Add faq, intro, deploy, secure and reverse proxy for TiDB Dashboard #2737
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TomShawn
added
translation/from-docs-cn
ran-huang
reviewed
Jun 9, 2020
Co-authored-by: Ran <huangran@pingcap.com>
CaitinChen
reviewed
Jun 9, 2020
breezewish
reviewed
Jun 9, 2020
Co-authored-by: Caitin <34535727+CaitinChen@users.noreply.github.com>
Co-authored-by: Caitin <34535727+CaitinChen@users.noreply.github.com>
Contributor
Author
|
@CaitinChen @breeswish Thanks very much for your comments! PTAL again. |
5 tasks
ran-huang
reviewed
Jun 9, 2020
TomShawn
commented
Jun 9, 2020
Co-authored-by: Caitin <34535727+CaitinChen@users.noreply.github.com> Co-authored-by: Ran <huangran@pingcap.com>
TomShawn
commented
Jun 9, 2020
ran-huang
approved these changes
Jun 9, 2020
yikeke
approved these changes
Jun 10, 2020
Contributor
yikeke
left a comment
yikeke
left a comment
There was a problem hiding this comment.
dashboard/dashboard-ops-reverse-proxy.md LGTM
Contributor
|
/merge |
sre-bot
added
the
status/can-merge
Contributor
|
/run-all-tests |
sre-bot
pushed a commit
to sre-bot/docs
that referenced
this pull request
Jun 10, 2020
Signed-off-by: sre-bot <sre-bot@pingcap.com>
5 tasks
Contributor
|
cherry pick to release-4.0 in PR #2764 |
breezewish
reviewed
Jun 10, 2020
|
|
||
| - See [TiDB Dashboard Multi-PD Instance Deployment](/dashboard/dashboard-ops-deploy.md#) to learn the working principle of TiDB Dashboard with multiple PD instances. | ||
| - See [Use TiDB Dashboard through a Reverse Proxy](/dashboard/dashboard-ops-reverse-proxy.md) to learn how to correctly configure a reverse proxy. | ||
| - See [Improve TiDB Dashboard Security](/dashboard/dashboard-ops-security.md) to learn how to correctly configure the firewall. |
Contributor
Author
There was a problem hiding this comment.
I'll create another PR to address the comments.
|
|
||
| For security reasons, TiDB Dashboard on PD only monitors the IP addresses specified during deployment (that is, it only listens on one NIC), not on `0.0.0.0`. Therefore, when multiple NICs are installed on the host, you cannot access TiDB Dashboard using another NIC. | ||
|
|
||
| If you have deployed TiDB using the `tiup cluster` or `tiup playground` command, currently this problem cannot be solved. It is recommended that you use a reverse proxy to safely expose TiDB Dashboard to another NIC. For details, see [Use TiDB Dashboard through Reverse Proxy](/dashboard/dashboard-ops-reverse-proxy.md). |
Member
There was a problem hiding this comment.
Use TiDB Dashboard behind a Reverse Proxy
| > | ||
| > TiDB, TiKV, and other components need to communicate with the PD component through the PD client port, so do not block access to the internal network between components. Otherwise, the cluster will become unavailable. | ||
|
|
||
| + See [Use TiDB Dashboard through Reverse Proxy](/dashboard/dashboard-ops-reverse-proxy.md) to learn how to configure the reverse proxy to safely provide the TiDB Dashboard service on another port to the external network. |
Member
There was a problem hiding this comment.
Use TiDB Dashboard behind a Reverse Proxy
|
|
||
| As mentioned in [Use a firewall to block untrusted access](#use-a-firewall-to-block-untrusted access), the services provided under the PD client port include not only TiDB Dashboard (located at <http://IP:2379/dashboard/>), but also other privileged interfaces in PD (such as <http://IP:2379/pd/api/v1/members>). Therefore, when using a reverse proxy to provide TiDB Dashboard to the external network, ensure that the services **ONLY** with the `/dashboard` prefix are provided (**NOT** all services under the port) to avoid that the external network can access the privileged interface in PD through the reverse proxy. | ||
|
|
||
| It is recommended that you see [Use TiDB Dashboard through Reverse Proxy](/dashboard/dashboard-ops-reverse-proxy.md) to learn a safe and recommended reverse proxy configuration. |
Member
There was a problem hiding this comment.
Use TiDB Dashboard behind a Reverse Proxy
|
|
||
| - To learn how to access and log into the TiDB Dashboard UI, see [Access TiDB Dashboard](/dashboard/dashboard-access.md). | ||
|
|
||
| - To learn how to enhance the security of TiDB Dashboard, such as configuring a firewall, see [Improve TiDB Dashboard Security](/dashboard/dashboard-ops-security.md). |
|
|
||
| > **Warning:** | ||
| > | ||
| > You must keep the `/dashboard/` path in the `proxy_pass` directive to ensure that only the services under this path are reverse proxied. Otherwise, security risks will be introduced. See [Improve TiDB Dashboard Security](/dashboard/dashboard-ops-security.md). |
|
|
||
| > **Warning:** | ||
| > | ||
| > Keep the `/dashboard/` path in the `proxy_pass` directive to ensure that only the services under this path are reverse proxied. Otherwise, security risks will be introduced. See [Improve TiDB Dashboard Security](/dashboard/dashboard-ops-security.md). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is changed, added or deleted? (Required)
Which TiDB version(s) do your changes apply to? (Required)
If you select two or more versions from above, to trigger the bot to cherry-pick this PR to your desired release version branch(es), you must add corresponding labels such as needs-cherry-pick-4.0, needs-cherry-pick-3.1, needs-cherry-pick-3.0, and needs-cherry-pick-2.1.
What is the related PR or file link(s)?