TLS


https://docs.victoriametrics.com/victorialogs/security-and-lb/
https://docs.victoriametrics.com/victorialogs/cluster/
https://docs.victoriametrics.com/victorialogs/data-ingestion/
https://docs.victoriametrics.com/vmauth/

1. Important Points

The TLS goals for VictoriaLogs are straightforward:

inbound:
    connections from clients to VictoriaLogs or vmauth must be encrypted

auth:
    TLS handles link encryption
    Basic Auth / mTLS handles identity

production:
    use CA verification and hostname verification
    do not turn certificate verification off

The official security docs say:

use private network where possible
protect exposed components with Basic Auth + TLS or mTLS
disable read API on insert nodes when appropriate
disable write API on query nodes when appropriate

2. Server Configuration

The usual way to start a single-node VictoriaLogs with TLS:

victoria-logs \
  -httpListenAddr=:9428 \
  -tls \
  -tlsCertFile=/etc/victorialogs/tls/server.crt \
  -tlsKeyFile=/etc/victorialogs/tls/server.key

If you need mTLS:

victoria-logs \
  -httpListenAddr=:9428 \
  -tls \
  -tlsCertFile=/etc/victorialogs/tls/server.crt \
  -tlsKeyFile=/etc/victorialogs/tls/server.key \
  -mtls \
  -mtlsCAFile=/etc/victorialogs/tls/client-ca.crt

important:
    mTLS requires Enterprise binaries for VictoriaLogs / vlagent
    certificate files should live outside the image and be mounted at runtime

Recommended file layout:

/etc/victorialogs/tls/
    server.crt
    server.key
    ca.crt
    client-ca.crt

permissions:
    server.key should be readable only by the service account
    cert and CA files should not be world-writable

3. Client Configuration / Verify

Basic TLS verification:

curl --cacert /etc/ssl/company-ca.pem \
  https://victorialogs.example.com/health

Query UI:

curl --cacert /etc/ssl/company-ca.pem \
  https://victorialogs.example.com/select/vmui/

With Basic Auth:

curl --cacert /etc/ssl/company-ca.pem \
  -u logs-admin:change-me \
  'https://victorialogs.example.com/select/logsql/query?query=*'

4. Java

// Use a JVM truststore that contains your CA.
// Keep hostname verification on.

5. Python

import requests

resp = requests.get(
    "https://victorialogs.example.com/select/logsql/query",
    params={"query": "*"},
    verify="/etc/ssl/company-ca.pem",
    timeout=5,
)
resp.raise_for_status()
print(resp.text)

6. Go

// Build a tls.Config with RootCAs and ServerName.
// Do not set InsecureSkipVerify in production.
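An added example (not from this page or the VictoriaMetrics project) that does what the two comments above describe: a client with RootCAs and ServerName set and InsecureSkipVerify left false, exercised against a constructed in-process HTTPS server standing in for VictoriaLogs. The fixture, the function names and the hostnames are assumptions; the second call shows why an explicit ServerName matters when the dial address (an IP or load balancer) differs from the name on the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// healthCheck is the client shape the Go section asks for: a pinned root pool and an explicit
// ServerName, with InsecureSkipVerify left at its zero value so CA and hostname checks stay on.
func healthCheck(roots *x509.CertPool, serverName, baseURL string) error {
	cfg := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(baseURL + "/health") // nil only if the cert verified and /health answered
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// fixtureServer is a constructed stand-in for VictoriaLogs (assumption, not the real binary): an
// in-process HTTPS server with a self-signed cert valid only for host, plus the pool trusting it.
func fixtureServer(host string) (*httptest.Server, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // a nil key makes CreateCertificate fail below
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "OK") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	srv.StartTLS()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust exactly this server's certificate and nothing else
	return srv, pool
}

func main() {
	srv, pool := fixtureServer("victorialogs.example.com")
	defer srv.Close()
	fmt.Println("matching ServerName:", healthCheck(pool, "victorialogs.example.com", srv.URL))
	fmt.Println("wrong ServerName:", healthCheck(pool, "other.example.com", srv.URL))
}
```

The first call succeeds; the second fails with an x509 hostname error even though the CA is trusted, and an empty root pool fails with an unknown-authority error.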

7. Node.js

import fs from "node:fs";
import https from "node:https";

const req = https.request({
  hostname: "victorialogs.example.com",
  path: "/select/logsql/query?query=*",
  method: "GET",
  ca: fs.readFileSync("/etc/ssl/company-ca.pem"), // private CA; hostname check stays on by default
  rejectUnauthorized: true
}, (res) => {
  res.setEncoding("utf8");
  res.on("data", (chunk) => process.stdout.write(chunk));
});

req.on("error", (err) => console.error("request failed:", err.message)); // TLS failures surface here
req.end(); // nothing is sent until end() is called