diff --git a/README.md b/README.md index 004ebc646..b1b845225 100644 --- a/README.md +++ b/README.md @@ -1616,7 +1616,9 @@ VictoriaMetrics provides the following security-related command-line flags: Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats. For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=:2003`. This protects from unexpected requests from untrusted network interfaces. -VictoriaMetrics has achieved security certifications for Database Software Development and Software-Based Monitoring Services. We apply strict security measures in everything we do. See our [Security page](https://victoriametrics.com/security/) for more details. +See also [security recommendation for VictoriaMetrics cluster](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security) +and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/). + ## Tuning diff --git a/docs/Cluster-VictoriaMetrics.md b/docs/Cluster-VictoriaMetrics.md index df713cc4c..47d40c2d9 100644 --- a/docs/Cluster-VictoriaMetrics.md +++ b/docs/Cluster-VictoriaMetrics.md @@ -37,7 +37,9 @@ Each service may scale independently and may run on the most suitable hardware. This is a [shared nothing architecture](https://en.wikipedia.org/wiki/Shared-nothing_architecture). It increases cluster availability, and simplifies cluster maintenance as well as cluster scaling. -![Naive cluster scheme](Cluster-VictoriaMetrics_cluster-scheme.png) +

+ +

## Multitenancy @@ -241,29 +243,21 @@ The currently discovered `vmstorage` nodes can be [monitored](#monitoring) with General security recommendations: -- All the VictoriaMetrics components must run in protected private networks without direct access from untrusted networks such as Internet. The exception is [vmauth](https://docs.victoriametrics.com/vmauth.html) and [vmgateway](https://docs.victoriametrics.com/vmgateway.html). -- All the requests from untrusted networks to VictoriaMetrics components must go through auth proxy such as vmauth or vmgateway. The proxy must be set up with proper authentication and authorization. -- Prefer using lists of allowed API endpoints, while disallowing access to other endpoints when configuring auth proxy in front of VictoriaMetrics components. +- All the VictoriaMetrics cluster components must run in protected private network without direct access from untrusted networks such as Internet. +- External clients must access `vminsert` and `vmselect` via auth proxy such as [vmauth](https://docs.victoriametrics.com/vmauth.html) + or [vmgateway](https://docs.victoriametrics.com/vmgateway.html). +- The auth proxy must accept auth tokens from untrusted networks only via https in order to protect the auth tokens from eavesdropping. +- It is recommended using distinct auth tokens for distinct [tenants](#multitenancy) in order to reduce potential damage in case of compromised auth token for some tenants. +- Prefer using lists of allowed [API endpoints](#url-format), while disallowing access to other endpoints when configuring auth proxy in front of `vminsert` and `vmselect`. + This minimizes attack surface. -VictoriaMetrics Cluster provides the following security-related command-line flags: +See also [security recommendation for single-node VictoriaMetrics](https://docs.victoriametrics.com/#security) +and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/). -* `-tls`, `-tlsCertFile` and `-tlsKeyFile` for switching from HTTP to HTTPS. -* `-httpAuth.username` and `-httpAuth.password` for protecting all the HTTP endpoints - with [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). -* `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](https://docs.victoriametrics.com/#how-to-work-with-snapshots) and [backups](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#backups). -* `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](https://docs.victoriametrics.com/#forced-merge). -* `-search.resetCacheAuthKey` for protecting `/internal/resetRollupResultCache` endpoint. See [backfilling](https://docs.victoriametrics.com/#backfilling) for more details. -* `-flagsAuthKey` for protecting `/flags` endpoint. -* `-pprofAuthKey` for protecting `/debug/pprof/*` endpoints, which can be used for [profiling](https://docs.victoriametrics.com/#profiling). -* `-denyQueryTracing` for disallowing [query tracing](https://docs.victoriametrics.com/#query-tracing). - -VictoriaMetrics Cluster supports [multiple isolated tenants](#multitenancy) (aka namespaces) and do not provide flag `-deleteAuthKey` to secure time series from deletion via API. It is strongly recommend to use [vmauth](https://docs.victoriametrics.com/vmauth.html) or [vmgateway](https://docs.victoriametrics.com/vmgateway.html) to protect `/delete//prometheus/api/v1/admin/tsdb/delete_series`. - -VictoriaMetrics has achieved security certifications for Database Software Development and Software-Based Monitoring Services. We apply strict security measures in everything we do. See our [Security page](https://victoriametrics.com/security/) for more details. ## mTLS protection -By default `vminsert` and `vmselect` nodes use unencrypted connections to `vmstorage` nodes, since it is assumed that all the cluster components run in a protected environment. [Enterprise version of VictoriaMetrics](https://docs.victoriametrics.com/enterprise.html) provides optional support for [mTLS connections](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) between cluster components. Pass `-cluster.tls=true` command-line flag to `vminsert`, `vmselect` and `vmstorage` nodes in order to enable mTLS protection. Additionally, `vminsert`, `vmselect` and `vmstorage` must be configured with mTLS certificates via `-cluster.tlsCertFile`, `-cluster.tlsKeyFile` command-line options. These certificates are mutually verified when `vminsert` and `vmselect` dial `vmstorage`. +By default `vminsert` and `vmselect` nodes use unencrypted connections to `vmstorage` nodes, since it is assumed that all the cluster components [run in a protected environment](#security). [Enterprise version of VictoriaMetrics](https://docs.victoriametrics.com/enterprise.html) provides optional support for [mTLS connections](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) between cluster components. Pass `-cluster.tls=true` command-line flag to `vminsert`, `vmselect` and `vmstorage` nodes in order to enable mTLS protection. Additionally, `vminsert`, `vmselect` and `vmstorage` must be configured with mTLS certificates via `-cluster.tlsCertFile`, `-cluster.tlsKeyFile` command-line options. These certificates are mutually verified when `vminsert` and `vmselect` dial `vmstorage`. The following optional command-line flags related to mTLS are supported: diff --git a/docs/Quick-Start.md b/docs/Quick-Start.md index 94c9bf7de..411ec6bf9 100644 --- a/docs/Quick-Start.md +++ b/docs/Quick-Start.md @@ -175,8 +175,7 @@ To avoid excessive resource usage or performance degradation limits must be in p * [Resource usage limits](https://docs.victoriametrics.com/FAQ.html#how-to-set-a-memory-limit-for-victoriametrics-components); * [Cardinality limiter](https://docs.victoriametrics.com/Single-server-VictoriaMetrics.html#cardinality-limiter). -### Security recommendation +### Security recommendations -Enabling HTTPS encrypts the communication between clients and the VictoriaMetrics database. HTTPS can also verify the authenticity of the VictoriaMetrics database to connecting clients. General security recommendations for: -* [Single node](https://docs.victoriametrics.com/#security) -* [Cluster version](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security) \ No newline at end of file +* [Security recommendations for single-node VictoriaMetrics](https://docs.victoriametrics.com/#security) +* [Security recommendations for cluster version of VictoriaMetrics](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security) diff --git a/docs/README.md b/docs/README.md index f3d0f8586..bcdc45b09 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1617,7 +1617,9 @@ VictoriaMetrics provides the following security-related command-line flags: Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats. For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=:2003`. This protects from unexpected requests from untrusted network interfaces. -VictoriaMetrics has achieved security certifications for Database Software Development and Software-Based Monitoring Services. We apply strict security measures in everything we do. See our [Security page](https://victoriametrics.com/security/) for more details. +See also [security recommendation for VictoriaMetrics cluster](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security) +and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/). + ## Tuning diff --git a/docs/Single-server-VictoriaMetrics.md b/docs/Single-server-VictoriaMetrics.md index a1d2a6429..6fcfc14c1 100644 --- a/docs/Single-server-VictoriaMetrics.md +++ b/docs/Single-server-VictoriaMetrics.md @@ -1620,7 +1620,9 @@ VictoriaMetrics provides the following security-related command-line flags: Explicitly set internal network interface for TCP and UDP ports for data ingestion with Graphite and OpenTSDB formats. For example, substitute `-graphiteListenAddr=:2003` with `-graphiteListenAddr=:2003`. This protects from unexpected requests from untrusted network interfaces. -VictoriaMetrics has achieved security certifications for Database Software Development and Software-Based Monitoring Services. We apply strict security measures in everything we do. See our [Security page](https://victoriametrics.com/security/) for more details. +See also [security recommendation for VictoriaMetrics cluster](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#security) +and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/). + ## Tuning