diff --git a/README.md b/README.md index 4e2457d54..784919a2d 100644 --- a/README.md +++ b/README.md @@ -2123,7 +2123,7 @@ General security recommendations: - All the VictoriaMetrics components must run in protected private networks without direct access from untrusted networks such as Internet. The exception is [vmauth](https://docs.victoriametrics.com/vmauth/) and [vmgateway](https://docs.victoriametrics.com/vmgateway/), - which are indended for serving public requests and performing authorization with [TLS termination](https://en.wikipedia.org/wiki/TLS_termination_proxy). + which are intended for serving public requests and performing authorization with [TLS termination](https://en.wikipedia.org/wiki/TLS_termination_proxy). - All the requests from untrusted networks to VictoriaMetrics components must go through auth proxy such as [vmauth](https://docs.victoriametrics.com/vmauth/) or [vmgateway](https://docs.victoriametrics.com/vmgateway/). The proxy must be set up with proper authentication and authorization. - Prefer using lists of allowed API endpoints, while disallowing access to other endpoints when configuring [vmauth](https://docs.victoriametrics.com/vmauth/) @@ -2165,7 +2165,7 @@ All the VictoriaMetrics [Enterprise](https://docs.victoriametrics.com/enterprise via [Let's Encrypt service](https://letsencrypt.org/). The following command-line flags must be set in order to enable automatic issuing of TLS certificates: - `-httpListenAddr` must be set for listening TCP port `443`. For example, `-httpListenAddr=:443`. This port must be accessible by the [Let's Encrypt service](https://letsencrypt.org/). -- `-tls` must be set in order to accept HTTPS requests at `-httpListenAddr`. +- `-tls` must be set in order to accept HTTPS requests at `-httpListenAddr`. Note that `-tlcCertFile` and `-tlsKeyFile` aren't needed when automatic TLS certificate issuing is enabled. - `-tlsAutocertHosts` must be set to comma-separated list of hosts, which can be reached via `-httpListenAddr`. TLS certificates are automatically issued for these hosts. - `-tlsAutocertEmail` must be set to contact email for the issued TLS certificates. - `-tlsAutocertCacheDir` may be set to the directory path for persisting the issued TLS certificates between VictoriaMetrics restarts. If this flag isn't set, @@ -2173,6 +2173,9 @@ via [Let's Encrypt service](https://letsencrypt.org/). The following command-lin This functionality can be evaluated for free according to [these docs](https://docs.victoriametrics.com/enterprise/). +See also [security recommendations](#security). + + ## Tuning * No need in tuning for VictoriaMetrics - it uses reasonable defaults for command-line flags, diff --git a/docs/README.md b/docs/README.md index 2dfdf9c9e..7db75c0a4 100644 --- a/docs/README.md +++ b/docs/README.md @@ -2126,7 +2126,7 @@ General security recommendations: - All the VictoriaMetrics components must run in protected private networks without direct access from untrusted networks such as Internet. The exception is [vmauth](https://docs.victoriametrics.com/vmauth/) and [vmgateway](https://docs.victoriametrics.com/vmgateway/), - which are indended for serving public requests and performing authorization with [TLS termination](https://en.wikipedia.org/wiki/TLS_termination_proxy). + which are intended for serving public requests and performing authorization with [TLS termination](https://en.wikipedia.org/wiki/TLS_termination_proxy). - All the requests from untrusted networks to VictoriaMetrics components must go through auth proxy such as [vmauth](https://docs.victoriametrics.com/vmauth/) or [vmgateway](https://docs.victoriametrics.com/vmgateway/). The proxy must be set up with proper authentication and authorization. - Prefer using lists of allowed API endpoints, while disallowing access to other endpoints when configuring [vmauth](https://docs.victoriametrics.com/vmauth/) @@ -2168,7 +2168,7 @@ All the VictoriaMetrics [Enterprise](https://docs.victoriametrics.com/enterprise via [Let's Encrypt service](https://letsencrypt.org/). The following command-line flags must be set in order to enable automatic issuing of TLS certificates: - `-httpListenAddr` must be set for listening TCP port `443`. For example, `-httpListenAddr=:443`. This port must be accessible by the [Let's Encrypt service](https://letsencrypt.org/). -- `-tls` must be set in order to accept HTTPS requests at `-httpListenAddr`. +- `-tls` must be set in order to accept HTTPS requests at `-httpListenAddr`. Note that `-tlcCertFile` and `-tlsKeyFile` aren't needed when automatic TLS certificate issuing is enabled. - `-tlsAutocertHosts` must be set to comma-separated list of hosts, which can be reached via `-httpListenAddr`. TLS certificates are automatically issued for these hosts. - `-tlsAutocertEmail` must be set to contact email for the issued TLS certificates. - `-tlsAutocertCacheDir` may be set to the directory path for persisting the issued TLS certificates between VictoriaMetrics restarts. If this flag isn't set, @@ -2176,6 +2176,9 @@ via [Let's Encrypt service](https://letsencrypt.org/). The following command-lin This functionality can be evaluated for free according to [these docs](https://docs.victoriametrics.com/enterprise/). +See also [security recommendations](#security). + + ## Tuning * No need in tuning for VictoriaMetrics - it uses reasonable defaults for command-line flags, diff --git a/docs/Single-server-VictoriaMetrics.md b/docs/Single-server-VictoriaMetrics.md index b6d05f045..9e45193ff 100644 --- a/docs/Single-server-VictoriaMetrics.md +++ b/docs/Single-server-VictoriaMetrics.md @@ -2134,7 +2134,7 @@ General security recommendations: - All the VictoriaMetrics components must run in protected private networks without direct access from untrusted networks such as Internet. The exception is [vmauth](https://docs.victoriametrics.com/vmauth/) and [vmgateway](https://docs.victoriametrics.com/vmgateway/), - which are indended for serving public requests and performing authorization with [TLS termination](https://en.wikipedia.org/wiki/TLS_termination_proxy). + which are intended for serving public requests and performing authorization with [TLS termination](https://en.wikipedia.org/wiki/TLS_termination_proxy). - All the requests from untrusted networks to VictoriaMetrics components must go through auth proxy such as [vmauth](https://docs.victoriametrics.com/vmauth/) or [vmgateway](https://docs.victoriametrics.com/vmgateway/). The proxy must be set up with proper authentication and authorization. - Prefer using lists of allowed API endpoints, while disallowing access to other endpoints when configuring [vmauth](https://docs.victoriametrics.com/vmauth/) @@ -2176,7 +2176,7 @@ All the VictoriaMetrics [Enterprise](https://docs.victoriametrics.com/enterprise via [Let's Encrypt service](https://letsencrypt.org/). The following command-line flags must be set in order to enable automatic issuing of TLS certificates: - `-httpListenAddr` must be set for listening TCP port `443`. For example, `-httpListenAddr=:443`. This port must be accessible by the [Let's Encrypt service](https://letsencrypt.org/). -- `-tls` must be set in order to accept HTTPS requests at `-httpListenAddr`. +- `-tls` must be set in order to accept HTTPS requests at `-httpListenAddr`. Note that `-tlcCertFile` and `-tlsKeyFile` aren't needed when automatic TLS certificate issuing is enabled. - `-tlsAutocertHosts` must be set to comma-separated list of hosts, which can be reached via `-httpListenAddr`. TLS certificates are automatically issued for these hosts. - `-tlsAutocertEmail` must be set to contact email for the issued TLS certificates. - `-tlsAutocertCacheDir` may be set to the directory path for persisting the issued TLS certificates between VictoriaMetrics restarts. If this flag isn't set, @@ -2184,6 +2184,9 @@ via [Let's Encrypt service](https://letsencrypt.org/). The following command-lin This functionality can be evaluated for free according to [these docs](https://docs.victoriametrics.com/enterprise/). +See also [security recommendations](#security). + + ## Tuning * No need in tuning for VictoriaMetrics - it uses reasonable defaults for command-line flags,