Posted to commits@skywalking.apache.org by wu...@apache.org on 2018/04/02 01:57:49 UTC

[incubator-skywalking] 01/01: Provide document for TLS

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch document/advanced
in repository https://gitbox.apache.org/repos/asf/incubator-skywalking.git

commit 6f210830aa95f73afdc3a4e4773be2d7e7a71a31
Author: wu-sheng <wu...@foxmail.com>
AuthorDate: Mon Apr 2 09:57:19 2018 +0800

    Provide document for TLS
---
 docs/README.md           |  4 ++++
 docs/en/TLS.md           | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 docs/en/direct-uplink.md |  0
 3 files changed, 50 insertions(+)

diff --git a/docs/README.md b/docs/README.md
index 22e5489..4d48c5f 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -5,6 +5,10 @@
     * [Quick start](en/Quick-start.md)
     * [Supported middlewares, frameworks and libraries](Supported-list.md)
       * [How to disable plugins?](en/How-to-disable-plugin.md)
+  * Advanced Features
+    * [Direct uplink and disable naming discovery](en/direct-uplink.md)
+    * [Open TLS](en/TLS.md)
+    * Namespace Isolation
   * Application Toolkit
     * [Overview](en/Applicaton-toolkit.md)
     * [OpenTracing Tracer](en/Opentracing.md)
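Review bot: the new `Namespace Isolation` entry is the only item in the added "Advanced Features" group without a link, while its siblings point at `en/direct-uplink.md` and `en/TLS.md`; either link it to a page or mark it as pending so readers do not take it for a finished document. The `Direct uplink` link also targets `en/direct-uplink.md`, which this same commit adds as an empty file, so the entry currently leads to a blank page.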
diff --git a/docs/en/TLS.md b/docs/en/TLS.md
new file mode 100644
index 0000000..81400da
--- /dev/null
+++ b/docs/en/TLS.md
@@ -0,0 +1,46 @@
+# Support Transport Layer Security (TLS)
+Transport Layer Security (TLS) is a very common security way when transport data through Internet.
+In some use cases, end users report the background:
+
+> Target(under monitoring) applications are in a region, which also named VPC,
+at the same time, the SkyWalking backend is in another region (VPC).
+> 
+> Because of that, security requirement is very obvious.
+
+## Requirement
+Enable **direct uplink**, by following this [document](direct-uplink.md).
+
+Because of uplink through internet, with security concern, the naming mechanism didn't fit. 
+So we didn't support TLS in naming service of HTTP service.
+
+## Supported version
+5.0.0-beta +
+
+## Mutual Auth
+Only support **no mutual auth**.
+- Use this [script](../../tools/TLS/tls_key_generate.sh) if you are not familiar with how to generate key files.
+- Find `ca.srt`, and use it at client side
+- Find `server.crt` and `server.pem`. Use them at server side.
+
+## Open and config TLS
+
+### Agent config
+- Place `ca.srt` into `/ca` folder in agent package. Notice, `/ca` is not created in distribution, please create it by yourself.
+
+Agent open TLS automatically after the `/ca/ca.srt` file detected.
+
+### Collector config
+Module `agent_gRPC/gRPC` supports TLS. And only this module for now.
+
+- Uncomment the `ssl_cert_chain_file` and `ssl_private_key_file` settings in `application.yml`
+- `ssl_cert_chain_file` value is the absolute path of `server.crt`
+- `ssl_private_key_file` value is the absolute path of `server.pem`
+
+## Avoid port share
+In most cases, we recommend sharing port for all gRPC services in `agent_gRPC/gRPC` and `remote/gRPC` modules.
+But don't do this when you open TLS in `agent_gRPC/gRPC`, the obvious reason is you can't listen a port with and without TLS.
+
+The solution is, change the `remote/gRPC/port`.
+
+## How about other listening ports
+Please use other security ways to make sure can't access other ports out of region (VPC), such as firewall, proxy.
\ No newline at end of file
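Review bot: the CA file is named `ca.srt` three times (`Find ca.srt`, `Place ca.srt into /ca`, `/ca/ca.srt`) while the server files use the conventional `server.crt`/`server.pem`; since the text says the agent turns TLS on only after it detects `/ca/ca.srt`, a user who saves the CA as `ca.crt` will keep sending in plaintext without any error, so either confirm that `tools/TLS/tls_key_generate.sh` really writes `ca.srt` or rename it to `ca.crt` everywhere. The "Mutual Auth" section should also spell out the consequence of "Only support no mutual auth": the collector does not authenticate agents, so the network controls recommended under "How about other listening ports" (firewall, proxy) apply to the TLS port too. Minor: the second line of the block quote is missing its leading `>`, the "Requirement" paragraph should read "Because the uplink goes through the Internet, the naming mechanism does not fit, so TLS is not supported for the naming service of the HTTP service", and the file lacks a trailing newline.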
diff --git a/docs/en/direct-uplink.md b/docs/en/direct-uplink.md
new file mode 100644
index 0000000..e69de29
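Review bot: `docs/en/direct-uplink.md` is committed empty (`index 0000000..e69de29`, 0 insertions in the diffstat), yet both the new README entry and the "Requirement" section of `TLS.md` link to it as the prerequisite for enabling TLS; add the content or drop the links until the page exists.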
