Connection settings: update per review

andreyaksenov · andreyaksenov · commit 766f226591f3 · 2024-01-18T17:40:53.000+03:00
diff --git a/doc/concepts/configuration/configuration_connections.rst b/doc/concepts/configuration/configuration_connections.rst
@@ -72,7 +72,7 @@ In this case, this port is used for all IP addresses the server listens on.
 SSL parameters
 ~~~~~~~~~~~~~~
 
-You can enable :ref:`traffic encryption <configuration_connections_ssl>` for a connection using the ``params`` section of the specified URI:
+In the Enterprise Edition, you can enable :ref:`traffic encryption <configuration_connections_ssl>` for a connection using the ``params`` section of the specified URI:
 
 ..  literalinclude:: /code_snippets/snippets/replication/instances.enabled/ssl_without_ca/config.yaml
     :language: yaml
@@ -102,15 +102,17 @@ For local development, you can enable communication between cluster members by u
 Advertise settings
 ------------------
 
-Advertise settings (:ref:`iproto.advertise.* <configuration_reference_iproto_advertise>`) let other cluster members or clients know how to connect to the current Tarantool instance.
-These settings might include the credentials required to connect to this instance, a URI used to listen for incoming requests, and SSL settings.
+Advertise settings (:ref:`iproto.advertise.* <configuration_reference_iproto_advertise>`) let other cluster members or clients know how to connect to the current Tarantool instance:
 
-If an advertise URI is not specified explicitly, a :ref:`listen URI <configuration_connections_listen_uri>` of this instance is used.
-In this case, you need at least to specify credentials for connecting to this instance.
+-   ``iproto.advertise.peer`` specifies how to advertise the instance to other cluster members.
+-   ``iproto.advertise.sharding`` specifies how to advertise the instance to a router and rebalancer.
+-   ``iproto.advertise.client`` accepts a URI used to advertise the instance to clients.
+
+``iproto_advertise.<peer_or_sharding>`` might include the credentials required to connect to this instance, a URI used to listen for incoming requests, and SSL settings.
 
-..  NOTE::
+If ``iproto_advertise.<peer_or_sharding>.uri`` is not specified explicitly, a :ref:`listen URI <configuration_connections_listen_uri>` of this instance is used.
+In this case, you need at least to specify credentials for connecting to this instance.
 
-    If several listen URIs are specified, the first one is used as an advertise URI.
 
 .. _configuration_connections_advertise_credentials:
 
@@ -160,55 +162,9 @@ The ``iproto_advertise.<peer_or_sharding>.uri`` option can also accept an FQDN i
           peer:
             uri: 'server001.example.com:3301'
 
+To learn about the specifics of configuring an advertise URI’s SSL settings, see :ref:`configuration_connections_ssl_advertise_uri`.
 
-.. _configuration_connections_advertise_uri_ssl:
-
-SSL parameters
-~~~~~~~~~~~~~~
-
-:ref:`SSL parameters <configuration_connections_ssl>` for an advertise URI should be set only if this :ref:`advertise URI is specified explicitly <configuration_connections_advertise_explicitly>`.
-Otherwise, SSL parameters of a listen URI are used and no additional configuration is required.
-
-Configuring an advertise URI's SSL options depends on whether a trusted certificate authorities (CA) file is set or not.
-Without the CA file, you only need to set ``iproto_advertise.<peer_or_sharding>.params.transport`` to ``ssl`` as shown below:
-
-..  code-block:: yaml
-
-    instance001:
-      iproto:
-        listen:
-        - uri: '192.168.0.101:3301'
-          params:
-            transport: 'ssl'
-            ssl_cert_file: 'certs/server.crt'
-            ssl_key_file: 'certs/server.key'
-        advertise:
-          peer:
-            uri: 'server.example.com:3301'
-            params:
-              transport: 'ssl'
-
-
-If the CA file is specified for a listen URI, you also need to configure ``ssl_cert_file`` and ``ssl_key_file`` for this advertise URI:
-
-..  code-block:: yaml
 
-    instance001:
-      iproto:
-        listen:
-        - uri: '192.168.0.101:3301'
-          params:
-            transport: 'ssl'
-            ssl_ca_file: 'certs/root_ca.crt'
-            ssl_cert_file: 'certs/instance001/server001.crt'
-            ssl_key_file: 'certs/instance001/server001.key'
-        advertise:
-          peer:
-            uri: 'server001.example.com:3301'
-            params:
-              transport: 'ssl'
-              ssl_cert_file: 'certs/instance001/server001.crt'
-              ssl_key_file: 'certs/instance001/server001.key'
 
 
 .. _configuration_connections_ssl:
@@ -226,9 +182,6 @@ Securing connections with SSL
 Tarantool supports the use of SSL connections to encrypt client-server communications for increased security.
 To enable SSL, use the :ref:`<uri>.params.* <configuration_reference_iproto_uri_params>` options, which can be applied to both listen and advertise URIs.
 
-This section shows how to configure SSL settings for a listen URI.
-To learn about the specifics of configuring an advertise URI's SSL settings, see :ref:`SSL parameters <configuration_connections_advertise_uri_ssl>`.
-
 
 .. _configuration_connections_ssl_without_ca:
 
@@ -238,8 +191,8 @@ Without CA
 The example below demonstrates how to enable traffic encryption by using a self-signed server certificate.
 The following parameters are specified for each instance:
 
--   ``ssl_cert_file``: a path to an SSL certificate file.
--   ``ssl_key_file``: a path to a private SSL key file.
+-   :ref:`ssl_cert_file <configuration_reference_iproto_uri_params_ssl_cert_file>`: a path to an SSL certificate file.
+-   :ref:`ssl_key_file <configuration_reference_iproto_uri_params_ssl_key_file>`: a path to a private SSL key file.
 
 ..  literalinclude:: /code_snippets/snippets/replication/instances.enabled/ssl_without_ca/config.yaml
     :language: yaml
@@ -259,12 +212,12 @@ In this case, all replica set peers verify each other for authenticity.
 
 The following parameters are specified for each instance:
 
--   ``ssl_ca_file``: a path to a trusted certificate authorities (CA) file.
--   ``ssl_cert_file``: a path to an SSL certificate file.
--   ``ssl_key_file``: a path to a private SSL key file.
--   ``ssl_password`` (``instance001``): a password for an encrypted private SSL key.
--   ``ssl_password_file`` (``instance002`` and ``instance003``): a text file containing passwords for encrypted SSL keys.
--   ``ssl_ciphers``: a colon-separated list of SSL cipher suites the connection can use.
+-   :ref:`ssl_ca_file <configuration_reference_iproto_uri_params_ssl_ca_file>`: a path to a trusted certificate authorities (CA) file.
+-   :ref:`ssl_cert_file <configuration_reference_iproto_uri_params_ssl_cert_file>`: a path to an SSL certificate file.
+-   :ref:`ssl_key_file <configuration_reference_iproto_uri_params_ssl_key_file>`: a path to a private SSL key file.
+-   :ref:`ssl_password <configuration_reference_iproto_uri_params_ssl_password>` (``instance001``): a password for an encrypted private SSL key.
+-   :ref:`ssl_password_file <configuration_reference_iproto_uri_params_ssl_password_file>` (``instance002`` and ``instance003``): a text file containing passwords for encrypted SSL keys.
+-   :ref:`ssl_ciphers <configuration_reference_iproto_uri_params_ssl_ciphers>`: a colon-separated list of SSL cipher suites the connection can use.
 
 ..  literalinclude:: /code_snippets/snippets/replication/instances.enabled/ssl_with_ca/config.yaml
     :language: yaml
@@ -275,6 +228,56 @@ The following parameters are specified for each instance:
 You can find the full example here: `ssl_with_ca <https://github.com/tarantool/doc/tree/latest/doc/code_snippets/snippets/replication/instances.enabled/ssl_with_ca>`_.
 
 
+.. _configuration_connections_ssl_advertise_uri:
+
+Advertise URI specifics
+~~~~~~~~~~~~~~~~~~~~~~~
+
+SSL parameters for an advertise URI should be set only if this :ref:`advertise URI is specified explicitly <configuration_connections_advertise_explicitly>`.
+Otherwise, SSL parameters of a listen URI are used and no additional configuration is required.
+
+Configuring an advertise URI's SSL options depends on whether a trusted certificate authorities (CA) file is set or not.
+Without the CA file, you only need to set ``iproto_advertise.<peer_or_sharding>.params.transport`` to ``ssl`` as shown below:
+
+..  code-block:: yaml
+
+    instance001:
+      iproto:
+        listen:
+        - uri: '192.168.0.101:3301'
+          params:
+            transport: 'ssl'
+            ssl_cert_file: 'certs/server.crt'
+            ssl_key_file: 'certs/server.key'
+        advertise:
+          peer:
+            uri: 'server.example.com:3301'
+            params:
+              transport: 'ssl'
+
+
+If the CA file is specified for a listen URI, you also need to configure ``ssl_cert_file`` and ``ssl_key_file`` for this advertise URI:
+
+..  code-block:: yaml
+
+    instance001:
+      iproto:
+        listen:
+        - uri: '192.168.0.101:3301'
+          params:
+            transport: 'ssl'
+            ssl_ca_file: 'certs/root_ca.crt'
+            ssl_cert_file: 'certs/instance001/server001.crt'
+            ssl_key_file: 'certs/instance001/server001.key'
+        advertise:
+          peer:
+            uri: 'server001.example.com:3301'
+            params:
+              transport: 'ssl'
+              ssl_cert_file: 'certs/instance001/server001.crt'
+              ssl_key_file: 'certs/instance001/server001.key'
+
+
 
 .. _configuration_connections_ssl_reloading_certificates:
 
