Files
promptfoo--promptfoo/examples/provider-http/tls/README.md
T
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

182 lines
5.3 KiB
Markdown

# provider-http/tls (HTTP Provider with TLS Certificates)
You can run this example with:
```bash
npx promptfoo@latest init --example provider-http/tls
cd provider-http/tls
```
This example demonstrates how to configure the HTTP provider with TLS/SSL certificates for mutual TLS (mTLS) authentication.
## Overview
The HTTP provider supports multiple certificate formats for mutual TLS authentication:
1. **PEM (Separate cert/key files)**: Traditional format with separate certificate and key files
2. **PEM with Encrypted Key**: PEM format where the private key is password-protected
3. **PFX/PKCS#12**: Combined certificate bundle format
Each format can be provided via:
- **File Path**: Reference files on disk
- **Inline Content**: Embed certificate content directly (base64 for binary formats)
- **Environment Variables**: Load from environment variables
## PEM Certificate Options
### Using Unencrypted PEM Files
The simplest approach - separate certificate and key files:
```yaml
tls:
certPath: '/path/to/client-cert.pem'
keyPath: '/path/to/client-key.pem'
```
### Using Encrypted PEM Private Key
When your private key is password-protected (starts with `BEGIN ENCRYPTED PRIVATE KEY`):
```yaml
tls:
certPath: '/path/to/client-cert.pem'
keyPath: '/path/to/client-key-encrypted.pem'
passphrase: 'your-key-password'
```
### Using Inline PEM Content
Embed certificates directly in your configuration:
```yaml
tls:
cert: |
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIJAL...
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0B...
-----END PRIVATE KEY-----
```
## PFX Certificate Options
### Using File Path
Reference a PFX file on the filesystem:
```yaml
tls:
pfxPath: '/path/to/certificate.pfx'
passphrase: 'your-passphrase'
```
### Using Inline Base64 Content
Embed the certificate directly in your configuration:
```yaml
tls:
pfx: 'MIIJKQIBAzCCCO8GCSqGSIb3DQEHA...' # Base64-encoded PFX
passphrase: 'your-passphrase'
```
### Using Environment Variables
Store sensitive certificates in environment variables:
```yaml
tls:
pfx: '{{env.PFX_CERTIFICATE_BASE64}}'
passphrase: '{{env.PFX_PASSPHRASE}}'
```
## Converting PFX to Base64
To use inline PFX certificates, you need to convert your PFX file to base64:
### Linux/Mac
```bash
base64 -i certificate.pfx -o certificate.b64
```
### Windows
```cmd
certutil -encode certificate.pfx certificate.b64
```
Then copy the content (excluding the BEGIN/END headers) to use as the `pfx` value.
## Security Considerations
1. **Never commit certificates to version control**: Use environment variables or external secret management
2. **Protect your private keys**: Ensure PFX files have appropriate file permissions
3. **Use strong passphrases**: Always protect PFX files with strong passphrases
4. **Certificate validation**: Keep `rejectUnauthorized: true` in production
## Running the Example
1. Replace the sample certificate values with your actual certificates
2. Set the required environment variables:
```bash
export PFX_PASSPHRASE="your-passphrase"
export PFX_CERTIFICATE_BASE64="your-base64-cert"
```
3. Run the evaluation:
```bash
promptfoo eval
```
## TLS Configuration Options
| Option | Description |
| -------------------- | --------------------------------------------------------- |
| `cert` | Inline PEM certificate content |
| `certPath` | Path to PEM certificate file |
| `key` | Inline PEM private key content |
| `keyPath` | Path to PEM private key file |
| `pfx` | Inline PFX certificate (base64-encoded string or Buffer) |
| `pfxPath` | Path to PFX file on disk |
| `passphrase` | Password for encrypted PEM private key or PFX certificate |
| `ca` | CA certificate content for server verification |
| `caPath` | Path to CA certificate file |
| `rejectUnauthorized` | Verify server certificates (always `true` in production) |
| `minVersion` | Minimum TLS version (e.g., 'TLSv1.2') |
| `maxVersion` | Maximum TLS version (e.g., 'TLSv1.3') |
| `ciphers` | Cipher suite specification |
## Troubleshooting
### Invalid PFX Format
If you get an error about invalid PFX format:
- Ensure the base64 encoding is correct
- Verify the passphrase is correct
- Check that the PFX file is not corrupted
### Connection Refused
If the connection is refused:
- Verify the server requires client certificates
- Ensure the certificate is valid and not expired
- Check that the certificate is trusted by the server
### Certificate Verification Failed
If certificate verification fails:
- Add the server's CA certificate using `ca` or `caPath`
- For development only: set `rejectUnauthorized: false` (never in production)
## Related Documentation
- [HTTP Provider Documentation](https://promptfoo.com/docs/providers/http)
- [TLS/HTTPS Configuration](https://promptfoo.com/docs/providers/http#tlshttps-configuration)