mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2025-01-07 08:32:18 +01:00
docs: update security chapters after bd716d1b0c
This commit is contained in:
parent
1259a931c8
commit
1df4f63bc8
22
README.md
@ -33,7 +33,9 @@ Each service may scale independently and may run on the most suitable hardware.
This is a [shared nothing architecture](https://en.wikipedia.org/wiki/Shared-nothing_architecture).
This is a [shared nothing architecture](https://en.wikipedia.org/wiki/Shared-nothing_architecture).
It increases cluster availability, and simplifies cluster maintenance as well as cluster scaling.
It increases cluster availability, and simplifies cluster maintenance as well as cluster scaling.
![Naive cluster scheme](assets/images/Naive_cluster_scheme.png)
<p align="center">
<img src="docs/Cluster-VictoriaMetrics_cluster-scheme.png" width="800">
</p>
## Multitenancy
## Multitenancy
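Review bot: the `<img>` tag that replaces `![Naive cluster scheme](assets/images/Naive_cluster_scheme.png)` carries no `alt` attribute, so the alt text the markdown image had is lost for screen readers and for renderers that strip raw HTML. Suggest `<img src="docs/Cluster-VictoriaMetrics_cluster-scheme.png" width="800" alt="VictoriaMetrics cluster scheme">`. Also worth confirming that the new `docs/...` path resolves from the repository-root README.md, since the old image lived under `assets/images/`.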
@ -233,9 +235,25 @@ for sending data from `vminsert` to `vmstorage` node according to `-vminsertAddr
The currently discovered `vmstorage` nodes can be [monitored](#monitoring) with `vm_rpc_vmstorage_is_reachable` and `vm_rpc_vmstorage_is_read_only` metrics.
The currently discovered `vmstorage` nodes can be [monitored](#monitoring) with `vm_rpc_vmstorage_is_reachable` and `vm_rpc_vmstorage_is_read_only` metrics.
## Security
General security recommendations:
- All the VictoriaMetrics cluster components must run in protected private network without direct access from untrusted networks such as Internet.
- External clients must access `vminsert` and `vmselect` via auth proxy such as [vmauth](https://docs.victoriametrics.com/vmauth.html)
or [vmgateway](https://docs.victoriametrics.com/vmgateway.html).
- The auth proxy must accept auth tokens from untrusted networks only via https in order to protect the auth tokens from eavesdropping.
- It is recommended using distinct auth tokens for distinct [tenants](#multitenancy) in order to reduce potential damage in case of compromised auth token for some tenants.
- Prefer using lists of allowed [API endpoints](#url-format), while disallowing access to other endpoints when configuring auth proxy in front of `vminsert` and `vmselect`.
This minimizes attack surface.
See also [security recommendation for single-node VictoriaMetrics](https://docs.victoriametrics.com/#security)
and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/).
## mTLS protection
## mTLS protection
By default `vminsert` and `vmselect` nodes use unencrypted connections to `vmstorage` nodes, since it is assumed that all the cluster components run in a protected environment. [Enterprise version of VictoriaMetrics](https://docs.victoriametrics.com/enterprise.html) provides optional support for [mTLS connections](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) between cluster components. Pass `-cluster.tls=true` command-line flag to `vminsert`, `vmselect` and `vmstorage` nodes in order to enable mTLS protection. Additionally, `vminsert`, `vmselect` and `vmstorage` must be configured with mTLS certificates via `-cluster.tlsCertFile`, `-cluster.tlsKeyFile` command-line options. These certificates are mutually verified when `vminsert` and `vmselect` dial `vmstorage`.
By default `vminsert` and `vmselect` nodes use unencrypted connections to `vmstorage` nodes, since it is assumed that all the cluster components [run in a protected environment](#security). [Enterprise version of VictoriaMetrics](https://docs.victoriametrics.com/enterprise.html) provides optional support for [mTLS connections](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) between cluster components. Pass `-cluster.tls=true` command-line flag to `vminsert`, `vmselect` and `vmstorage` nodes in order to enable mTLS protection. Additionally, `vminsert`, `vmselect` and `vmstorage` must be configured with mTLS certificates via `-cluster.tlsCertFile`, `-cluster.tlsKeyFile` command-line options. These certificates are mutually verified when `vminsert` and `vmselect` dial `vmstorage`.
The following optional command-line flags related to mTLS are supported:
The following optional command-line flags related to mTLS are supported:
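Review bot: the first new bullet says all cluster components must have no direct access from untrusted networks, while the second requires external clients to reach `vminsert` and `vmselect` through vmauth or vmgateway, so the auth proxy itself necessarily faces the untrusted network; state that exception explicitly (for example "The only components that may be exposed are the auth proxies, vmauth or vmgateway"), as the wording being removed from docs/Cluster-VictoriaMetrics.md in this same commit did. Two grammar nits in the same list: "in protected private network" should read "in a protected private network", and "It is recommended using distinct auth tokens" should read "It is recommended to use distinct auth tokens". The `(#url-format)` anchor assumes a "URL format" heading exists in this README.md; please verify it is present here and not only in docs/Cluster-VictoriaMetrics.md.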
@ -37,7 +37,9 @@ Each service may scale independently and may run on the most suitable hardware.
This is a [shared nothing architecture](https://en.wikipedia.org/wiki/Shared-nothing_architecture).
This is a [shared nothing architecture](https://en.wikipedia.org/wiki/Shared-nothing_architecture).
It increases cluster availability, and simplifies cluster maintenance as well as cluster scaling.
It increases cluster availability, and simplifies cluster maintenance as well as cluster scaling.
![Naive cluster scheme](Cluster-VictoriaMetrics_cluster-scheme.png)
<p align="center">
<img src="Cluster-VictoriaMetrics_cluster-scheme.png" width="800">
</p>
## Multitenancy
## Multitenancy
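Review bot: same missing `alt` as in the README.md copy of this change: the old `![Naive cluster scheme](Cluster-VictoriaMetrics_cluster-scheme.png)` had alt text and the new `<img src="Cluster-VictoriaMetrics_cluster-scheme.png" width="800">` has none. Add `alt="VictoriaMetrics cluster scheme"` here as well so the two copies stay identical apart from the image path.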
@ -241,29 +243,21 @@ The currently discovered `vmstorage` nodes can be [monitored](#monitoring) with
General security recommendations:
General security recommendations:
- All the VictoriaMetrics components must run in protected private networks without direct access from untrusted networks such as Internet. The exception is [vmauth](https://docs.victoriametrics.com/vmauth.html) and [vmgateway](https://docs.victoriametrics.com/vmgateway.html).
- All the VictoriaMetrics cluster components must run in protected private network without direct access from untrusted networks such as Internet.
- All the requests from untrusted networks to VictoriaMetrics components must go through auth proxy such as vmauth or vmgateway. The proxy must be set up with proper authentication and authorization.
- External clients must access `vminsert` and `vmselect` via auth proxy such as [vmauth](https://docs.victoriametrics.com/vmauth.html)
- Prefer using lists of allowed API endpoints, while disallowing access to other endpoints when configuring auth proxy in front of VictoriaMetrics components.
or [vmgateway](https://docs.victoriametrics.com/vmgateway.html).
- The auth proxy must accept auth tokens from untrusted networks only via https in order to protect the auth tokens from eavesdropping.
- It is recommended using distinct auth tokens for distinct [tenants](#multitenancy) in order to reduce potential damage in case of compromised auth token for some tenants.
- Prefer using lists of allowed [API endpoints](#url-format), while disallowing access to other endpoints when configuring auth proxy in front of `vminsert` and `vmselect`.
This minimizes attack surface.
VictoriaMetrics Cluster provides the following security-related command-line flags:
See also [security recommendation for single-node VictoriaMetrics](https://docs.victoriametrics.com/#security)
and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/).
* `-tls`, `-tlsCertFile` and `-tlsKeyFile` for switching from HTTP to HTTPS.
* `-httpAuth.username` and `-httpAuth.password` for protecting all the HTTP endpoints
with [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
* `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](https://docs.victoriametrics.com/#how-to-work-with-snapshots) and [backups](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#backups).
* `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](https://docs.victoriametrics.com/#forced-merge).
* `-search.resetCacheAuthKey` for protecting `/internal/resetRollupResultCache` endpoint. See [backfilling](https://docs.victoriametrics.com/#backfilling) for more details.
* `-flagsAuthKey` for protecting `/flags` endpoint.
* `-pprofAuthKey` for protecting `/debug/pprof/*` endpoints, which can be used for [profiling](https://docs.victoriametrics.com/#profiling).
* `-denyQueryTracing` for disallowing [query tracing](https://docs.victoriametrics.com/#query-tracing).
VictoriaMetrics Cluster supports [multiple isolated tenants](#multitenancy) (aka namespaces) and do not provide flag `-deleteAuthKey` to secure time series from deletion via API. It is strongly recommend to use [vmauth](https://docs.victoriametrics.com/vmauth.html) or [vmgateway](https://docs.victoriametrics.com/vmgateway.html) to protect `/delete/<accountID>/prometheus/api/v1/admin/tsdb/delete_series`.
VictoriaMetrics has achieved security certifications for Database Software Development and Software-Based Monitoring Services. We apply strict security measures in everything we do. See our [Security page](https://victoriametrics.com/security/) for more details.
## mTLS protection
## mTLS protection
By default `vminsert` and `vmselect` nodes use unencrypted connections to `vmstorage` nodes, since it is assumed that all the cluster components run in a protected environment. [Enterprise version of VictoriaMetrics](https://docs.victoriametrics.com/enterprise.html) provides optional support for [mTLS connections](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) between cluster components. Pass `-cluster.tls=true` command-line flag to `vminsert`, `vmselect` and `vmstorage` nodes in order to enable mTLS protection. Additionally, `vminsert`, `vmselect` and `vmstorage` must be configured with mTLS certificates via `-cluster.tlsCertFile`, `-cluster.tlsKeyFile` command-line options. These certificates are mutually verified when `vminsert` and `vmselect` dial `vmstorage`.
By default `vminsert` and `vmselect` nodes use unencrypted connections to `vmstorage` nodes, since it is assumed that all the cluster components [run in a protected environment](#security). [Enterprise version of VictoriaMetrics](https://docs.victoriametrics.com/enterprise.html) provides optional support for [mTLS connections](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) between cluster components. Pass `-cluster.tls=true` command-line flag to `vminsert`, `vmselect` and `vmstorage` nodes in order to enable mTLS protection. Additionally, `vminsert`, `vmselect` and `vmstorage` must be configured with mTLS certificates via `-cluster.tlsCertFile`, `-cluster.tlsKeyFile` command-line options. These certificates are mutually verified when `vminsert` and `vmselect` dial `vmstorage`.
The following optional command-line flags related to mTLS are supported:
The following optional command-line flags related to mTLS are supported:
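Review bot: this hunk drops two pieces of cluster-specific content that the new "See also" links do not cover. First, the paragraph stating that the cluster version has no `-deleteAuthKey` and that `/delete/<accountID>/prometheus/api/v1/admin/tsdb/delete_series` must therefore be protected with vmauth or vmgateway; the single-node page documents `-deleteAuthKey`, so a reader following the link will assume the flag exists in the cluster too. Keep that paragraph, or fold it into the "allowed API endpoints" bullet as the concrete example of an endpoint to deny by default. Second, the list of security-related flags (`-tls`, `-tlsCertFile`, `-tlsKeyFile`, `-httpAuth.username`, `-httpAuth.password`, `-snapshotAuthKey`, `-forceMergeAuthKey`, `-search.resetCacheAuthKey`, `-flagsAuthKey`, `-pprofAuthKey`, `-denyQueryTracing`) is removed without saying that the cluster components accept them; if the intent is to defer to the single-node list, add one sentence saying so. Minor: the old first bullet's explicit exception for vmauth and vmgateway is also gone, which leaves the new first and second bullets reading as contradictory.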
@ -175,8 +175,7 @@ To avoid excessive resource usage or performance degradation limits must be in p
* [Resource usage limits](https://docs.victoriametrics.com/FAQ.html#how-to-set-a-memory-limit-for-victoriametrics-components);
* [Resource usage limits](https://docs.victoriametrics.com/FAQ.html#how-to-set-a-memory-limit-for-victoriametrics-components);
* [Cardinality limiter](https://docs.victoriametrics.com/Single-server-VictoriaMetrics.html#cardinality-limiter).
* [Cardinality limiter](https://docs.victoriametrics.com/Single-server-VictoriaMetrics.html#cardinality-limiter).
### Security recommendation
### Security recommendations
Enabling HTTPS encrypts the communication between clients and the VictoriaMetrics database. HTTPS can also verify the authenticity of the VictoriaMetrics database to connecting clients. General security recommendations for:
* [Security recommendations for single-node VictoriaMetrics](https://docs.victoriametrics.com/#security)
* [Single node](https://docs.victoriametrics.com/#security)
* [Security recommendations for cluster version of VictoriaMetrics](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security)
* [Cluster version](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security)
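Review bot: the removed sentences ("Enabling HTTPS encrypts the communication between clients and the VictoriaMetrics database. HTTPS can also verify the authenticity of the VictoriaMetrics database to connecting clients.") were the only explanation in this section of what `-tls` buys, and the replacement is two bare links. Suggest keeping one sentence on TLS (confidentiality in transit plus server authentication) above the list, with the two links beneath it. The heading rename to "Security recommendations" is correct and matches the new link text.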
@ -1617,7 +1617,9 @@ VictoriaMetrics provides the following security-related command-line flags:
Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats.
Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats.
For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=<internal_iface_ip>:2003`. This protects from unexpected requests from untrusted network interfaces.
For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=<internal_iface_ip>:2003`. This protects from unexpected requests from untrusted network interfaces.
VictoriaMetrics has achieved security certifications for Database Software Development and Software-Based Monitoring Services. We apply strict security measures in everything we do. See our [Security page](https://victoriametrics.com/security/) for more details.
See also [security recommendation for VictoriaMetrics cluster](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security)
and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/).
## Tuning
## Tuning
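Review bot: "See also security recommendation for VictoriaMetrics cluster" should be "security recommendations" (plural, consistent with the "Security recommendations" heading introduced elsewhere in this commit). Dropping the certification paragraph is fine here, since the https://victoriametrics.com/security/ link that replaces it still points readers to that information.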
@ -1620,7 +1620,9 @@ VictoriaMetrics provides the following security-related command-line flags:
Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats.
Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats.
For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=<internal_iface_ip>:2003`. This protects from unexpected requests from untrusted network interfaces.
For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=<internal_iface_ip>:2003`. This protects from unexpected requests from untrusted network interfaces.
VictoriaMetrics has achieved security certifications for Database Software Development and Software-Based Monitoring Services. We apply strict security measures in everything we do. See our [Security page](https://victoriametrics.com/security/) for more details.
See also [security recommendation for VictoriaMetrics cluster](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security)
and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/).
## Tuning
## Tuning
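Review bot: this hunk appears to be the same change as the previous one in a mirrored copy of the document, but it sits at line 1620 rather than 1617, so the two copies have already drifted by three lines above the Security section; a diff of the two files before merging would catch any other divergence in the mirrored sections. Same plural nit applies: "security recommendations for VictoriaMetrics cluster".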