Ansible 部署方案（强烈推荐） 离线 Ansible 部署方案 Docker 部署方案 Docker Compose 部署方案 跨机房部署方案 配置集群 参数解释 TiDB 配置项解释 开启 TLS 验证 生成自签名证书 监控集群 整体监控框架概述 重要监控指标详解 组件状态 API & 监控 扩容缩容 集群扩容缩容方案 使用 Ansible 扩容缩容 升级 升级组件版本 TiDB 2.0 升级操作指南 Compose 部署方案 跨机房部署方案 配置集群 参数解释 README - 8 - 本文档使用 书栈(BookStack.CN) 构建 TiDB 配置项解释 使用 Ansible 变更组件配置 开启 TLS 验证 生成自签名证书 监控集群 整体监控框架概述 重要监控指标详解 组件状态 API & 监控 扩容缩容 集群扩容缩容方案 使用 Ansible 扩容缩容 升级 升级组件版本 TiDB 2.0 升级操作指南 keepalive 默认: false PEM 格式的 SSL 证书文件路径 默认: “” 当同时设置了该选项和 --ssl-key 选项时，TiDB 将接受（但不强制）客户端使用 TLS 安全地连接到 TiDB。 若指定的证书或私钥无效，则 TiDB 会照常启动，但无法接受安全连接。 PEM 格式的 SSL 证书密钥文件路径，即 --ssl-cert 所指定的证书的私钥 默认: “” 目前 TiDB

victim (often a guessable private IP address such as 127.0.0.1 or 192.168.1.1). Applications that use TLS are not vulnerable to this attack (because the browser will display certificate mismatch warnings that target site). 6.1. User’s guide 35Tornado Documentation, Release 6.5.1 Applications that cannot use TLS and rely on network-level access controls (for example, assuming that a server on 127.0.0.1 can only 6.2. Web framework 53Tornado Documentation, Release 6.5.1 Warning: Applications that do not use TLS may be vulnerable to DNS rebinding attacks. This attack is especially relevant to applications that

that use TLS are not vulnerable to this attack (because the browser will display certificate mismatch warnings that block automated access to the target site). Applications that cannot use TLS and rely parameter value is matched against host regular expressions. Warning Applications that do not use TLS may be vulnerable to DNS rebinding attacks. This attack is especially relevant to applications that HTTPServerRequest.cookies HTTPServerRequest.full_url() HTTPServerRequest.request_time() HTTPServerRequest.get_ssl_certificate() HTTPInputError HTTPOutputError HTTPServerConnectionDelegate HTTPServerConnectionDelegate

Spanner LVS(四层负载) DNS 网络控制面 LDC1 Spanner Spanner APP APP APP APP Keycenter HTTP1 TLS1.2 MMTP Mtls MQTT HTTP2 TLS1.3 QUIC 国密 硬件加速 安全合规 Spanner LVS(四层负载) DNS LDC2 Spanner Spanner APP APP APP APP 百万级每秒推送Spanner 2010 • 自研，网络设备白盒化 • 全面实践全网https 2012 • 首次全流量支撑双十一大促 2013 • 支持蚂蚁LDC架构，三地五中心容灾架构 • 全面上线SSL加速卡，提供软硬件一体加速方案 2015 • All in 无线，通信通道全面升级（MMTP，MTLS协议） 2016 • 安全防护能力提升，WAF，流量镜像 2018至 今 • 通信 压测 • 灰度蚂蚁金服SSL/TLS实践 合规 性能 安全软硬件一体解决方案 Intel QAT Cavium Nitrox软硬件一体解决方案 SSL握手性能 提升3倍 • 对Spanner实现了异步化改造 • 对openssl进行了异步化引擎改造 • 实现多芯片卡的负载均衡协议实现的改造-MTLS MTLS：1) 轻量级TLS库，小于50k；2) 优化的TLS协议 0-RTT •

•网络编程接口 •链接管理 •事件机制 •Metrics 收集 •TCP 代理 •TLS 支持 •TProxy 支持 •平滑 reload •平滑版本升级 多协议 •SOFA RPC •HTTP 1.x (待优化) •HTTP 2 (待优化) •Dubbo (研发中) •HSF (研发中) •On TLS 核心路由 •支持 virtual host 路由 •支持 headers/url/prefix 11 指标\软件 SOFAMosn Envoy QPS峰值 18000 N/A RT(avg) 12.354ms N/A MEM 100m N/A CPU 100% N/AGolang TLS单核性能测试 12 Ø环境 ü CPU： Intel(R) Xeon(R) CPU E5-2430 0 @ 2.20GHz ü 内存： 1.5G Ø软件 ü Nginx-1.13.8 with Case2 ü 证书：ECC p256 ü Cipher： ECDHE-ECDSA-AES256-GCM-SHA384 Ø命令 ü ab -f TLS1.2 -Z $cipher -c 100 -n 200000 https://$ipGolang TLS单核性能测试 13Golang 单核加解密性能分析 14 ØGolang 对 RSA 上没有优化，并且暂无优化计划 ØGolang 对 p256

and RDP5.1 use Standard RDP Security. VRDP server supports Enhanced RDP Security with TLS protocol and, as a part of TLS handshake, sends the server certificate to the client. The Security/Method VRDE property Enhanced (TLS) and Standard RDP Security connections are al- lowed. The security method is negotiated with the client. This is the default setting. • RDP - only Standard RDP Security is accepted. • TLS - only only Enhanced RDP Security is accepted. The client must support TLS. 102 7 Remote virtual machines For example the following command allows a client to use either Standard or Enhanced RDP Security connection:

RDP5.1 use Standard RDP Security. The VRDP server supports Enhanced RDP Security with TLS protocol and, as a part of TLS handshake, sends the server certificate to the client. The Security/Method VRDE property Enhanced (TLS) and Standard RDP Security connections are al- lowed. The security method is negotiated with the client. This is the default setting. • RDP - only Standard RDP Security is accepted. • TLS - only only Enhanced RDP Security is accepted. The client must support TLS. For example the following command allows a client to use either Standard or Enhanced RDP Security connection: vboxmanage modifyvm "VM

RDP5.1 use Standard RDP Security. The VRDP server supports Enhanced RDP Security with TLS protocol and, as a part of TLS handshake, sends the server certificate to the client. The Security/Method VRDE property Enhanced (TLS) and Standard RDP Security connections are al- lowed. The security method is negotiated with the client. This is the default setting. • RDP - only Standard RDP Security is accepted. • TLS - only only Enhanced RDP Security is accepted. The client must support TLS. For example the following command allows a client to use either Standard or Enhanced RDP Security connection: vboxmanage modifyvm "VM

RDP5.1 use Standard RDP Security. The VRDP server supports Enhanced RDP Security with TLS protocol and, as a part of TLS handshake, sends the server certificate to the client. The Security/Method VRDE property Enhanced (TLS) and Standard RDP Security connections are al- lowed. The security method is negotiated with the client. This is the default setting. • RDP - only Standard RDP Security is accepted. • TLS - only only Enhanced RDP Security is accepted. The client must support TLS. 106 7 Remote virtual machines For example the following command allows a client to use either Standard or Enhanced RDP Security connection:

RDP5.1 use Standard RDP Security. The VRDP server supports Enhanced RDP Security with TLS protocol and, as a part of TLS handshake, sends the server certificate to the client. The Security/Method VRDE property Enhanced (TLS) and Standard RDP Security connections are al- lowed. The security method is negotiated with the client. This is the default setting. • RDP - only Standard RDP Security is accepted. • TLS - only only Enhanced RDP Security is accepted. The client must support TLS. For example the following command allows a client to use either Standard or Enhanced RDP Security connection: vboxmanage modifyvm "VM