From bfec8a375174f6d7f9a70dad79e60addab9980d3 Mon Sep 17 00:00:00 2001 From: Aliaksandr Valialkin <valyala@victoriametrics.com> Date: Sat, 11 Nov 2023 12:46:57 +0100 Subject: [PATCH] app/vmauth: improve docs a bit after 323f3720ed33a834ce32c2a6b95101aad2e5042c Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5240 --- app/vmauth/README.md | 7 +++---- app/vmauth/example_config.yml | 9 +++++++++ docs/CHANGELOG.md | 2 +- docs/vmauth.md | 7 +++---- 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/app/vmauth/README.md b/app/vmauth/README.md index 5d5a1e8752..cfaeaf44d9 100644 --- a/app/vmauth/README.md +++ b/app/vmauth/README.md @@ -182,12 +182,12 @@ users: url_prefix: "http://localhost:8428?extra_label=team=dev" # All the requests to http://vmauth:8427 with the given Basic Auth (username:password) - # are proxied to http://localhost:8428 with extra_label=team=dev query arg. - # For example, http://vmauth:8427/api/v1/query is routed to https://localhost/api/v1/query?extra_label=team=dev + # are proxied to https://localhost:8428. + # For example, http://vmauth:8427/api/v1/query is routed to https://localhost/api/v1/query # TLS verification is skipped for https://localhost. - username: "local-single-node-with-tls" password: "***" - url_prefix: "https://localhost?extra_label=team=test" + url_prefix: "https://localhost" tls_insecure_skip_verify: true # All the requests to http://vmauth:8427 with the given Basic Auth (username:password) @@ -266,7 +266,6 @@ unauthorized_user: - http://vmselect-az1/?deny_partial_response=1 - http://vmselect-az2/?deny_partial_response=1 retry_status_codes: [503, 500] - tls_insecure_skip_verify: true ip_filters: allow_list: ["1.2.3.0/24", "127.0.0.1"] diff --git a/app/vmauth/example_config.yml b/app/vmauth/example_config.yml index 023adb9918..55d9d4d20c 100644 --- a/app/vmauth/example_config.yml +++ b/app/vmauth/example_config.yml @@ -42,6 +42,15 @@ users: password: "***" url_prefix: "http://localhost:8428?extra_label=team=dev" + # All the requests to http://vmauth:8427 with the given Basic Auth (username:password) + # are proxied to https://localhost:8428 + # For example, http://vmauth:8427/api/v1/query is routed to https://localhost/api/v1/query + # TLS verification is ignored for https://localhost. +- username: "local-single-node-with-tls" + password: "***" + url_prefix: "https://localhost" + tls_insecure_skip_verify: true + # All the requests to http://vmauth:8427 with the given Basic Auth (username:password) # are load-balanced among http://vmselect1:8481/select/123/prometheus and http://vmselect2:8481/select/123/prometheus # For example, http://vmauth:8427/api/v1/query is proxied to the following urls in a round-robin manner: diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index fe3b2f2e9f..b2012f6ff0 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -79,7 +79,7 @@ The sandbox cluster installation is running under the constant load generated by * FEATURE: [vmalert-tool](https://docs.victoriametrics.com/#vmalert-tool): add `unittest` command to run unittest for alerting and recording rules. See [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4789) for details. * FEATURE: dashboards/vmalert: add new panel `Missed evaluations` for indicating alerting groups that miss their evaluations. * FEATURE: all: track requests with wrong auth key and wrong basic auth at `vm_http_request_errors_total` [metric](https://docs.victoriametrics.com/#monitoring) with `reason="wrong_auth_key"` and `reason="wrong_basic_auth"`. See [this issue](https://github.com/victoriaMetrics/victoriaMetrics/issues/4590). Thanks to @venkatbvc for the [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5166). -* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth.html): add `tls_insecure_skip_verify` parameter which allows to disable TLS verification for backend connection. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5240). +* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth.html): add `tls_insecure_skip_verify` parameter which can be set on a per-user level to disable TLS verification for backend connections. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5240). * FEATURE: `vmstorage`: add `-blockcache.missesBeforeCaching` command-line flag, which can be used for fine-tuning RAM usage for `indexdb/dataBlocks` cache when queries touching big number of time series are executed. * FEATURE: add `-loggerMaxArgLen` command-line flag for fine-tuning the maximum lengths of logged args. diff --git a/docs/vmauth.md b/docs/vmauth.md index ade90019c6..a156742b8c 100644 --- a/docs/vmauth.md +++ b/docs/vmauth.md @@ -193,12 +193,12 @@ users: url_prefix: "http://localhost:8428?extra_label=team=dev" # All the requests to http://vmauth:8427 with the given Basic Auth (username:password) - # are proxied to http://localhost:8428 with extra_label=team=dev query arg. - # For example, http://vmauth:8427/api/v1/query is routed to https://localhost/api/v1/query?extra_label=team=dev + # are proxied to https://localhost:8428. + # For example, http://vmauth:8427/api/v1/query is routed to https://localhost/api/v1/query # TLS verification is skipped for https://localhost. - username: "local-single-node-with-tls" password: "***" - url_prefix: "https://localhost?extra_label=team=test" + url_prefix: "https://localhost" tls_insecure_skip_verify: true # All the requests to http://vmauth:8427 with the given Basic Auth (username:password) @@ -277,7 +277,6 @@ unauthorized_user: - http://vmselect-az1/?deny_partial_response=1 - http://vmselect-az2/?deny_partial_response=1 retry_status_codes: [503, 500] - tls_insecure_skip_verify: true ip_filters: allow_list: ["1.2.3.0/24", "127.0.0.1"]