src/docs/user/cluster/cluster_repositories.diviner
Before responding to a read, replicas make sure their version of the repository | Before responding to a read, replicas make sure their version of the repository | ||||
is up to date (no node in the cluster has a newer version of the repository). | is up to date (no node in the cluster has a newer version of the repository). | ||||
If it isn't, they block the read until they can complete a fetch. | If it isn't, they block the read until they can complete a fetch. | ||||
Before responding to a write, replicas obtain a global lock, perform the same | Before responding to a write, replicas obtain a global lock, perform the same | ||||
version check and fetch if necessary, then allow the write to continue. | version check and fetch if necessary, then allow the write to continue. | ||||
HTTP vs HTTPS | |||||
============= | |||||
Intracluster requests (from the daemons to repository servers, or from | |||||
webservers to repository servers) are permitted to use HTTP, even if you have | |||||
set `security.require-https` in your configuration. | |||||
It is common to terminate SSL at a load balancer and use plain HTTP beyond | |||||
that, and the `security.require-https` feature is primarily focused on making | |||||
client browser behavior more convenient for users, so it does not apply to | |||||
intracluster traffic. | |||||
Using HTTP within the cluster leaves you vulnerable to attackers who can | |||||
observe traffic within a datacenter, or observe traffic between datacenters. | |||||
This is normally very difficult, but within reach for state-level adversaries | |||||
like the NSA. | |||||
If you are concerned about these attackers, you can terminate HTTPS on | |||||
repository hosts and bind to them with the "https" protocol. Just be aware that | |||||
the `security.require-https` setting won't prevent you from making | |||||
configuration mistakes, as it doesn't cover intracluster traffic. | |||||
Other mitigations are possible, but securing a network against the NSA and | |||||
similar agents of other rogue nations is beyond the scope of this document. | |||||
Backups | Backups | ||||
====== | ====== | ||||
Even if you configure clustering, you should still consider retaining separate | Even if you configure clustering, you should still consider retaining separate | ||||
backup snapshots. Replicas protect you from data loss if you lose a host, but | backup snapshots. Replicas protect you from data loss if you lose a host, but | ||||
they do not let you rewind time to recover from data mutation mistakes. | they do not let you rewind time to recover from data mutation mistakes. | ||||
If something issues a `--force` push that destroys branch heads, the mutation | If something issues a `--force` push that destroys branch heads, the mutation | ||||
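Review bot: The threat model in the new "HTTP vs HTTPS" section is too narrow where it says observing intracluster traffic "is normally very difficult, but within reach for state-level adversaries like the NSA"; plaintext HTTP between daemons, webservers and repository hosts is readable by anyone with a position on that network path, including an attacker who has compromised another host on the same segment or a misconfigured or shared network, not only nation-state actors, so the paragraph should say so rather than letting readers conclude the risk is irrelevant to them. Relatedly, since the section itself states that `security.require-https` "won't prevent you from making configuration mistakes, as it doesn't cover intracluster traffic", it should tell operators how to verify the mitigation they are being offered, i.e. confirm that every repository host binding actually uses the "https" protocol (and that the daemons and webservers trust the certificate it presents), because nothing in the software will flag a stray "http" binding for them. As a style point, "the NSA and similar agents of other rogue nations" is a political aside that reads oddly in a security reference; "state-level adversaries", which the text already uses two paragraphs earlier, would keep the document neutral.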