Spark
Sign In
Prompt Chain

Securely Access APIs with TLS Configuration

A TLS-enabled HTTP provider example for promptfoo that demonstrates secure HTTPS endpoint testing with transport layer security configuration.

Copy chain
Works with github
Promptfoo
Maintainer?
91
Spark score
out of 100
Updated 3 months ago
Version 1.0.0
Models
gpt 4o
Add to Favorites

Why it matters

This asset helps you configure and manage TLS settings for secure API access. It ensures that your connections to external services are properly authenticated and encrypted, preventing unauthorized access and data breaches.

Outcomes

What it gets done

01

Configure TLS settings for HTTP requests.

02

Manage secrets for secure API authentication.

03

Audit and verify access controls for sensitive data.

04

Automate secure API connection setup.

Install

Add it to your toolbox

Run in your project directory:

curl -fsSL https://spark.entire.vc/get/pfoo-tls | bash

Capabilities

What this chain does

Audit access

Reviews permissions and logs to flag unauthorized activity.

Manage secrets

Stores, rotates, and injects API keys and credentials.

Overview

Tls

What it does

This is a working example from the promptfoo repository that demonstrates how to configure the HTTP provider with TLS (Transport Layer Security) support. It shows the setup needed to test prompts against HTTPS endpoints with proper certificate handling and secure connections.

How it connects

Use this example when you need to test prompts against secure HTTPS APIs in production environments, or when you're setting up promptfoo to work with endpoints that require TLS encryption and proper certificate validation.

Source README

provider-http/tls (HTTP Provider with TLS Certificates)

You can run this example with:

npx promptfoo@latest init --example provider-http/tls
cd provider-http/tls

This example demonstrates how to configure the HTTP provider with TLS/SSL certificates for mutual TLS (mTLS) authentication.

Overview

The HTTP provider supports multiple certificate formats for mutual TLS authentication:

  1. PEM (Separate cert/key files): Traditional format with separate certificate and key files
  2. PEM with Encrypted Key: PEM format where the private key is password-protected
  3. PFX/PKCS#12: Combined certificate bundle format

Each format can be provided via:

  • File Path: Reference files on disk
  • Inline Content: Embed certificate content directly (base64 for binary formats)
  • Environment Variables: Load from environment variables

PEM Certificate Options

Using Unencrypted PEM Files

The simplest approach - separate certificate and key files:

tls:
  certPath: '/path/to/client-cert.pem'
  keyPath: '/path/to/client-key.pem'

Using Encrypted PEM Private Key

When your private key is password-protected (starts with BEGIN ENCRYPTED PRIVATE KEY):

tls:
  certPath: '/path/to/client-cert.pem'
  keyPath: '/path/to/client-key-encrypted.pem'
  passphrase: 'your-key-password'

Using Inline PEM Content

Embed certificates directly in your configuration:

tls:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIDxTCCAq2gAwIBAgIJAL...
    -----END CERTIFICATE-----
  key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0B...
    -----END PRIVATE KEY-----

PFX Certificate Options

Using File Path

Reference a PFX file on the filesystem:

tls:
  pfxPath: '/path/to/certificate.pfx'
  passphrase: 'your-passphrase'

Using Inline Base64 Content

Embed the certificate directly in your configuration:

tls:
  pfx: 'MIIJKQIBAzCCCO8GCSqGSIb3DQEHA...' # Base64-encoded PFX
  passphrase: 'your-passphrase'

Using Environment Variables

Store sensitive certificates in environment variables:

tls:
  pfx: '{{env.PFX_CERTIFICATE_BASE64}}'
  passphrase: '{{env.PFX_PASSPHRASE}}'

Converting PFX to Base64

To use inline PFX certificates, you need to convert your PFX file to base64:

Linux/Mac

base64 -i certificate.pfx -o certificate.b64

Windows

certutil -encode certificate.pfx certificate.b64

Then copy the content (excluding the BEGIN/END headers) to use as the pfx value.

Security Considerations

  1. Never commit certificates to version control: Use environment variables or external secret management
  2. Protect your private keys: Ensure PFX files have appropriate file permissions
  3. Use strong passphrases: Always protect PFX files with strong passphrases
  4. Certificate validation: Keep rejectUnauthorized: true in production

Running the Example

  1. Replace the sample certificate values with your actual certificates
  2. Set the required environment variables:
    export PFX_PASSPHRASE="your-passphrase"
export PFX_CERTIFICATE_BASE64="your-base64-cert"
  3. Run the evaluation:
    promptfoo eval

TLS Configuration Options

Option Description
cert Inline PEM certificate content
certPath Path to PEM certificate file
key Inline PEM private key content
keyPath Path to PEM private key file
pfx Inline PFX certificate (base64-encoded string or Buffer)
pfxPath Path to PFX file on disk
passphrase Password for encrypted PEM private key or PFX certificate
ca CA certificate content for server verification
caPath Path to CA certificate file
rejectUnauthorized Verify server certificates (always true in production)
minVersion Minimum TLS version (e.g., 'TLSv1.2')
maxVersion Maximum TLS version (e.g., 'TLSv1.3')
ciphers Cipher suite specification

Troubleshooting

Invalid PFX Format

If you get an error about invalid PFX format:

  • Ensure the base64 encoding is correct
  • Verify the passphrase is correct
  • Check that the PFX file is not corrupted

Connection Refused

If the connection is refused:

  • Verify the server requires client certificates
  • Ensure the certificate is valid and not expired
  • Check that the certificate is trusted by the server

Certificate Verification Failed

If certificate verification fails:

  • Add the server's CA certificate using ca or caPath
  • For development only: set rejectUnauthorized: false (never in production)

Related Documentation

Discussion

Questions & comments · 0

Sign In Sign in to leave a comment.