skywalking-commits mailing list archives

Subject [incubator-skywalking] 01/01: Provide document for TLS
Date Mon, 02 Apr 2018 01:57:49 GMT
This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch document/advanced
in repository

commit 6f210830aa95f73afdc3a4e4773be2d7e7a71a31
Author: wu-sheng <>
AuthorDate: Mon Apr 2 09:57:19 2018 +0800

    Provide document for TLS
 docs/           |  4 ++++
 docs/en/           | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 docs/en/ |  0
 3 files changed, 50 insertions(+)

diff --git a/docs/ b/docs/
index 22e5489..4d48c5f 100644
--- a/docs/
+++ b/docs/
@@ -5,6 +5,10 @@
     * [Quick start](en/
     * [Supported middlewares, frameworks and libraries](
       * [How to disable plugins?](en/
+  * Advanced Features
+    * [Direct uplink and disable naming discovery](en/
+    * [Open TLS](en/
+    * Namespace Isolation
   * Application Toolkit
     * [Overview](en/
     * [OpenTracing Tracer](en/
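Review bot: The new `Namespace Isolation` entry under "Advanced Features" is the only one of the three added items without a link, so readers reach a dead end in the index. Either link it to its document the way the "Direct uplink" and "Open TLS" entries are linked, or leave the entry out until that document has content.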
diff --git a/docs/en/ b/docs/en/
new file mode 100644
index 0000000..81400da
--- /dev/null
+++ b/docs/en/
@@ -0,0 +1,46 @@
+# Support Transport Layer Security (TLS)
+Transport Layer Security (TLS) is a very common security way when transport data through
+In some use cases, end users report the background:
+> Target(under monitoring) applications are in a region, which also named VPC,
+at the same time, the SkyWalking backend is in another region (VPC).
+> Because of that, security requirement is very obvious.
+## Requirement
+Enable **direct uplink**, by following this [document](
+Because of uplink through internet, with security concern, the naming mechanism didn't fit.

+So we didn't support TLS in naming service of HTTP service.
+## Supported version
+5.0.0-beta +
+## Mutual Auth
+Only support **no mutual auth**.
+- Use this [script](../../tools/TLS/ if you are not familiar with how
to generate key files.
+- Find ``, and use it at client side
+- Find `server.crt` and `server.pem`. Use them at server side.
+## Open and config TLS
+### Agent config
+- Place `` into `/ca` folder in agent package. Notice, `/ca` is not created in distribution,
please create it by yourself.
+Agent open TLS automatically after the `/ca/` file detected.
+### Collector config
+Module `agent_gRPC/gRPC` supports TLS. And only this module for now.
+- Uncomment the `ssl_cert_chain_file` and `ssl_private_key_file` settings in `application.yml`
+- `ssl_cert_chain_file` value is the absolute path of `server.crt`
+- `ssl_private_key_file` value is the absolute path of `server.pem`
+## Avoid port share
+In most cases, we recommend sharing port for all gRPC services in `agent_gRPC/gRPC` and `remote/gRPC`
+But don't do this when you open TLS in `agent_gRPC/gRPC`, the obvious reason is you can't
listen a port with and without TLS.
+The solution is, change the `remote/gRPC/port`.
+## How about other listening ports
+Please use other security ways to make sure can't access other ports out of region (VPC),
such as firewall, proxy.
\ No newline at end of file
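Review bot: The "Mutual Auth" section states "Only support **no mutual auth**" but never says what that leaves unauthenticated. With server-only TLS the agent verifies the collector and the collector does not verify the agent, so any client that can reach the `agent_gRPC/gRPC` port can still connect. State that explicitly in this section and point to the firewall/proxy advice in "How about other listening ports" as applying to the TLS port as well. Since `server.pem` is the value of `ssl_private_key_file`, the "Collector config" steps should also say that the file must be readable only by the account running the collector. Smaller points: the sentence "So we didn't support TLS in naming service of HTTP service" does not say whether the naming service must be disabled or is merely unencrypted, and the file is missing its trailing newline.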
diff --git a/docs/en/ b/docs/en/
new file mode 100644
index 0000000..e69de29
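Review bot: This file is added with no content (blob `e69de29` is the empty blob), and the commit message mentions only the TLS document. If it is a placeholder for a document still to be written, say so in the commit message or add a one-line stub; otherwise drop it from this commit so the docs tree does not ship an empty page.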

To stop receiving notification emails like this one, please contact
