diff options
Diffstat (limited to 'web/server/README.md')
-rw-r--r-- | web/server/README.md | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/web/server/README.md b/web/server/README.md index 30cb0069..9f47cb8d 100644 --- a/web/server/README.md +++ b/web/server/README.md @@ -33,7 +33,7 @@ The ports to bind are controlled via `[web].bind to`, like this: ``` [web] default port = 19999 - bind to = 127.0.0.1=dashboard^SSL=optional 10.1.1.1:19998=management|netdata.conf hostname:19997=badges [::]:19996=streaming^SSL=force localhost:19995=registry *:http=dashboard unix:/tmp/netdata.sock + bind to = 127.0.0.1=dashboard^SSL=optional 10.1.1.1:19998=management|netdata.conf hostname:19997=badges [::]:19996=streaming^SSL=force localhost:19995=registry *:http=dashboard unix:/run/netdata/netdata.sock ``` Using the above, Netdata will bind to: @@ -44,7 +44,7 @@ Using the above, Netdata will bind to: - All IPv6 IPs at port 19996. Only metric streaming requests from other Netdata agents will be accepted on this port. Only encrypted streams will be allowed (i.e. slaves also need to be [configured for TLS](../../streaming). - All the IPs `localhost` resolves to (both IPv4 and IPv6 depending the resolved IPs) at port 19996. This port will only accept registry API requests. - All IPv4 and IPv6 IPs at port `http` as set in `/etc/services`. Only the UI (dashboard) and the read API will be accessible on this port. -- Unix domain socket `/tmp/netdata.sock`. All requests are serviceable on this socket. +- Unix domain socket `/run/netdata/netdata.sock`. All requests are serviceable on this socket. Note that in some OSs like Fedora, every service sees a different `/tmp`, so don't create a Unix socket under `/tmp`. `/run` or `/var/run` is suggested. The option `[web].default port` is used when an entries in `[web].bind to` do not specify a port. @@ -79,14 +79,14 @@ Both files must be readable by the `netdata` user. If either of these files do n For test purposes, you can generate self-signed certificates with the following command: ```bash -$ openssl req -newkey rsa:2048 -nodes -sha512 -x509 -days 365 -keyout key.pem -out cert.pem +openssl req -newkey rsa:2048 -nodes -sha512 -x509 -days 365 -keyout key.pem -out cert.pem ``` !!! note If you use 4096 bits for your key and the certificate, Netdata will need more CPU to process the communication. `rsa4096` can be up to 4 times slower than `rsa2048`, so we recommend using 2048 bits. You can verify the difference by running: ```sh -$ openssl speed rsa2048 rsa4096 +openssl speed rsa2048 rsa4096 ``` #### TLS/SSL enforcement @@ -98,11 +98,11 @@ When the certificates are defined and unless any other options are provided, a N To change this behavior, you need to modify the `bind to` setting in the `[web]` section of `netdata.conf`. At the end of each port definition, you can append `^SSL=force` or `^SSL=optional`. What happens with these settings differs, depending on whether the port is used for HTTP/S requests, or for streaming. -|SSL setting|HTTP requests|HTTPS requests|Unencrypted Streams|Encrypted Streams| +| SSL setting | HTTP requests|HTTPS requests|Unencrypted Streams|Encrypted Streams| |:---------:|:-----------:|:------------:|:-----------------:|:----------------| -|none|Redirected to HTTPS|Accepted|Accepted|Accepted| -|`force`|Redirected to HTTPS|Accepted|Denied|Accepted| -|`optional`|Accepted|Accepted|Accepted|Accepted| +| none | Redirected to HTTPS|Accepted|Accepted|Accepted| +| `force`| Redirected to HTTPS|Accepted|Denied|Accepted| +| `optional`| Accepted|Accepted|Accepted|Accepted| Example: |