0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
182 lines
5.3 KiB
Markdown
182 lines
5.3 KiB
Markdown
# provider-http/tls (HTTP Provider with TLS Certificates)
|
|
|
|
You can run this example with:
|
|
|
|
```bash
|
|
npx promptfoo@latest init --example provider-http/tls
|
|
cd provider-http/tls
|
|
```
|
|
|
|
This example demonstrates how to configure the HTTP provider with TLS/SSL certificates for mutual TLS (mTLS) authentication.
|
|
|
|
## Overview
|
|
|
|
The HTTP provider supports multiple certificate formats for mutual TLS authentication:
|
|
|
|
1. **PEM (Separate cert/key files)**: Traditional format with separate certificate and key files
|
|
2. **PEM with Encrypted Key**: PEM format where the private key is password-protected
|
|
3. **PFX/PKCS#12**: Combined certificate bundle format
|
|
|
|
Each format can be provided via:
|
|
|
|
- **File Path**: Reference files on disk
|
|
- **Inline Content**: Embed certificate content directly (base64 for binary formats)
|
|
- **Environment Variables**: Load from environment variables
|
|
|
|
## PEM Certificate Options
|
|
|
|
### Using Unencrypted PEM Files
|
|
|
|
The simplest approach - separate certificate and key files:
|
|
|
|
```yaml
|
|
tls:
|
|
certPath: '/path/to/client-cert.pem'
|
|
keyPath: '/path/to/client-key.pem'
|
|
```
|
|
|
|
### Using Encrypted PEM Private Key
|
|
|
|
When your private key is password-protected (starts with `BEGIN ENCRYPTED PRIVATE KEY`):
|
|
|
|
```yaml
|
|
tls:
|
|
certPath: '/path/to/client-cert.pem'
|
|
keyPath: '/path/to/client-key-encrypted.pem'
|
|
passphrase: 'your-key-password'
|
|
```
|
|
|
|
### Using Inline PEM Content
|
|
|
|
Embed certificates directly in your configuration:
|
|
|
|
```yaml
|
|
tls:
|
|
cert: |
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIDxTCCAq2gAwIBAgIJAL...
|
|
-----END CERTIFICATE-----
|
|
key: |
|
|
-----BEGIN PRIVATE KEY-----
|
|
MIIEvQIBADANBgkqhkiG9w0B...
|
|
-----END PRIVATE KEY-----
|
|
```
|
|
|
|
## PFX Certificate Options
|
|
|
|
### Using File Path
|
|
|
|
Reference a PFX file on the filesystem:
|
|
|
|
```yaml
|
|
tls:
|
|
pfxPath: '/path/to/certificate.pfx'
|
|
passphrase: 'your-passphrase'
|
|
```
|
|
|
|
### Using Inline Base64 Content
|
|
|
|
Embed the certificate directly in your configuration:
|
|
|
|
```yaml
|
|
tls:
|
|
pfx: 'MIIJKQIBAzCCCO8GCSqGSIb3DQEHA...' # Base64-encoded PFX
|
|
passphrase: 'your-passphrase'
|
|
```
|
|
|
|
### Using Environment Variables
|
|
|
|
Store sensitive certificates in environment variables:
|
|
|
|
```yaml
|
|
tls:
|
|
pfx: '{{env.PFX_CERTIFICATE_BASE64}}'
|
|
passphrase: '{{env.PFX_PASSPHRASE}}'
|
|
```
|
|
|
|
## Converting PFX to Base64
|
|
|
|
To use inline PFX certificates, you need to convert your PFX file to base64:
|
|
|
|
### Linux/Mac
|
|
|
|
```bash
|
|
base64 -i certificate.pfx -o certificate.b64
|
|
```
|
|
|
|
### Windows
|
|
|
|
```cmd
|
|
certutil -encode certificate.pfx certificate.b64
|
|
```
|
|
|
|
Then copy the content (excluding the BEGIN/END headers) to use as the `pfx` value.
|
|
|
|
## Security Considerations
|
|
|
|
1. **Never commit certificates to version control**: Use environment variables or external secret management
|
|
2. **Protect your private keys**: Ensure PFX files have appropriate file permissions
|
|
3. **Use strong passphrases**: Always protect PFX files with strong passphrases
|
|
4. **Certificate validation**: Keep `rejectUnauthorized: true` in production
|
|
|
|
## Running the Example
|
|
|
|
1. Replace the sample certificate values with your actual certificates
|
|
2. Set the required environment variables:
|
|
```bash
|
|
export PFX_PASSPHRASE="your-passphrase"
|
|
export PFX_CERTIFICATE_BASE64="your-base64-cert"
|
|
```
|
|
3. Run the evaluation:
|
|
```bash
|
|
promptfoo eval
|
|
```
|
|
|
|
## TLS Configuration Options
|
|
|
|
| Option | Description |
|
|
| -------------------- | --------------------------------------------------------- |
|
|
| `cert` | Inline PEM certificate content |
|
|
| `certPath` | Path to PEM certificate file |
|
|
| `key` | Inline PEM private key content |
|
|
| `keyPath` | Path to PEM private key file |
|
|
| `pfx` | Inline PFX certificate (base64-encoded string or Buffer) |
|
|
| `pfxPath` | Path to PFX file on disk |
|
|
| `passphrase` | Password for encrypted PEM private key or PFX certificate |
|
|
| `ca` | CA certificate content for server verification |
|
|
| `caPath` | Path to CA certificate file |
|
|
| `rejectUnauthorized` | Verify server certificates (always `true` in production) |
|
|
| `minVersion` | Minimum TLS version (e.g., 'TLSv1.2') |
|
|
| `maxVersion` | Maximum TLS version (e.g., 'TLSv1.3') |
|
|
| `ciphers` | Cipher suite specification |
|
|
|
|
## Troubleshooting
|
|
|
|
### Invalid PFX Format
|
|
|
|
If you get an error about invalid PFX format:
|
|
|
|
- Ensure the base64 encoding is correct
|
|
- Verify the passphrase is correct
|
|
- Check that the PFX file is not corrupted
|
|
|
|
### Connection Refused
|
|
|
|
If the connection is refused:
|
|
|
|
- Verify the server requires client certificates
|
|
- Ensure the certificate is valid and not expired
|
|
- Check that the certificate is trusted by the server
|
|
|
|
### Certificate Verification Failed
|
|
|
|
If certificate verification fails:
|
|
|
|
- Add the server's CA certificate using `ca` or `caPath`
|
|
- For development only: set `rejectUnauthorized: false` (never in production)
|
|
|
|
## Related Documentation
|
|
|
|
- [HTTP Provider Documentation](https://promptfoo.com/docs/providers/http)
|
|
- [TLS/HTTPS Configuration](https://promptfoo.com/docs/providers/http#tlshttps-configuration)
|