From c96964aa623c500040064cc0ffa47ff69e1e047e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 3 Oct 2025 09:39:16 +0200 Subject: [PATCH 1/6] tiproxy: info about API access restrictions --- tiproxy/tiproxy-api.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index ee05aea62ab25..14ece5e64a6d4 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md @@ -126,3 +126,10 @@ The output is as follows: ```bash curl http://127.0.0.1:3080/metrics/ ``` + +## Access control + +TiProxy API access can be restricted by enabling TLS via [`server-tls`](/tiproxy/tiproxy-configuration.md#server-tls). The common name in the client certificate is used to check access. + +If TLS is not used access can be controlled with firewall rules. + From 02760f097425a0ff2ca23e5ce56f749000dd95c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 3 Oct 2025 09:45:04 +0200 Subject: [PATCH 2/6] Apply suggestion from @gemini-code-assist[bot] Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tiproxy/tiproxy-api.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index 14ece5e64a6d4..fafd835eb2d71 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md 
@@ -129,7 +129,5 @@ curl http://127.0.0.1:3080/metrics/ ## Access control -TiProxy API access can be restricted by enabling TLS via [`server-tls`](/tiproxy/tiproxy-configuration.md#server-tls). The common name in the client certificate is used to check access. - -If TLS is not used access can be controlled with firewall rules. +You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls). TiProxy then uses the common name in the client certificate to verify access. Alternatively, if you do not use TLS, you can control access using firewall rules. From 34aba372df6f12b0c559554976dbaaa5cea4ba16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 3 Oct 2025 09:49:48 +0200 Subject: [PATCH 3/6] fixup --- tiproxy/tiproxy-api.md | 1 - 1 file changed, 1 deletion(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index fafd835eb2d71..a7ab861fb0063 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md @@ -130,4 +130,3 @@ curl http://127.0.0.1:3080/metrics/ ## Access control You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls). TiProxy then uses the common name in the client certificate to verify access. Alternatively, if you do not use TLS, you can control access using firewall rules. - From 3f9ffa4ba70b7141ac990d50be82792c27da96c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 7 Oct 2025 11:10:58 -0700 Subject: [PATCH 4/6] Update and extend --- tiproxy/tiproxy-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index a7ab861fb0063..632c28a2ff1e1 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md 
@@ -129,4 +129,4 @@ curl http://127.0.0.1:3080/metrics/ ## Access control -You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls). TiProxy then uses the common name in the client certificate to verify access. Alternatively, if you do not use TLS, you can control access using firewall rules. +You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and setting the `cert-allowed-cn` setting in the `server-tls` subsection that is part of the [`security`](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name in the client certificate to [verify the identity of the caller](/enable-tls-between-components.md#verify-component-callers-identity). Alternatively, if you do not use TLS, you can control access using firewall rules. From 6e9e7b85549ab58e20fbbbe051ac827c302794b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Wed, 8 Oct 2025 15:04:27 +0200 Subject: [PATCH 5/6] Update tiproxy/tiproxy-api.md Co-authored-by: djshow832 --- tiproxy/tiproxy-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index 632c28a2ff1e1..ceb8d578e5877 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md 
@@ -129,4 +129,4 @@ curl http://127.0.0.1:3080/metrics/ ## Access control -You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and setting the `cert-allowed-cn` setting in the `server-tls` subsection that is part of the [`security`](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name in the client certificate to [verify the identity of the caller](/enable-tls-between-components.md#verify-component-callers-identity). Alternatively, if you do not use TLS, you can control access using firewall rules. +You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and setting the `cert-allowed-cn` setting in the `server-http-tls` subsection that is part of the [`security`](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name in the client certificate to [verify the identity of the caller](/enable-tls-between-components.md#verify-component-callers-identity). Alternatively, if you do not use TLS, you can control access using firewall rules. From 05172cbb538ec50d501d27a63883ab5554058e42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 13 Oct 2025 09:16:05 +0200 Subject: [PATCH 6/6] Update tiproxy/tiproxy-api.md Co-authored-by: xixirangrang --- tiproxy/tiproxy-api.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index ceb8d578e5877..8bc96ce0e8daa 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md 
@@ -129,4 +129,6 @@ curl http://127.0.0.1:3080/metrics/ ## Access control -You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and setting the `cert-allowed-cn` setting in the `server-http-tls` subsection that is part of the [`security`](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name in the client certificate to [verify the identity of the caller](/enable-tls-between-components.md#verify-component-callers-identity). Alternatively, if you do not use TLS, you can control access using firewall rules. +You can restrict access to the TiProxy API by enabling TLS through [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and configuring the `cert-allowed-cn` option in the `server-http-tls` subsection under the [security](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name (CN) in the client certificate to [verify component caller's identity](/enable-tls-between-components.md#verify-component-callers-identity). + +If TLS is not enabled, you can control access using firewall rules instead.
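Review bot: in PATCH 1/6 the new "Access control" paragraph links to `server-tls` (`#server-tls`), which PATCH 2/6 then replaces with `server-http-tls` (`#server-http-tls`), so the first commit in the series points readers at a different TLS section than the one the series ends up documenting. PATCH 3/6 ("fixup") only removes a trailing blank line. Squash 1/6 through 3/6 into one commit so that no intermediate revision carries the superseded link, and give the result a subject that describes the final text.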
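Review bot: the sentence added in PATCH 4/6 tells the reader to enable TLS via `server-http-tls` but then places `cert-allowed-cn` in the `server-tls` subsection, so the two halves of the sentence name different subsections; PATCH 5/6 changes the second one to `server-http-tls`. Fold 5/6 into 4/6 so the option is never documented under the other subsection, and reword "setting the `cert-allowed-cn` setting" while doing so, since the word is doubled.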
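Review bot: the final paragraph in PATCH 6/6 does not say what happens when TLS is enabled through `server-http-tls` but `cert-allowed-cn` is left unset, so a reader cannot tell whether every client certificate is then accepted or none is. Add one sentence stating that behaviour, and state that the common name check depends on the client presenting a certificate that TiProxy verifies. The unchanged context above the section still shows only a plain-HTTP call (`curl http://127.0.0.1:3080/metrics/`); a second example that calls the API over `https://` with curl's `--cacert`, `--cert` and `--key` options would show what a permitted caller looks like. The closing sentence, "If TLS is not enabled, you can control access using firewall rules instead", should say which listener the rules need to cover (the examples use port 3080) and make explicit that firewall rules are then the only restriction the section describes. Style: the link text `[security]` lost the backticks it had in PATCH 5/6, while `server-http-tls` keeps them in the same sentence, and "verify component caller's identity" reads better as "verify the identity of the caller", as it was in PATCH 4/6.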