mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2025-01-20 07:19:17 +01:00
update wiki pages
parent
506579de65
commit
a43108eaca
@ -35,6 +35,7 @@ The sandbox cluster installation is running under the constant load generated by
|
|||||||
* FEATURE: all VictoriaMetrics components: add support for accepting http requests over multiple distinct TCP addresses by starting VictoriaMetrics component with multiple `-httpListenAddr` command-line flags. For example, `./victoria-metrics -httpListenAddr=some-host:12345 -httpListenAddr=localhost:8428` starts VictoriaMetrics, which accepts incoming http requests at both `some-host:12345` and `localhost:8428`. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1470).
|
* FEATURE: all VictoriaMetrics components: add support for accepting http requests over multiple distinct TCP addresses by starting VictoriaMetrics component with multiple `-httpListenAddr` command-line flags. For example, `./victoria-metrics -httpListenAddr=some-host:12345 -httpListenAddr=localhost:8428` starts VictoriaMetrics, which accepts incoming http requests at both `some-host:12345` and `localhost:8428`. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1470).
|
||||||
* FEATURE: all VictoriaMetrics components: add support for empty command flag values in short array notation. For example, `-remoteWrite.sendTimeout=',20s,'` specifies three `-remoteWrite.sendTimeout` values - the first and the last ones are default values (`30s` in this case), while the second one is `20s`.
|
* FEATURE: all VictoriaMetrics components: add support for empty command flag values in short array notation. For example, `-remoteWrite.sendTimeout=',20s,'` specifies three `-remoteWrite.sendTimeout` values - the first and the last ones are default values (`30s` in this case), while the second one is `20s`.
|
||||||
* FEATURE: all VictoriaMetrics components: do not close connections to `-httpListenAddr` every 2 minutes. This behavior didn't help spreading load among multiple backend servers behind load-balancing TCP proxy. Instead, it could lead to hard-to-debug issues like [this one](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1304#issuecomment-1636997037). If you still need periodically closing client connections because of some reason, then pass the desired timeout to `-http.connTimeout` command-line flag.
|
* FEATURE: all VictoriaMetrics components: do not close connections to `-httpListenAddr` every 2 minutes. This behavior didn't help spreading load among multiple backend servers behind load-balancing TCP proxy. Instead, it could lead to hard-to-debug issues like [this one](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1304#issuecomment-1636997037). If you still need periodically closing client connections because of some reason, then pass the desired timeout to `-http.connTimeout` command-line flag.
|
||||||
|
* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth.html): add support for [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication)-based request routing to different backends depending on the subject of the TLS certificate provided by the client. See [these docs](https://docs.victoriametrics.com/vmauth.html#mtls-based-request-routing). See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1547).
|
||||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html) and [single-node VictoriaMetrics](https://docs.victoriametrics.com): add support for data ingestion via [DataDog lambda extension](https://docs.datadoghq.com/serverless/libraries_integrations/extension/) aka `/api/beta/sketches` endpoint. See [these docs](https://docs.victoriametrics.com/#how-to-send-data-from-datadog-agent) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/3091). Thanks to @AndrewChubatiuk for [the pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5584).
|
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html) and [single-node VictoriaMetrics](https://docs.victoriametrics.com): add support for data ingestion via [DataDog lambda extension](https://docs.datadoghq.com/serverless/libraries_integrations/extension/) aka `/api/beta/sketches` endpoint. See [these docs](https://docs.victoriametrics.com/#how-to-send-data-from-datadog-agent) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/3091). Thanks to @AndrewChubatiuk for [the pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5584).
|
||||||
* FEATURE: [VictoriaMetrics cluster](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html): add `-disableReroutingOnUnavailable` command-line flag to `vminsert`, which can be used for reducing resource usage spikes at `vmstorage` nodes during rolling restart. See [these docs](https://docs.victoriametrics.com/cluster-victoriametrics/#improving-re-routing-performance-during-restart). Thanks to @Muxa1L for [the pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5713).
|
* FEATURE: [VictoriaMetrics cluster](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html): add `-disableReroutingOnUnavailable` command-line flag to `vminsert`, which can be used for reducing resource usage spikes at `vmstorage` nodes during rolling restart. See [these docs](https://docs.victoriametrics.com/cluster-victoriametrics/#improving-re-routing-performance-during-restart). Thanks to @Muxa1L for [the pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5713).
|
||||||
* FEATURE: add `-search.resetRollupResultCacheOnStartup` command-line flag for resetting [query cache](https://docs.victoriametrics.com/#rollup-result-cache) on startup. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/834).
|
* FEATURE: add `-search.resetRollupResultCacheOnStartup` command-line flag for resetting [query cache](https://docs.victoriametrics.com/#rollup-result-cache) on startup. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/834).
|
||||||
|
@ -60,6 +60,7 @@ On top of this, Enterprise package of VictoriaMetrics includes the following fea
|
|||||||
- [Advanced auth and rate limiter](https://docs.victoriametrics.com/vmgateway.html).
|
- [Advanced auth and rate limiter](https://docs.victoriametrics.com/vmgateway.html).
|
||||||
- [mTLS for all the VictoriaMetrics components](https://docs.victoriametrics.com/#mtls-protection).
|
- [mTLS for all the VictoriaMetrics components](https://docs.victoriametrics.com/#mtls-protection).
|
||||||
- [mTLS for communications between cluster components](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#mtls-protection).
|
- [mTLS for communications between cluster components](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#mtls-protection).
|
||||||
|
- [mTLS-based request routing](https://docs.victoriametrics.com/vmauth.html#mtls-based-request-routing).
|
||||||
- [Kafka integration](https://docs.victoriametrics.com/vmagent.html#kafka-integration).
|
- [Kafka integration](https://docs.victoriametrics.com/vmagent.html#kafka-integration).
|
||||||
- [Google PubSub integration](https://docs.victoriametrics.com/vmagent.html#google-pubsub-integration).
|
- [Google PubSub integration](https://docs.victoriametrics.com/vmagent.html#google-pubsub-integration).
|
||||||
- [Multitenant support in vmalert](https://docs.victoriametrics.com/vmalert.html#multitenancy).
|
- [Multitenant support in vmalert](https://docs.victoriametrics.com/vmalert.html#multitenancy).
|
||||||
|
25
vmauth.md
25
vmauth.md
@ -58,6 +58,7 @@ accounting and rate limiting such as [vmgateway](https://docs.victoriametrics.co
|
|||||||
* [Basic Auth proxy](#basic-auth-proxy)
|
* [Basic Auth proxy](#basic-auth-proxy)
|
||||||
* [Bearer Token auth proxy](#bearer-token-auth-proxy)
|
* [Bearer Token auth proxy](#bearer-token-auth-proxy)
|
||||||
* [Per-tenant authorization](#per-tenant-authorization)
|
* [Per-tenant authorization](#per-tenant-authorization)
|
||||||
|
* [mTLS-based request routing](#mtls-based-request-routing)
|
||||||
* [Enforcing query args](#enforcing-query-args)
|
* [Enforcing query args](#enforcing-query-args)
|
||||||
|
|
||||||
### Simple HTTP proxy
|
### Simple HTTP proxy
|
||||||
@ -274,6 +275,28 @@ users:
|
|||||||
url_prefix: "http://vmselect-backend:8481/select/2/prometheus/"
|
url_prefix: "http://vmselect-backend:8481/select/2/prometheus/"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### mTLS-based request routing
|
||||||
|
|
||||||
|
[Enterprise version of `vmauth`](https://docs.victoriametrics.com/enterprise.html) can be configured for routing requests
|
||||||
|
to different backends depending on the following [subject fields](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields) in the TLS certificate provided by client:
|
||||||
|
|
||||||
|
* `organizational_unit` aka `OU`
|
||||||
|
* `organization` aka `O`
|
||||||
|
* `common_name` aka `CN`
|
||||||
|
|
||||||
|
For example, the following [`-auth.config`](#auth-config) routes requests from clients with `organizational_unit: finance` TLS certificates
|
||||||
|
to `http://victoriametrics-finance:8428` backend:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
users:
|
||||||
|
- mtls:
|
||||||
|
organizational_unit: finance
|
||||||
|
url_prefix: "http://victoriametrics-finance:8428"
|
||||||
|
```
|
||||||
|
|
||||||
|
[mTLS protection](#mtls-protection) must be enabled for mTLS-based routing.
|
||||||
|
|
||||||
|
|
||||||
### Enforcing query args
|
### Enforcing query args
|
||||||
|
|
||||||
`vmauth` can be configured for adding some mandatory query args before proxying requests to backends.
|
`vmauth` can be configured for adding some mandatory query args before proxying requests to backends.
|
||||||
@ -678,6 +701,8 @@ requests at this port, by specifying `-tls` and `-mtls` command-line flags. For
|
|||||||
By default system-wide [TLS Root CA](https://en.wikipedia.org/wiki/Root_certificate) is used for verifying client certificates if `-mtls` command-line flag is specified.
|
By default system-wide [TLS Root CA](https://en.wikipedia.org/wiki/Root_certificate) is used for verifying client certificates if `-mtls` command-line flag is specified.
|
||||||
It is possible to specify custom TLS Root CA via `-mtlsCAFile` command-line flag.
|
It is possible to specify custom TLS Root CA via `-mtlsCAFile` command-line flag.
|
||||||
|
|
||||||
|
See also [mTLS-based request routing](#mtls-based-request-routing)
|
||||||
|
|
||||||
## Security
|
## Security
|
||||||
|
|
||||||
It is expected that all the backend services protected by `vmauth` are located in an isolated private network, so they can be accessed by external users only via `vmauth`.
|
It is expected that all the backend services protected by `vmauth` are located in an isolated private network, so they can be accessed by external users only via `vmauth`.
|
||||||
|
Loading…
Reference in New Issue
Block a user