Access


https://docs.victoriametrics.com/victorialogs/security-and-lb/
https://docs.victoriametrics.com/victorialogs/querying/
https://docs.victoriametrics.com/victorialogs/data-ingestion/
https://docs.victoriametrics.com/victoriametrics/vmauth/

1. Important Points

Access control for VictoriaLogs is best viewed as three layers:

network:
    expose it only on a private network
    never expose the ingest/query endpoints directly to the public internet

auth:
    the simplest option is Basic Auth
    the more robust option is vmauth as a single entry point
    mTLS is an option for enterprise deployments

surface separation:
    keep the ingest endpoint and the query/UI endpoint separate
    a common production setup exposes only vmauth to users and clients

The official guidance is to put vmauth in front of vlinsert and vlselect to handle authentication, routing and load balancing. On untrusted networks you can additionally disable the API each component should not expose:

on vlinsert:
    disable read API with -select.disable

on vlselect:
    disable write API with -insert.disable

2. UI Access

The usual entry point to the VictoriaLogs web UI is:

/select/vmui/

Typical ways to reach it:

direct:
    http://victorialogs.internal:9428/select/vmui/

behind vmauth:
    https://logs.example.com/select/vmui/

behind reverse proxy:
    https://logs.example.com/select/vmui/

With vmauth in front, the UI, queries and ingestion usually all enter through the same endpoint, and the request path plus the credentials decide what each client may do.

For a single node accessed directly, VictoriaLogs can also enforce Basic Auth by itself:

victoria-logs-prod \
  -httpAuth.username logs-admin \
  -httpAuth.password 'change-me'

3. Authentication Options

Basic Auth

A sensible starting point for most self-hosted deployments.

use when:
    small to medium self-hosted deployment
    one or a few client types
    you want simple user/password protection

vmauth

vmauth centralises authentication and routing: it sits behind an ingress / ALB / NLB / reverse proxy and fans requests out to the VictoriaLogs ingest / query components.

use when:
    you want one auth layer in front of many VictoriaMetrics-family endpoints
    you want path-based routing for UI/query/ingestion
    you want different clients to hit different backends

mTLS

This is the stronger form of authentication, but it normally requires the Enterprise binaries.

use when:
    you control client certificate lifecycle
    you need strong client identity
    you can operate cert rotation and expiry monitoring

4. Minimal vmauth Pattern

A common pattern is to expose only vmauth and never VictoriaLogs itself:

users:
  - username: logs-admin
    password: change-me
    url_map:
      - src_paths: ["/select/.*"]
        url_prefix:
          - http://victorialogs-internal:9428
      - src_paths: ["/insert/.*"]
        url_prefix:
          - http://victorialogs-internal:9428
notes:
    the above illustrates the idea and is not a complete production template
    production setups usually split further by path, user and backend
    if a user should only query, do not route the insert path to that same user
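The note about not routing the insert path to a query-only user is easy to get wrong as the url_map grows. The following checker is an added example, not code from the VictoriaLogs or vmauth projects: it loads a vmauth config and flags accounts whose src_paths admit both /select and /insert, an unauthorized_user section that grants access without credentials, and placeholder passwords. The sample config, the account names grafana-reader and fluentbit-writer, the internal host names and the rule set are constructed for this illustration; the check relies on vmauth anchoring src_paths regexes at both ends, so fullmatch() mirrors what the proxy does with a request path. It goes slightly beyond the page by also covering unauthorized_user and weak passwords.

```python
"""Lint a vmauth config for the read/write separation described above.

Added example, not from the VictoriaLogs or vmauth projects. The sample
config, account names and rule set are constructed for this illustration.
"""
import json
import re
from typing import List, Sequence, Set

# Constructed sample config. JSON is valid YAML, so this text is also a
# loadable vmauth config file; a real file would be read with yaml.safe_load().
SAMPLE_VMAUTH_CONFIG = r"""
{
  "users": [
    {"username": "logs-admin", "password": "change-me",
     "url_map": [
       {"src_paths": ["/select/.*"], "url_prefix": ["http://victorialogs-internal:9428"]},
       {"src_paths": ["/insert/.*"], "url_prefix": ["http://victorialogs-internal:9428"]}
     ]},
    {"username": "grafana-reader", "password": "s3cr3t-read",
     "url_map": [
       {"src_paths": ["/select/.*"], "url_prefix": ["http://vlselect-internal:9471"]}
     ]},
    {"username": "fluentbit-writer", "password": "s3cr3t-write",
     "url_map": [
       {"src_paths": ["/insert/.*"], "url_prefix": ["http://vlinsert-internal:9481"]}
     ]}
  ]
}
"""

# Canonical request paths used to probe what each src_paths regex admits.
READ_PROBE = "/select/logsql/query"
WRITE_PROBE = "/insert/jsonline"
PLACEHOLDER_PASSWORDS = {"change-me", "password", "admin", ""}


def classify_src_path(src_path: str) -> Set[str]:
    """Return the scopes ('read', 'write') one src_paths regex admits.

    vmauth anchors src_paths regexes at both ends, so fullmatch() against a
    canonical read and write path mirrors the proxy's own routing decision.
    """
    pattern = re.compile(src_path)
    scopes = set()
    if pattern.fullmatch(READ_PROBE):
        scopes.add("read")
    if pattern.fullmatch(WRITE_PROBE):
        scopes.add("write")
    return scopes


def scopes_of(url_map: Sequence[dict]) -> Set[str]:
    """Union of the scopes admitted by every src_paths entry in a url_map."""
    scopes: Set[str] = set()
    for route in url_map:
        for src_path in route.get("src_paths", []):
            scopes |= classify_src_path(src_path)
    return scopes


def lint_vmauth(config_text: str, admin_users: Sequence[str] = ()) -> List[str]:
    """Return human-readable findings; an empty list means the config passes.

    Accounts listed in admin_users are allowed to hold both scopes on purpose.
    """
    findings: List[str] = []
    config = json.loads(config_text)

    # Anything under unauthorized_user is reachable without credentials at all.
    anonymous = config.get("unauthorized_user")
    if anonymous:
        granted = scopes_of(anonymous.get("url_map", []))
        findings.append(
            f"unauthorized_user: grants {', '.join(sorted(granted))} without credentials")

    for user in config.get("users", []):
        name = user.get("username", "<anonymous>")
        if user.get("password", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name}: placeholder or empty password")
        scopes = scopes_of(user.get("url_map", []))
        if not scopes:
            findings.append(f"{name}: url_map admits neither /select nor /insert paths")
        elif scopes == {"read", "write"} and name not in admin_users:
            findings.append(
                f"{name}: routes both /select and /insert; split into reader and writer accounts")
    return findings


if __name__ == "__main__":
    for finding in lint_vmauth(SAMPLE_VMAUTH_CONFIG) or ["config passes"]:
        print(finding)
```

Run against the sample, the only account flagged is logs-admin (placeholder password, and read plus write on one identity); pass admin_users=("logs-admin",) if that combined account is intentional and only the password finding remains.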

5. Verification

curl -u logs-admin:change-me \
  http://vmauth.internal:8427/select/vmui/

curl -u logs-admin:change-me \
  'http://vmauth.internal:8427/select/logsql/query?query=*'
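The two curl calls above only confirm that the admin account works. What the checklist actually needs verified is the negative cases: no credentials gets nothing, a reader cannot reach /insert, a writer cannot reach /select. The script below is an added example, not from the VictoriaLogs docs: it runs that access matrix against a vmauth entry point and reports a pass/fail per cell. The host vmauth.internal, the account names grafana-reader and fluentbit-writer and their passwords are assumptions; the probe function is injectable so the matrix logic can be exercised without a live proxy.

```python
"""Probe a vmauth entry point for the access separation the checklist asks for.

Added example, not from the VictoriaLogs docs. Host names, account names and
the allow/deny rules are assumptions for this illustration.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

Creds = Optional[Tuple[str, str]]
Probe = Callable[[str, str, Creds], int]


def http_status(base_url: str, path: str, creds: Creds, timeout: float = 5.0) -> int:
    """GET base_url+path, sending Basic Auth when creds is given; return the status code."""
    request = urllib.request.Request(base_url.rstrip("/") + path)
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        request.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/400/... are results for this probe, not failures


def expectation_met(status: int, rule: str) -> bool:
    """'allow' means a 2xx answer; 'deny' means anything else.

    The proxy chooses the exact refusal code (missing or wrong credentials and
    a path no url_map entry routes are refused differently), so 'deny' does
    not pin one code; the point is that no 2xx leaks through.
    """
    is_success = 200 <= status < 300
    return is_success if rule == "allow" else not is_success


def run_checks(base_url: str, reader: Tuple[str, str], writer: Tuple[str, str],
               probe: Probe = http_status) -> List[Tuple[str, str, int, bool]]:
    """Run the access matrix; return (check name, rule, status, passed) rows."""
    query = "/select/logsql/query?query=*&limit=1"
    ingest = "/insert/jsonline"
    matrix = [
        ("anonymous-ui", "/select/vmui/", None, "deny"),
        ("anonymous-ingest", ingest, None, "deny"),
        ("reader-query", query, reader, "allow"),
        ("reader-ingest", ingest, reader, "deny"),
        ("writer-query", query, writer, "deny"),
    ]
    results = []
    for name, path, creds, rule in matrix:
        status = probe(base_url, path, creds)
        results.append((name, rule, status, expectation_met(status, rule)))
    return results


if __name__ == "__main__":
    import sys

    rows = run_checks("http://vmauth.internal:8427",
                      reader=("grafana-reader", "s3cr3t-read"),
                      writer=("fluentbit-writer", "s3cr3t-write"))
    for name, rule, status, ok in rows:
        print(f"{'PASS' if ok else 'FAIL'} {name:18} expected {rule:5} got {status}")
    sys.exit(0 if all(row[3] for row in rows) else 1)
```

A non-zero exit makes the script usable as a post-deploy gate; a FAIL on reader-ingest or writer-query means the url_map still routes both paths to one account.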

6. Access Checklist

1. VictoriaLogs is never exposed directly to the public internet
2. UI / query / ingest go through the same controlled entry point, or the same set of controlled entry points
3. At least one of Basic Auth or vmauth is in place
4. On an untrusted network, TLS is added on top
5. The ingest side and the query side do not hand the same group of people undifferentiated permissions
6. Audit logs are kept, so you can trace who queried and who wrote