Listens for incoming TCP connections and reads bytes from each connection.
from_tcp endpoint:string, [tls=record] { … }Description
Section titled “Description”The from_tcp operator binds to the given endpoint, accepts incoming TCP
connections, and reads bytes from each connection. Each connection spawns a
sub-pipeline that processes the incoming byte stream independently.
The sub-pipeline has access to a $peer variable containing the remote address
information of the connected client.
endpoint: string
Section titled “endpoint: string”The endpoint at which the server will listen. Must be of the form
[tcp://]<hostname>:<port>. Use the hostname 0.0.0.0 to accept connections on
all interfaces.
tls = record (optional)
Section titled “tls = record (optional)”TLS configuration. Provide an empty record (tls={}) to enable TLS with
defaults or set fields to customize it.
{ skip_peer_verification: bool, // skip certificate verification. cacert: string, // CA bundle to verify peers. certfile: string, // client certificate to present. keyfile: string, // private key for the client certificate. min_version: string, // minimum TLS version (`"1.0"`, `"1.1"`, `"1.2"`, "1.3"`). ciphers: string, // OpenSSL cipher list string. client_ca: string, // CA to validate client certificates. require_client_cert, // require clients to present a certificate.}The client_ca and require_client_cert options are only applied
for operators that accept incoming client connections, and otherwise
ignored.
Any value not specified in the record will either be picked up from the configuration or if not configured will not be used by the operator.
See the Node TLS Setup guide for more details.
The pipeline to run for each individual TCP connection. Inside the pipeline, the
$peer variable is available as a record with the following fields:
| Field | Type | Description |
|---|---|---|
ip | ip | The IP address of the connected peer |
port | int64 | The port number of the connected peer |
Examples
Section titled “Examples”Listen for incoming JSON over TCP
Section titled “Listen for incoming JSON over TCP”Listen on all network interfaces, parsing each individual connection as JSON:
from_tcp "0.0.0.0:8090" { read_json}Log the peer address of each connection
Section titled “Log the peer address of each connection”from_tcp "0.0.0.0:8090" { read_json this.client_ip = $peer.ip}Listen with TLS enabled
Section titled “Listen with TLS enabled”Accept TLS-encrypted connections on localhost:
from_tcp "127.0.0.1:4000", tls={certfile: "key_and_cert.pem", keyfile: "key_and_cert.pem"} { read_json}This example may use a self-signed certificate that can be generated like this:
openssl req -x509 -newkey rsa:2048 -keyout key_and_cert.pem -out key_and_cert.pem -days 365 -nodesYou can test the endpoint locally by issuing a TLS connection:
openssl s_client 127.0.0.1:4000Listen with mutual TLS (mTLS) authentication
Section titled “Listen with mutual TLS (mTLS) authentication”Require clients to present valid certificates signed by a trusted CA:
from_tcp "0.0.0.0:4000", tls={certfile: "server.pem", keyfile: "server-key.pem", client_ca: "ca.pem", require_client_cert: true} { read_json}