Skip to content

tiproxy: info about API access restrictions #21865

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Oct 15, 2025
Merged

tiproxy: info about API access restrictions #21865

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
d3b671a
tiproxy: info about API access restrictions
dveeden Oct 3, 2025
7a2a7da
Apply suggestion from @gemini-code-assist[bot]
dveeden Oct 3, 2025
75f8cb5
fixup
dveeden Oct 3, 2025
a9c33f1
Update and extend
dveeden Oct 7, 2025
45889f7
Update tiproxy/tiproxy-api.md
dveeden Oct 8, 2025
0bce2ee
Update tiproxy/tiproxy-api.md
dveeden Oct 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions tiproxy/tiproxy-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,3 +126,9 @@ The output is as follows:
```bash
curl http://127.0.0.1:3080/metrics/
```

## Access control

You can restrict access to the TiProxy API by enabling TLS through [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and configuring the `cert-allowed-cn` option in the `server-http-tls` subsection under the [security](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name (CN) in the client certificate to [verify component caller's identity](/enable-tls-between-components.md#verify-component-callers-identity).
If TLS is not enabled, you can control access using firewall rules instead.