: false

  • direction: Determines which traffic direction to capture. Options are:

    • all: Capture all traffic

    • ingress: Capture only incoming traffic

    • egress: Capture only outgoing traffic

    • egress-external: Capture only outgoing traffic to external networks

    • egress-internal: Capture only outgoing traffic within internal networks

  • audit_logs: Specifies where to publish audit logs. Options are:

    • stdout: Print to standard output

    • pulse: Send to a pulse service (if configured)

    • none: Disable audit logging

  • audit_include_dns: When set to true, includes DNS information in audit logs. When false, DNS information is excluded.

  • ignore_loopback: When set to true, ignores traffic on the loopback interface. When false, captures loopback traffic.

HTTP Data Stream Settings

These settings control how HTTP data streams are handled globally.

tap:
  http:
    stack: none

  • stack: Specifies the default middleware stack to use for HTTP traffic. Use none for no middleware.

Endpoint-specific Capture Rules

These rules control settings for individual domains, overriding the global and protocol-specific settings.

tap:
  endpoints:
    - domain: "api.github.com"
      http:
        stack: complete
    - domain: "www.cloudflare.com"
      http:
        stack: none

  • domain: The specific domain to which the rule applies

  • http: HTTP-specific settings for this domain

    • stack: Overrides the global stack setting for this domain

Stacks

Qtap supports the concept of "stacks," which are collections of middleware modules that can be applied to the captured traffic. Stacks allow you to customize the processing and analysis of the traffic data.

To define a stack, add a stacks section to your qtap-config.yaml file:

stacks:
  stdout:
    middlewares:
      - wasm: builtin
        name: access_logs
        config: '{"mode":"full"}'

In this example, we define a stack named stdout that includes the built-in access_logs middleware with the full mode configuration. This middleware will log all HTTP traffic to stdout.

You can define multiple stacks and selectively apply them to different protocols or endpoints by using the endpoints section of the configuration file.

Applying Stacks

Once you have defined a stack, you can apply it to the captured traffic by specifying it in the tap section of your qtap-config.yaml file:

tap:
  direction: egress-external
  audit_logs: stdout
  audit_include_dns: false
  ignore_loopback: false
  http:
    stack: stdout

In this example, we set the http.stack option to stdout, which tells Qtap to apply the stdout stack to all HTTP traffic.
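
A pre-deployment check for the override behaviour described above, as an added example that is not part of Qtap or its documentation: it works on an already-parsed qtap-config.yaml (for instance the result of PyYAML's yaml.safe_load), flags stack names that are referenced but never defined under stacks, and resolves which stack a domain's HTTP traffic ends up with. The names lint, effective_stack and SAMPLE are hypothetical, and the exact-match domain lookup and the fallback to none when no global stack is set are assumptions.

```python
# Allowed values are the options listed on this page.
DIRECTIONS = {"all", "ingress", "egress", "egress-external", "egress-internal"}
AUDIT_LOGS = {"stdout", "pulse", "none"}

def effective_stack(config, domain):
    """Stack used for HTTP traffic to `domain`: endpoint rule first, then tap.http.stack."""
    tap = config.get("tap", {})
    for rule in tap.get("endpoints", []):
        # Assumption: domains are compared by exact string match.
        if rule.get("domain") == domain and "stack" in rule.get("http", {}):
            return rule["http"]["stack"]
    # Assumption: with no global default configured, no middleware is applied.
    return tap.get("http", {}).get("stack", "none")

def lint(config):
    """Return a list of problems found in a parsed qtap-config.yaml."""
    tap = config.get("tap", {})
    defined = set(config.get("stacks", {}))
    problems = []
    if "direction" in tap and tap["direction"] not in DIRECTIONS:
        problems.append(f"tap.direction: unknown value {tap['direction']!r}")
    if "audit_logs" in tap and tap["audit_logs"] not in AUDIT_LOGS:
        problems.append(f"tap.audit_logs: unknown value {tap['audit_logs']!r}")
    # Collect every place a stack is referenced, then check it is defined.
    refs = [("tap.http.stack", tap.get("http", {}).get("stack"))]
    for rule in tap.get("endpoints", []):
        refs.append((f"endpoint {rule.get('domain')}", rule.get("http", {}).get("stack")))
    for where, name in refs:
        if name is not None and name != "none" and name not in defined:
            problems.append(f"{where}: stack {name!r} is not defined under stacks")
    return problems

# Constructed sample: the page's endpoint rules combined with its stacks section.
SAMPLE = {
    "tap": {
        "direction": "egress-external",
        "audit_logs": "stdout",
        "http": {"stack": "stdout"},
        "endpoints": [
            {"domain": "api.github.com", "http": {"stack": "complete"}},
            {"domain": "www.cloudflare.com", "http": {"stack": "none"}},
        ],
    },
    "stacks": {"stdout": {"middlewares": [
        {"wasm": "builtin", "name": "access_logs", "config": '{"mode":"full"}'}]}},
}

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print("WARN", problem)
    for d in ("api.github.com", "www.cloudflare.com", "example.org"):
        print(d, "->", effective_stack(SAMPLE, d))
```

Running the check before rollout shows which domains are logged by a full-mode access_logs stack and which are excluded with none.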
