Diffstat (limited to 'docs')
16 files changed, 256 insertions, 150 deletions
| diff --git a/docs/_static/images/uefi_secureboot_01.png b/docs/_static/images/uefi_secureboot_01.pngBinary files differ new file mode 100644 index 00000000..02ec56b0 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_01.png diff --git a/docs/_static/images/uefi_secureboot_02.png b/docs/_static/images/uefi_secureboot_02.pngBinary files differ new file mode 100644 index 00000000..336d654d --- /dev/null +++ b/docs/_static/images/uefi_secureboot_02.png diff --git a/docs/_static/images/uefi_secureboot_03.png b/docs/_static/images/uefi_secureboot_03.pngBinary files differ new file mode 100644 index 00000000..ff126842 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_03.png diff --git a/docs/_static/images/uefi_secureboot_04.png b/docs/_static/images/uefi_secureboot_04.pngBinary files differ new file mode 100644 index 00000000..90242299 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_04.png diff --git a/docs/_static/images/uefi_secureboot_05.png b/docs/_static/images/uefi_secureboot_05.pngBinary files differ new file mode 100644 index 00000000..b08cb946 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_05.png diff --git a/docs/_static/images/uefi_secureboot_06.png b/docs/_static/images/uefi_secureboot_06.pngBinary files differ new file mode 100644 index 00000000..784f0eed --- /dev/null +++ b/docs/_static/images/uefi_secureboot_06.png diff --git a/docs/_static/images/uefi_secureboot_07.png b/docs/_static/images/uefi_secureboot_07.pngBinary files differ new file mode 100644 index 00000000..6ff450b4 --- /dev/null +++ b/docs/_static/images/uefi_secureboot_07.png diff --git a/docs/cli.rst b/docs/cli.rst index 8169cbd5..65de0537 100644 --- a/docs/cli.rst +++ b/docs/cli.rst 
@@ -329,7 +329,7 @@ configured, changes are added through a collection of :cfgcmd:`set` and  Both these ``show`` commands should be executed when in operational  mode, they do not work directly in configuration mode. There is a -special way on how to :ref:`run_opmode_from_config_mode`. +special way on how to :ref:run_opmode_from_config_mode.  .. hint:: Use the ``show configuration commands | strip-private``     command when you want to hide private data. You may want to do so if @@ -528,7 +528,7 @@ mode using :cfgcmd:`show | commands`    set address dhcp    set hw-id 00:53:ad:44:3b:03 -These commands are also relative to the level you are inside and only  +These commands are also relative to the level you are inside and only  relevant configuration blocks will be displayed when entering a  sub-level. @@ -620,7 +620,7 @@ different levels in the hierarchy.     Use this command to preserve configuration changes upon reboot. By     default it is stored at */config/config.boot*. In the case you want     to store the configuration file somewhere else, you can add a local -   path, a SCP address, a FTP address or a TFTP address.  +   path, a SCP address, a FTP address or a TFTP address.     .. code-block:: none @@ -675,13 +675,13 @@ different levels in the hierarchy.     system will reboot into previous config revision.     .. code-block:: none -    +        vyos@router# set firewall interface eth0 local name FromWorld -      vyos@router# commit-confirm  +      vyos@router# commit-confirm        commit confirm will be automatically reboot in 10 minutes unless confirmed        Proceed? [confirm]y        [edit] -      vyos@router# confirm  +      vyos@router# confirm        [edit] @@ -703,8 +703,8 @@ different levels in the hierarchy.     .. code-block:: none -    -      vyos@router# show firewall name FromWorld  + +      vyos@router# show firewall name FromWorld         default-action drop         rule 10 {             action accept 
@@ -713,7 +713,7 @@ different levels in the hierarchy.             }         }        [edit] -      vyos@router# edit firewall name FromWorld  +      vyos@router# edit firewall name FromWorld        [edit firewall name FromWorld]        vyos@router# copy rule 10 to rule 20        [edit firewall name FromWorld] @@ -730,7 +730,7 @@ different levels in the hierarchy.     You can also rename config subtrees:     .. code-block:: none -    +        vyos@router# rename rule 10 to rule 5        [edit firewall name FromWorld]        vyos@router# commit @@ -741,8 +741,8 @@ different levels in the hierarchy.     with no parameters.     .. code-block:: none -    -      vyos@router# show  + +      vyos@router# show         default-action drop         rule 5 {             action accept @@ -791,11 +791,6 @@ different levels in the hierarchy.        firewall` command would return starting after the ``firewall        {`` line, hiding the comment. - - - -    -  .. _run_opmode_from_config_mode:  Access opmode from config mode @@ -1018,7 +1013,7 @@ to load it with the ``load`` command:    .. code-block:: none -     vyos@vyos# load  +     vyos@vyos# load       Possible completions:         <Enter>				        Load from system config file         <file>			        	Load from file on local machine @@ -1028,7 +1023,7 @@ to load it with the ``load`` command:         http://<host>/<file>			Load from file on remote machine         https://<host>/<file>			Load from file on remote machine         tftp://<host>/<file>			Load from file on remote machine -      +  Restore Default @@ -1051,4 +1046,3 @@ configuration too.  .. note:: If you are remotely connected, you will lose your connection.     You may want to copy first the config, edit it to ensure     connectivity, and load the edited config. - diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/haproxy.rst index 32be85c8..3ce59b35 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst 
+++ b/docs/configuration/loadbalancing/haproxy.rst @@ -1,11 +1,11 @@  ############# -Reverse-proxy +Haproxy  #############  .. include:: /_include/need_improvement.txt -VyOS reverse-proxy is balancer and proxy server that provides +Haproxy is a balancer and proxy server that provides  high-availability, load balancing and proxying for TCP (level 4)  and HTTP-based (level 7) applications. @@ -20,37 +20,37 @@ to be applied and specifies the real servers to be utilized.  Service  ------- -.. cfgcmd:: set load-balancing reverse-proxy service <name> listen-address +.. cfgcmd:: set load-balancing haproxy service <name> listen-address     <address>    Set service to bind on IP address, by default listen on any IPv4 and IPv6 -.. cfgcmd:: set load-balancing reverse-proxy service <name> port +.. cfgcmd:: set load-balancing haproxy service <name> port     <port>    Create service `<name>` to listen on <port> -.. cfgcmd:: set load-balancing reverse-proxy service <name> mode +.. cfgcmd:: set load-balancing haproxy service <name> mode     <tcp|http>    Configure service `<name>` mode TCP or HTTP -.. cfgcmd:: set load-balancing reverse-proxy service <name> backend +.. cfgcmd:: set load-balancing haproxy service <name> backend     <name>    Configure service `<name>` to use the backend <name> -.. cfgcmd:: set load-balancing reverse-proxy service <name> ssl +.. cfgcmd:: set load-balancing haproxy service <name> ssl     certificate <name>    Set SSL certificate <name> for service <name> -.. cfgcmd:: set load-balancing reverse-proxy service <name> +.. cfgcmd:: set load-balancing haproxy service <name>    http-response-headers <header-name> value <header-value>    Set custom HTTP headers to be included in all responses -.. cfgcmd:: set load-balancing reverse-proxy service <name> logging facility +.. cfgcmd:: set load-balancing haproxy service <name> logging facility    <facility> level <level>    Specify facility and level for logging. 
@@ -64,12 +64,12 @@ Rules allow to control and route incoming traffic to specific backend based  on predefined conditions. Rules allow to define matching criteria and  perform action accordingly. -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule>     domain-name <name>    Match domain name -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule>     ssl <sni>    SSL match Server Name Indication (SNI) option: @@ -79,7 +79,7 @@ perform action accordingly.        Indication -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule>     url-path <match> <url>    Allows to define URL path matching rules for a specific service. @@ -92,12 +92,12 @@ perform action accordingly.     * ``end`` Matches the end of the URL path.     * ``exact`` Requires an exactly match of the URL path -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule>     set backend <name>    Assign a specific backend to a rule -.. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> +.. cfgcmd:: set load-balancing haproxy service <name> rule <rule>     redirect-location <url>    Redirect URL to a new location @@ -106,7 +106,7 @@ perform action accordingly.  Backend  ------- -.. cfgcmd:: set load-balancing reverse-proxy backend <name> balance +.. cfgcmd:: set load-balancing haproxy backend <name> balance     <balance>    Load-balancing algorithms to be used for distributed requests among the 
@@ -120,54 +120,54 @@ Backend     * ``least-connection`` Distributes requests to the server with the fewest       active connections -.. cfgcmd:: set load-balancing reverse-proxy backend <name> mode +.. cfgcmd:: set load-balancing haproxy backend <name> mode     <mode>    Configure backend `<name>` mode TCP or HTTP -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server     <name> address <x.x.x.x>    Set the address of the backend server to which the incoming traffic will    be forwarded -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server     <name> port <port>    Set the address of the backend port -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server     <name> check    Active health check backend server -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server     <name> send-proxy    Send a Proxy Protocol version 1 header (text format) -.. cfgcmd:: set load-balancing reverse-proxy backend <name> server +.. cfgcmd:: set load-balancing haproxy backend <name> server     <name> send-proxy-v2    Send a Proxy Protocol version 2 header (binary format) -.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl +.. cfgcmd:: set load-balancing haproxy backend <name> ssl     ca-certificate <ca-certificate>    Configure requests to the backend server to use SSL encryption and    authenticate backend against <ca-certificate> -.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl no-verify +.. cfgcmd:: set load-balancing haproxy backend <name> ssl no-verify    Configure requests to the backend server to use SSL encryption without    validating server certificate -.. cfgcmd:: set load-balancing reverse-proxy backend <name> +.. 
cfgcmd:: set load-balancing haproxy backend <name>    http-response-headers <header-name> value <header-value>    Set custom HTTP headers to be included in all responses using the backend -.. cfgcmd:: set load-balancing reverse-proxy backend <name> logging facility +.. cfgcmd:: set load-balancing haproxy backend <name> logging facility    <facility> level <level>    Specify facility and level for logging. @@ -180,22 +180,22 @@ Global  Global parameters -.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections +.. cfgcmd:: set load-balancing haproxy global-parameters max-connections     <num>    Limit maximum number of connections -.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers +.. cfgcmd:: set load-balancing haproxy global-parameters ssl-bind-ciphers     <ciphers>    Limit allowed cipher algorithms used during SSL/TLS handshake -.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min +.. cfgcmd:: set load-balancing haproxy global-parameters tls-version-min     <version>    Specify the minimum required TLS version 1.2 or 1.3 -.. cfgcmd:: set load-balancing reverse-proxy global-parameters logging +.. cfgcmd:: set load-balancing haproxy global-parameters logging    facility <facility> level <level>    Specify facility and level for logging. 
@@ -212,22 +212,22 @@ HTTP checks  For web application providing information about their state HTTP health  checks can be used to determine their availability. -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check    Enables HTTP health checks using OPTION HTTP requests against '/' and    expecting a successful response code in the 200-399 range. -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check     method <method>    Sets the HTTP method to be used, can be either: option, get, post, put -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check     uri <path>    Sets the endpoint to be used for health checks -.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check +.. cfgcmd:: set load-balancing haproxy backend <name> http-check     expect <condition>    Sets the expected result condition for considering a server healthy. @@ -244,7 +244,7 @@ TCP checks  Health checks can also be configured for TCP mode backends. You can configure  protocol aware checks for a range of Layer 7 protocols: -.. cfgcmd:: set load-balancing reverse-proxy backend <name> health-check <protocol> +.. cfgcmd:: set load-balancing haproxy backend <name> health-check <protocol>    Available health check protocols:     * ``ldap`` LDAP protocol check. 
@@ -261,15 +261,15 @@ protocol aware checks for a range of Layer 7 protocols:  Redirect HTTP to HTTPS  ====================== -Configure the load-balancing reverse-proxy service for HTTP. +Configure the load-balancing haproxy service for HTTP.  This configuration listen on port 80 and redirect incoming  requests to HTTPS:  .. code-block:: none -    set load-balancing reverse-proxy service http port '80' -    set load-balancing reverse-proxy service http redirect-http-to-https +    set load-balancing haproxy service http port '80' +    set load-balancing haproxy service http redirect-http-to-https  The name of the service can be different, in this example it is only for   convenience. 
@@ -287,17 +287,17 @@ servers (srv01 and srv02) using the round-robin load-balancing algorithm.  .. code-block:: none -    set load-balancing reverse-proxy service my-tcp-api backend 'bk-01' -    set load-balancing reverse-proxy service my-tcp-api mode 'tcp' -    set load-balancing reverse-proxy service my-tcp-api port '8888' +    set load-balancing haproxy service my-tcp-api backend 'bk-01' +    set load-balancing haproxy service my-tcp-api mode 'tcp' +    set load-balancing haproxy service my-tcp-api port '8888' -    set load-balancing reverse-proxy backend bk-01 balance 'round-robin' -    set load-balancing reverse-proxy backend bk-01 mode 'tcp' +    set load-balancing haproxy backend bk-01 balance 'round-robin' +    set load-balancing haproxy backend bk-01 mode 'tcp' -    set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11' -    set load-balancing reverse-proxy backend bk-01 server srv01 port '8881' -    set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12' -    set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' +    set load-balancing haproxy backend bk-01 server srv01 address '192.0.2.11' +    set load-balancing haproxy backend bk-01 server srv01 port '8881' +    set load-balancing haproxy backend bk-01 server srv02 address '192.0.2.12' +    set load-balancing haproxy backend bk-01 server srv02 port '8882'  Balancing based on domain name 
@@ -315,23 +315,23 @@ to the backend ``bk-api-02``  .. code-block:: none -    set load-balancing reverse-proxy service http description 'bind app listen on 443 port' -    set load-balancing reverse-proxy service http mode 'tcp' -    set load-balancing reverse-proxy service http port '80' +    set load-balancing haproxy service http description 'bind app listen on 443 port' +    set load-balancing haproxy service http mode 'tcp' +    set load-balancing haproxy service http port '80' -    set load-balancing reverse-proxy service http rule 10 domain-name 'node1.example.com' -    set load-balancing reverse-proxy service http rule 10 set backend 'bk-api-01' -    set load-balancing reverse-proxy service http rule 20 domain-name 'node2.example.com' -    set load-balancing reverse-proxy service http rule 20 set backend 'bk-api-02' +    set load-balancing haproxy service http rule 10 domain-name 'node1.example.com' +    set load-balancing haproxy service http rule 10 set backend 'bk-api-01' +    set load-balancing haproxy service http rule 20 domain-name 'node2.example.com' +    set load-balancing haproxy service http rule 20 set backend 'bk-api-02' -    set load-balancing reverse-proxy backend bk-api-01 description 'My API-1' -    set load-balancing reverse-proxy backend bk-api-01 mode 'tcp' -    set load-balancing reverse-proxy backend bk-api-01 server api01 address '127.0.0.1' -    set load-balancing reverse-proxy backend bk-api-01 server api01 port '4431' -    set load-balancing reverse-proxy backend bk-api-02 description 'My API-2' -    set load-balancing reverse-proxy backend bk-api-02 mode 'tcp' -    set load-balancing reverse-proxy backend bk-api-02 server api01 address '127.0.0.2' -    set load-balancing reverse-proxy backend bk-api-02 server api01 port '4432' +    set load-balancing haproxy backend bk-api-01 description 'My API-1' +    set load-balancing haproxy backend bk-api-01 mode 'tcp' +    set load-balancing haproxy backend bk-api-01 server api01 address 
'127.0.0.1' +    set load-balancing haproxy backend bk-api-01 server api01 port '4431' +    set load-balancing haproxy backend bk-api-02 description 'My API-2' +    set load-balancing haproxy backend bk-api-02 mode 'tcp' +    set load-balancing haproxy backend bk-api-02 server api01 address '127.0.0.2' +    set load-balancing haproxy backend bk-api-02 server api01 port '4432'  Terminate SSL 
@@ -357,30 +357,30 @@ connection limit of 4000 and a minimum TLS version of 1.3.  .. code-block:: none -    set load-balancing reverse-proxy service http description 'Force redirect to HTTPS' -    set load-balancing reverse-proxy service http port '80' -    set load-balancing reverse-proxy service http redirect-http-to-https +    set load-balancing haproxy service http description 'Force redirect to HTTPS' +    set load-balancing haproxy service http port '80' +    set load-balancing haproxy service http redirect-http-to-https -    set load-balancing reverse-proxy service https backend 'bk-default' -    set load-balancing reverse-proxy service https description 'listen on 443 port' -    set load-balancing reverse-proxy service https mode 'http' -    set load-balancing reverse-proxy service https port '443' -    set load-balancing reverse-proxy service https ssl certificate 'cert' -    set load-balancing reverse-proxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000' +    set load-balancing haproxy service https backend 'bk-default' +    set load-balancing haproxy service https description 'listen on 443 port' +    set load-balancing haproxy service https mode 'http' +    set load-balancing haproxy service https port '443' +    set load-balancing haproxy service https ssl certificate 'cert' +    set load-balancing haproxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000' -    set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx' -    set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/' -    set load-balancing reverse-proxy service https rule 20 url-path end '/mail' -    set load-balancing reverse-proxy service https rule 20 url-path exact '/email/bar' -    set load-balancing reverse-proxy service https rule 20 set redirect-location '/postfix/' +    set load-balancing haproxy service https rule 10 url-path exact 
'/.well-known/xxx' +    set load-balancing haproxy service https rule 10 set redirect-location '/certs/' +    set load-balancing haproxy service https rule 20 url-path end '/mail' +    set load-balancing haproxy service https rule 20 url-path exact '/email/bar' +    set load-balancing haproxy service https rule 20 set redirect-location '/postfix/' -    set load-balancing reverse-proxy backend bk-default description 'Default backend' -    set load-balancing reverse-proxy backend bk-default mode 'http' -    set load-balancing reverse-proxy backend bk-default server sr01 address '192.0.2.23' -    set load-balancing reverse-proxy backend bk-default server sr01 port '80' +    set load-balancing haproxy backend bk-default description 'Default backend' +    set load-balancing haproxy backend bk-default mode 'http' +    set load-balancing haproxy backend bk-default server sr01 address '192.0.2.23' +    set load-balancing haproxy backend bk-default server sr01 port '80' -    set load-balancing reverse-proxy global-parameters max-connections '4000' -    set load-balancing reverse-proxy global-parameters tls-version-min '1.3' +    set load-balancing haproxy global-parameters max-connections '4000' +    set load-balancing haproxy global-parameters tls-version-min '1.3'  SSL Bridging 
@@ -402,17 +402,17 @@ and checks backend server has a valid certificate trusted by CA ``cacert``  .. code-block:: none -    set load-balancing reverse-proxy service https backend 'bk-bridge-ssl' -    set load-balancing reverse-proxy service https description 'listen on 443 port' -    set load-balancing reverse-proxy service https mode 'http' -    set load-balancing reverse-proxy service https port '443' -    set load-balancing reverse-proxy service https ssl certificate 'cert' +    set load-balancing haproxy service https backend 'bk-bridge-ssl' +    set load-balancing haproxy service https description 'listen on 443 port' +    set load-balancing haproxy service https mode 'http' +    set load-balancing haproxy service https port '443' +    set load-balancing haproxy service https ssl certificate 'cert' -    set load-balancing reverse-proxy backend bk-bridge-ssl description 'SSL backend' -    set load-balancing reverse-proxy backend bk-bridge-ssl mode 'http' -    set load-balancing reverse-proxy backend bk-bridge-ssl ssl ca-certificate 'cacert' -    set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 address '192.0.2.23' -    set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 port '443' +    set load-balancing haproxy backend bk-bridge-ssl description 'SSL backend' +    set load-balancing haproxy backend bk-bridge-ssl mode 'http' +    set load-balancing haproxy backend bk-bridge-ssl ssl ca-certificate 'cacert' +    set load-balancing haproxy backend bk-bridge-ssl server sr01 address '192.0.2.23' +    set load-balancing haproxy backend bk-bridge-ssl server sr01 port '443'  Balancing with HTTP health checks 
@@ -422,21 +422,21 @@ This configuration enables HTTP health checks on backend servers.  .. code-block:: none -    set load-balancing reverse-proxy service my-tcp-api backend 'bk-01' -    set load-balancing reverse-proxy service my-tcp-api mode 'tcp' -    set load-balancing reverse-proxy service my-tcp-api port '8888' +    set load-balancing haproxy service my-tcp-api backend 'bk-01' +    set load-balancing haproxy service my-tcp-api mode 'tcp' +    set load-balancing haproxy service my-tcp-api port '8888' -    set load-balancing reverse-proxy backend bk-01 balance 'round-robin' -    set load-balancing reverse-proxy backend bk-01 mode 'tcp' +    set load-balancing haproxy backend bk-01 balance 'round-robin' +    set load-balancing haproxy backend bk-01 mode 'tcp' -    set load-balancing reverse-proxy backend bk-01 http-check method 'get' -    set load-balancing reverse-proxy backend bk-01 http-check uri '/health' -    set load-balancing reverse-proxy backend bk-01 http-check expect 'status 200' +    set load-balancing haproxy backend bk-01 http-check method 'get' +    set load-balancing haproxy backend bk-01 http-check uri '/health' +    set load-balancing haproxy backend bk-01 http-check expect 'status 200' -    set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11' -    set load-balancing reverse-proxy backend bk-01 server srv01 port '8881' -    set load-balancing reverse-proxy backend bk-01 server srv01 check -    set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12' -    set load-balancing reverse-proxy backend bk-01 server srv02 port '8882' -    set load-balancing reverse-proxy backend bk-01 server srv02 check +    set load-balancing haproxy backend bk-01 server srv01 address '192.0.2.11' +    set load-balancing haproxy backend bk-01 server srv01 port '8881' +    set load-balancing haproxy backend bk-01 server srv01 check +    set load-balancing haproxy backend bk-01 server srv02 address '192.0.2.12' +    
set load-balancing haproxy backend bk-01 server srv02 port '8882' +    set load-balancing haproxy backend bk-01 server srv02 check diff --git a/docs/configuration/loadbalancing/index.rst b/docs/configuration/loadbalancing/index.rst index 382bd0d7..92dcc622 100644 --- a/docs/configuration/loadbalancing/index.rst +++ b/docs/configuration/loadbalancing/index.rst @@ -9,4 +9,4 @@ Load-balancing     :includehidden:     wan -   reverse-proxy +   haproxy diff --git a/docs/index.rst b/docs/index.rst index 4db014a9..69768eb8 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -5,22 +5,21 @@ VyOS User Guide  ############### -  .. grid:: 3     :gutter: 2 -    +     .. grid-item-card:: Get / Build VyOS -    +        Quickly :ref:`Build<contributing/build-vyos:build vyos>` your own Image or take a look at how to :ref:`download<installation/install:download>` a free or supported version. -    +     .. grid-item-card:: Install VyOS        Read about how to install VyOS on :ref:`Bare Metal<installation/install:installation>` or in a -      :ref:`Virtual Environment<installation/virtual/index:running vyos in virtual environments>` and -      how to use an image with the usual :ref:`cloud<installation/cloud/index:running VyOS in Cloud Environments>` providers  -    +      :ref:`Virtual Environment<installation/virtual/index:Virtual Environments>` and +      how to use an image with the usual :ref:`cloud<installation/cloud/index:Cloud Environments>` providers +     .. grid-item-card:: Configuration and Operation 
@@ -28,20 +27,20 @@ VyOS User Guide        set up :ref:`advanced routing<configuration/protocols/index:protocols>`,        :ref:`VRFs<configuration/vrf/index:vrf>`, or        :ref:`VPNs<configuration/vpn/index:vpn>` for example. -    +     .. grid-item-card:: Automate -      Integrate VyOS in your automation Workflow with  +      Integrate VyOS in your automation Workflow with        :ref:`Ansible<vyos-ansible>`,        have your own :ref:`local scripts<command-scripting>`, or configure VyOS with the :ref:`HTTPS-API<vyosapi>`. -    +     .. grid-item-card::  Examples        Get some inspiration from the :ref:`Configuration Blueprints<configexamples/index:Configuration Blueprints>`        to build your infrastructure. -    +     .. grid-item-card:: Contribute and Community diff --git a/docs/installation/vyos-on-baremetal.rst b/docs/installation/bare-metal.rst index 7d843521..6578f84e 100644 --- a/docs/installation/vyos-on-baremetal.rst +++ b/docs/installation/bare-metal.rst @@ -1,7 +1,7 @@  .. _vyosonbaremetal:  ##################### -Running on Bare Metal +Bare Metal Deployment  #####################  Supermicro A2SDi (Atom C3000) diff --git a/docs/installation/cloud/index.rst b/docs/installation/cloud/index.rst index 5236f092..a76dba4c 100644 --- a/docs/installation/cloud/index.rst +++ b/docs/installation/cloud/index.rst @@ -1,8 +1,6 @@ -################################## -Running VyOS in Cloud Environments -################################## - - +################## +Cloud Environments +##################  .. toctree::     :caption: Content @@ -10,4 +8,4 @@ Running VyOS in Cloud Environments     aws     azure     gcp -   oracel
\ No newline at end of file +   oracel diff --git a/docs/installation/index.rst b/docs/installation/index.rst index 435a16cd..9ab43b0e 100644 --- a/docs/installation/index.rst +++ b/docs/installation/index.rst @@ -2,8 +2,6 @@  Installation and Image Management  ################################# - -  .. toctree::     :maxdepth: 2     :caption: Content @@ -11,7 +9,8 @@ Installation and Image Management     install     virtual/index     cloud/index -   vyos-on-baremetal +   bare-metal     update     image +   secure-boot     migrate-from-vyatta diff --git a/docs/installation/secure-boot.rst b/docs/installation/secure-boot.rst new file mode 100644 index 00000000..07fdfbf4 --- /dev/null +++ b/docs/installation/secure-boot.rst 
@@ -0,0 +1,116 @@ +.. _secure_boot: + +########### +Secure Boot +########### + +Initial UEFI secure boot support is available (:vytask:`T861`). We utilize +``shim`` from Debian 12 (Bookworm) which is properly signed by the UEFI +SecureBoot key from Microsoft. + +.. note:: There is yet no signed version of ``shim`` for VyOS, thus we +   provide no signed image for secure boot yet. If you are interested in +   secure boot you can build an image on your own. + +To generate a custom ISO with your own secure boot keys, run the following +commands prior to your ISO image build: + +.. code-block:: bash + +  cd vyos-build +  openssl req -new -x509 -newkey rsa:4096 \ +    -keyout data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.key \ +    -outform DER -out MOK.der -days 36500 -subj "/CN=MyMOK/" -nodes +  openssl x509 -inform der \ +    -in data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \ +    -out MOK.pem + +************ +Installation +************ + +As our version of ``shim`` is not signed by Microsoft we need to enroll the +previously generated :abbr:`MOK (Machine Owner Key)` to the system. + +First of all you will need to disable UEFI secure boot for the installation. + +.. figure:: /_static/images/uefi_secureboot_01.png +   :alt: Disable UEFI secure boot + +Proceed with the regular VyOS :ref:`installation <permanent_installation>` on +your system, but instead of the final ``reboot`` we will enroll the +:abbr:`MOK (Machine Owner Key)`. + +.. code-block:: none + +  vyos@vyos:~$ install mok +  input password: +  input password again: + +The requested ``input password`` can be user chosen and is only needed after +rebooting the system into MOK Manager to permanently install the keys. + +With the next reboot, MOK Manager will automatically launch + +.. figure:: /_static/images/uefi_secureboot_02.png +   :alt: Disable UEFI secure boot + +Select ``Enroll MOK`` + +.. 
figure:: /_static/images/uefi_secureboot_03.png +   :alt: Disable UEFI secure boot + +You can now view the key to be installed and ``continue`` with the Key installation + +.. figure:: /_static/images/uefi_secureboot_04.png +   :alt: Disable UEFI secure boot + +.. figure:: /_static/images/uefi_secureboot_05.png +   :alt: Disable UEFI secure boot + +Now you will need the password previously defined + +.. figure:: /_static/images/uefi_secureboot_06.png +   :alt: Disable UEFI secure boot + +Now reboot and re-enable UEFI secure boot. + +.. figure:: /_static/images/uefi_secureboot_07.png +   :alt: Disable UEFI secure boot + +VyOS will now launch in UEFI secure boot mode. This can be double-checked by running +either one of the commands: + +.. code-block:: none + +  vyos@vyos:~$ show secure-boot +  SecureBoot enabled + +.. code-block:: none + +   vyos@vyos:~$ show log kernel | match Secure +   Oct 08 19:15:41 kernel: Secure boot enabled + +.. code-block:: none + +    vyos@vyos:~$    show version +    Version:          VyOS 1.5-secureboot +    Release train:    current +    Release flavor:   generic + +    Built by:         autobuild@vyos.net +    Built on:         Tue 08 Oct 2024 18:00 UTC +    Build UUID:       5702ca38-e6f4-470f-b89e-ffc29baee474 +    Build commit ID:  9eb61d3b6cf426 + +    Architecture:     x86_64 +    Boot via:         installed image +    System type:      KVM guest +    Secure Boot:      enabled   <-- UEFI secure boot indicator + +    Hardware vendor:  QEMU +    Hardware model:   Standard PC (i440FX + PIIX, 1996) +    Hardware S/N: +    Hardware UUID:    1f6e7f5c-fb52-4c33-96c9-782fbea36436 + +    Copyright:        VyOS maintainers and contributors diff --git a/docs/installation/virtual/index.rst b/docs/installation/virtual/index.rst index 8b088598..1654ff9e 100644 --- a/docs/installation/virtual/index.rst +++ b/docs/installation/virtual/index.rst 
@@ -1,6 +1,6 @@ -#################################### -Running VyOS in Virtual Environments -#################################### +#################### +Virtual Environments +####################  .. toctree::     :caption: Content | 
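Review bot: in docs/cli.rst, hunk @@ -329,7 +329,7, dropping the backticks turns a working cross-reference into plain text: a Sphinx role needs its target in backticks, so `:ref:run_opmode_from_config_mode` no longer resolves to the `.. _run_opmode_from_config_mode:` label that the @@ -791 hunk in the same file keeps, and the sentence "There is a special way on how to ..." will render with the raw role text. Restore `:ref:`run_opmode_from_config_mode``. The remaining hunks in this file only strip trailing whitespace and look fine.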
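Review bot: in docs/configuration/loadbalancing/reverse-proxy.rst renamed to haproxy.rst, hunk @@ -1,11 +1,11, the new title `Haproxy` and the sentence "Haproxy is a balancer and proxy server" use a casing the software itself does not: in prose it is spelled HAProxy, while the lowercase `haproxy` belongs only in the `set load-balancing haproxy ...` command paths, which the later hunks update consistently. Renaming the source file also changes the page URL and any autosectionlabel references of the form `configuration/loadbalancing/reverse-proxy:...`; the toctree in index.rst is updated in this patch, but consider keeping an explicit label or a redirect for the old page so existing links and bookmarks keep working.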
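Review bot: in docs/installation/secure-boot.rst, hunk @@ -0,0 +1,116, the two `openssl` commands disagree on where `MOK.der` lives: the first writes the certificate with `-out MOK.der` into the current directory (`vyos-build`) and only the key into `data/live-build-config/includes.chroot/var/lib/shim-signed/mok/`, but the second command reads `-in data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der`, which does not exist at that point, so the conversion fails. Either point `-out` at the mok directory or read `MOK.der` from the current directory, and decide where `MOK.pem` should end up as well. Related caveat worth a sentence in the text: `-keyout` places the private key, unencrypted because of `-nodes`, under `includes.chroot`, so it is copied into the chroot and shipped inside the built ISO; if that is intended (for example to sign modules at build time) say so, otherwise state that the key must be removed from the image, since whoever holds it can sign code that the enrolled MOK will trust. The page also contradicts itself: the introduction says the Debian 12 `shim` "is properly signed by the UEFI SecureBoot key from Microsoft", while the Installation section opens with "As our version of ``shim`` is not signed by Microsoft we need to enroll the previously generated MOK"; reword the second sentence to name what is actually signed with the MOK (presumably the bootloader and kernel built into the ISO) and add a line on which artifacts the ISO build signs with it, which the page currently omits. Smaller points: all seven `.. figure::` directives carry the same `:alt: Disable UEFI secure boot` although they show different MOK Manager screens, "There is yet no signed version" reads better as "There is no signed version ... yet", and "With the next reboot, MOK Manager will automatically launch" lacks a full stop.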
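Review bot: in docs/installation/cloud/index.rst, hunk @@ -10,4 +8,4, the toctree entry `oracel` is kept with only the missing trailing newline fixed; `oracel` looks like a misspelling of `oracle`. If the document really is named `oracel.rst` the entry builds, but the resulting page URL carries the typo, so consider renaming the file and the entry here or in a follow-up.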
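Review bot: in docs/installation/vyos-on-baremetal.rst renamed to bare-metal.rst, hunk @@ -1,7 +1,7, the explicit `.. _vyosonbaremetal:` label is retained, so `:ref:` links to that label keep working, but any autosectionlabel references of the form `installation/vyos-on-baremetal:...` elsewhere in the tree will now fail to resolve; please grep for the old document name before merging, and the same applies to the retitled `Running VyOS in Cloud Environments` and `Running VyOS in Virtual Environments` headings, whose old section names only index.rst is updated for in this patch.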
