From d3b671a62ebf5da6a05877ac816987dc6d3ecea0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 3 Oct 2025 09:39:16 +0200 Subject: [PATCH 1/6] tiproxy: info about API access restrictions --- tiproxy/tiproxy-api.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index ee05aea62ab25..14ece5e64a6d4 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md @@ -126,3 +126,10 @@ The output is as follows: ```bash curl http://127.0.0.1:3080/metrics/ ``` + +## Access control + +TiProxy API access can be restricted by enabling TLS via [`server-tls`](/tiproxy/tiproxy-configuration.md#server-tls). The common name in the client certificate is used to check access. + +If TLS is not used access can be controlled with firewall rules. + From 7a2a7daf857ddc1457f940d17b835ad0dfcc733c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 3 Oct 2025 09:45:04 +0200 Subject: [PATCH 2/6] Apply suggestion from @gemini-code-assist[bot] Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tiproxy/tiproxy-api.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index 14ece5e64a6d4..fafd835eb2d71 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md 
@@ -129,7 +129,5 @@ curl http://127.0.0.1:3080/metrics/ ## Access control -TiProxy API access can be restricted by enabling TLS via [`server-tls`](/tiproxy/tiproxy-configuration.md#server-tls). The common name in the client certificate is used to check access. - -If TLS is not used access can be controlled with firewall rules. +You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls). TiProxy then uses the common name in the client certificate to verify access. Alternatively, if you do not use TLS, you can control access using firewall rules. From 75f8cb50b3e03105a91a3b12fe3e4368c6feaac4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 3 Oct 2025 09:49:48 +0200 Subject: [PATCH 3/6] fixup --- tiproxy/tiproxy-api.md | 1 - 1 file changed, 1 deletion(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index fafd835eb2d71..a7ab861fb0063 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md @@ -130,4 +130,3 @@ curl http://127.0.0.1:3080/metrics/ ## Access control You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls). TiProxy then uses the common name in the client certificate to verify access. Alternatively, if you do not use TLS, you can control access using firewall rules. - From a9c33f188650b9b7423c2cc3851af4e9d0ed2efd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 7 Oct 2025 11:10:58 -0700 Subject: [PATCH 4/6] Update and extend --- tiproxy/tiproxy-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index a7ab861fb0063..632c28a2ff1e1 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md 
@@ -129,4 +129,4 @@ curl http://127.0.0.1:3080/metrics/ ## Access control -You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls). TiProxy then uses the common name in the client certificate to verify access. Alternatively, if you do not use TLS, you can control access using firewall rules. +You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and setting the `cert-allowed-cn` setting in the `server-tls` subsection that is part of the [`security`](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name in the client certificate to [verify the identity of the caller](/enable-tls-between-components.md#verify-component-callers-identity). Alternatively, if you do not use TLS, you can control access using firewall rules. From 45889f73aed9442ec825d4bb615cfd56bdf8ea0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Wed, 8 Oct 2025 15:04:27 +0200 Subject: [PATCH 5/6] Update tiproxy/tiproxy-api.md Co-authored-by: djshow832 --- tiproxy/tiproxy-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index 632c28a2ff1e1..ceb8d578e5877 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md 
@@ -129,4 +129,4 @@ curl http://127.0.0.1:3080/metrics/ ## Access control -You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and setting the `cert-allowed-cn` setting in the `server-tls` subsection that is part of the [`security`](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name in the client certificate to [verify the identity of the caller](/enable-tls-between-components.md#verify-component-callers-identity). Alternatively, if you do not use TLS, you can control access using firewall rules. +You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and setting the `cert-allowed-cn` setting in the `server-http-tls` subsection that is part of the [`security`](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name in the client certificate to [verify the identity of the caller](/enable-tls-between-components.md#verify-component-callers-identity). Alternatively, if you do not use TLS, you can control access using firewall rules. From 0bce2ee162b9c4cb210aab495b877d30f3e77c4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 13 Oct 2025 09:16:05 +0200 Subject: [PATCH 6/6] Update tiproxy/tiproxy-api.md Co-authored-by: xixirangrang --- tiproxy/tiproxy-api.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tiproxy/tiproxy-api.md b/tiproxy/tiproxy-api.md index ceb8d578e5877..8bc96ce0e8daa 100644 --- a/tiproxy/tiproxy-api.md +++ b/tiproxy/tiproxy-api.md 
@@ -129,4 +129,6 @@ curl http://127.0.0.1:3080/metrics/ ## Access control -You can restrict access to the TiProxy API by enabling TLS via [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and setting the `cert-allowed-cn` setting in the `server-http-tls` subsection that is part of the [`security`](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name in the client certificate to [verify the identity of the caller](/enable-tls-between-components.md#verify-component-callers-identity). Alternatively, if you do not use TLS, you can control access using firewall rules. +You can restrict access to the TiProxy API by enabling TLS through [`server-http-tls`](/tiproxy/tiproxy-configuration.md#server-http-tls) and configuring the `cert-allowed-cn` option in the `server-http-tls` subsection under the [security](/tiproxy/tiproxy-configuration.md#security) section. TiProxy then uses the common name (CN) in the client certificate to [verify component caller's identity](/enable-tls-between-components.md#verify-component-callers-identity). + +If TLS is not enabled, you can control access using firewall rules instead.
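Review bot: In [PATCH 1/6] and every later revision, the new "Access control" section sits directly after the `curl http://127.0.0.1:3080/metrics/` example, which uses plain HTTP, and nothing in the section shows how a caller reaches the API once TLS and a client certificate are required. Consider adding a companion request that uses `https://` together with curl's `--cacert`, `--cert` and `--key` options, so a reader can confirm that a certificate with an allowed CN is accepted and one without is rejected.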
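Review bot: In [PATCH 4/6], the sentence that introduces `cert-allowed-cn` does not say what happens when TLS is enabled but the option is left unset, and that is the case a reader most needs spelled out before relying on it for access control. Please state whether any client certificate signed by the configured CA is accepted in that case, and whether the option takes a single CN or a list. This revision also places `cert-allowed-cn` in the `server-tls` subsection while enabling TLS through `server-http-tls`. [PATCH 5/6] corrects that, so the two could be squashed before merge.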
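Review bot: In [PATCH 6/6], the closing paragraph "If TLS is not enabled, you can control access using firewall rules instead." presents firewall rules as an equivalent substitute, but they filter only by network source: the API stays unauthenticated and unencrypted for any host the rules allow. Suggest saying that explicitly so the trade-off is visible. Two smaller points on the same hunk: the `[security]` link text lost the backticks it had in the previous revision, and "verify component caller's identity" reads better as "verify the component caller's identity".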