add configuration description about isolation-read.engines & proxy-pr… (

#9689) (#10024)
pingcap · Aug 16, 2022 · 4cf4856 · 4cf4856
1 parent 7c4949e
commit 4cf4856
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/best-practices/haproxy-best-practices.md b/best-practices/haproxy-best-practices.md
@@ -204,6 +204,18 @@ listen tidb-cluster                        # Database load balancing.
    server tidb-3 10.9.64.166:4000 check inter 2000 rise 2 fall 3
 ```
 
+To check the source IP address using `SHOW PROCESSLIST`, you need to configure the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) to connect to TiDB.
+
+```yaml
+   server tidb-1 10.9.18.229:4000 send-proxy check inter 2000 rise 2 fall 3       
+   server tidb-2 10.9.39.208:4000 send-proxy check inter 2000 rise 2 fall 3
+   server tidb-3 10.9.64.166:4000 send-proxy check inter 2000 rise 2 fall 3
+```
+
+> **Note:**
+>
+> Before using the PROXY protocol, you need to configure [`proxy-protocol.networks`](/tidb-configuration-file.md#networks) in the configuration file of the TiDB server.
+
 ### Start HAProxy
 
 To start HAProxy, run `haproxy`. `/etc/haproxy/haproxy.cfg` is read by default (recommended).

diff --git a/tidb-configuration-file.md b/tidb-configuration-file.md
@@ -718,6 +718,31 @@ For pessimistic transaction usage, refer to [TiDB Pessimistic Transaction Mode](
 + Controls whether the [`INFORMATION_SCHEMA.DEADLOCKS`](/information-schema/information-schema-deadlocks.md) table collects the information of retryable deadlock errors. For the description of retryable deadlock errors, see [Retryable deadlock errors](/information-schema/information-schema-deadlocks.md#retryable-deadlock-errors).
 + Default value: `false`
 
+## isolation-read
+
+Configuration items related to read isolation.
+
+### `engines`
+
+- Controls from which engine TiDB allows to read data.
+- Default value: ["tikv", "tiflash", "tidb"], indicating that the engine is automatically selected by the optimizer.
+- Value options: Any combinations of "tikv", "tiflash", and "tidb", for example, ["tikv", "tidb"] or ["tiflash", "tidb"]
+
+## proxy-protocol
+
+Configuration items related to the PROXY protocol.
+
+### `networks`
+
+- The list of proxy server's IP addresses allowed to connect to TiDB using the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+- Default value: ""
+- In general cases, when you access TiDB behind a reverse proxy, TiDB takes the IP address of the reverse proxy server as the IP address of the client. By enabling the PROXY protocol, reverse proxies that support this protocol, such as HAProxy, can pass the real client IP address to TiDB.
+- After configuring this parameter, TiDB allows the configured source IP address to connect to TiDB using the PROXY protocol; if a protocol other than PROXY is used, this connection will be denied. If this parameter is left empty, no IP address can connect to TiDB using the PROXY protocol. The value can be an IP address (192.168.1.50) or CIDR (192.168.1.0/24) with `,` as the separator. `*` means any IP addresses.
+
+> **Warning:**
+>
+> Use `*` with caution because it might introduce security risks by allowing a client of any IP address to report its IP address. In addition, using `*` might also cause the internal component that directly connects to TiDB (such as TiDB Dashboard) to be unavailable.
+
 ## experimental
 
 The `experimental` section, introduced in v3.1.0, describes the configurations related to the experimental features of TiDB.