Update log shipper docs to ensure that no public access is granted#930
Update log shipper docs to ensure that no public access is granted#930jsierles wants to merge 2 commits into
Conversation
|
Should we mention that if they want only 1 machines, then use the Related: this user PR for apps that do have 2 machines #820 |
|
Yes, actually this may be a related issue. The shipper can operate in HA mode by setting a |
|
#820 mentioned above was merged. this added info about QUEUE env var to the docs |
|
@jsierles Should we still ship this docs change or did it get fixed in flyctl? |
|
Thanks for this, and sorry it sat so long! The file moved since, so I've re-applied the fix (remove the public services section, deploy with |
* Secure log shipper docs: no public services or IPs The log shipper guide told users to keep a [[services]] section on port 8686, which exposed Vector's unauthenticated GraphQL API publicly (reported at community.fly.io/t/14836). Vector pulls logs from the internal stream and needs no inbound access, so remove the service section and deploy with --no-public-ips. Also note how to release IPs on already-exposed deployments. Supersedes #930. * Match http_service section name to what fly launch generates * Add Datadog to Vale vocabulary * Add health check section for the Log Shipper
A customer pointed out that our log shipper could expose its GraphQL API. We want standard shipper deployments to have no services nor IPs.
Note:
--no-public-ipsfails when an HTTP service is setup by default byfly launch.