| title | aliases | |
|---|---|---|
Use TiDB Dashboard behind a Reverse Proxy |
|
You can use a reverse proxy to safely expose the TiDB Dashboard service from the internal network to the external.
When multiple PD instances are deployed in the cluster, only one of the PD instances actually runs TiDB Dashboard. Therefore, you need to ensure that the upstream of the reverse proxy points to the correct address. For details of this mechanism, see Deployment with multiple PD instances.
When you use the TiUP tool for deployment, execute the following command to get the actual TiDB Dashboard address (replace CLUSTER_NAME with your cluster name):
{{< copyable "shell-regular" >}}
tiup cluster display CLUSTER_NAME --dashboardThe output is the actual TiDB Dashboard address. A sample is as follows:
http://192.168.0.123:2379/dashboard/Note:
This feature is available only in the later version of the
tiup clusterdeployment tool (v1.0.3 or later). You can upgradetiup clusterwith the following commands:{{< copyable "shell-regular" >}}
tiup update --self tiup update cluster --force
When you use NGINX as the reverse proxy, take the following steps:
-
Use reverse proxy for TiDB Dashboard on the
80port (for example). In the NGINX configuration file, add the following configuration:{{< copyable "" >}}
server { listen 80; location /dashboard/ { proxy_pass http://192.168.0.123:2379/dashboard/; } }
Configure the URL filled in
proxy_passto be the actual address of the TiDB Dashboard obtained in Step 1.Warning:
You must keep the
/dashboard/path in theproxy_passdirective to ensure that only the services under this path are reverse proxied. Otherwise, security risks will be introduced. See Secure TiDB Dashboard. -
Restart NGINX for the configuration to take effect.
-
Test whether the reverse proxy is effective: access the
/dashboard/address on the80port of the machine where NGINX is located (such ashttp://example.com/dashboard/) to access TiDB Dashboard.
TiDB Dashboard provides services by default in the /dashboard/ path, such as http://example.com/dashboard/, which is the case even for reverse proxies. To configure the reverse proxy to provide the TiDB Dashboard service with a non-default path, such as http://example.com/foo or http://example.com/, take the following steps.
Modify the public-path-prefix configuration item in the [dashboard] category of the PD configuration to specify the path prefix of the TiDB Dashboard service. After this item is modified, restart the PD instance for the modification to take effect.
For example, if the cluster is deployed using TiUP and you want the service to run on http://example.com/foo, you can specify the following configuration:
{{< copyable "" >}}
server_configs:
pd:
dashboard.public-path-prefix: /fooIf you are deploying a new cluster, you can add the configuration above to the topology.yaml TiUP topology file and deploy the cluster. For specific instruction, see TiUP deployment document.
For a deployed cluster:
-
Open the configuration file of the cluster in the edit mode (replace
CLUSTER_NAMEwith the cluster name).{{< copyable "shell-regular" >}}
tiup cluster edit-config CLUSTER_NAME
-
Modify or add configuration items under the
pdconfiguration ofserver_configs. If noserver_configsexists, add it at the top level:{{< copyable "" >}}
monitored: ... server_configs: tidb: ... tikv: ... pd: dashboard.public-path-prefix: /foo ...
The configuration file after the modification is similar to the following file:
{{< copyable "" >}}
monitored: ... server_configs: tidb: ... tikv: ... pd: dashboard.public-path-prefix: /foo ...
Or
{{< copyable "" >}}
monitored: ... server_configs: tidb: ... tikv: ... pd: dashboard.public-path-prefix: /foo
-
Perform a rolling restart to all PD instances for the modified configuration to take effect (replace
CLUSTER_NAMEwith your cluster name):{{< copyable "shell-regular" >}}
tiup cluster reload CLUSTER_NAME -R pd
See Common TiUP Operations - Modify the configuration for details.
If you want that the TiDB Dashboard service is run in the root path (such as http://example.com/), use the following configuration:
{{< copyable "" >}}
server_configs:
pd:
dashboard.public-path-prefix: /Warning:
After the modified and customized path prefix takes effect, you cannot directly access TiDB Dashboard. You can only access TiDB Dashboard through a reverse proxy that matches the path prefix.
Taking http://example.com/foo as an example, the corresponding NGINX configuration is as follows:
{{< copyable "" >}}
server {
listen 80;
location /foo/ {
proxy_pass http://192.168.0.123:2379/dashboard/;
}
}Warning:
Keep the
/dashboard/path in theproxy_passdirective to ensure that only the services under this path are reverse proxied. Otherwise, security risks will be introduced. See Secure TiDB Dashboard.
Change http://192.168.0.123:2379/dashboard/ in the configuration to the actual address of the TiDB Dashboard obtained in Step 1: Get the actual TiDB Dashboard address.
If you want that the TiDB Dashboard service is run in the root path (such as http://example.com/), use the following configuration:
{{< copyable "" >}}
server {
listen 80;
location / {
proxy_pass http://192.168.0.123:2379/dashboard/;
}
}Modify the configuration and restart NGINX for the modified configuration to take effect.