Build on a more expanded reference for using credentials

See: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11073
2026-06-16 15:23:05 +03:00 · 2026-06-12 18:15:30 +01:00
50 changed files with 334 additions and 496 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -66,8 +66,6 @@ jobs:
    steps:
      - name: Code checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false

      - name: Setup Go
        id: go
--- a/.github/workflows/changelog-linter.yml
+++ b/.github/workflows/changelog-linter.yml
@@ -17,7 +17,6 @@ jobs:
        with:
          # needed for proper diff
          fetch-depth: 0
-          persist-credentials: false

      - name: 'Validate that changelog changes are under ## tip'
        run: |
--- a/.github/workflows/check-commit-signed.yml
+++ b/.github/workflows/check-commit-signed.yml
@@ -15,7 +15,6 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0  # we need full history for commit verification
-          persist-credentials: false

      - name: Check commit signatures
        run: |
--- a/.github/workflows/check-licenses.yml
+++ b/.github/workflows/check-licenses.yml
@@ -18,8 +18,6 @@ jobs:
    steps:
      - name: Code checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false

      - name: Setup Go
        id: go
--- a/.github/workflows/codeql-analysis-go.yml
+++ b/.github/workflows/codeql-analysis-go.yml
@@ -32,8 +32,6 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false

      - name: Set up Go
        id: go
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -21,7 +21,6 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          path: __vm
-          persist-credentials: false

      - name: Checkout private code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -29,7 +28,6 @@ jobs:
          repository: VictoriaMetrics/vmdocs
          token: ${{ secrets.VM_BOT_GH_TOKEN }}
          path: __vm-docs
-          persist-credentials: true

      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd  # v7.0.0
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -35,8 +35,6 @@ jobs:
    steps:
      - name: Code checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false

      - name: Setup Go
        id: go
@@ -80,8 +78,6 @@ jobs:
    steps:
      - name: Code checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false

      - name: Setup Go
        id: go
@@ -107,8 +103,6 @@ jobs:
    steps:
      - name: Code checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false

      - name: Setup Go
        id: go
--- a/.github/workflows/vmui.yml
+++ b/.github/workflows/vmui.yml
@@ -33,8 +33,6 @@ jobs:
    steps:
      - name: Code checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false

      - name: Cache node_modules
        id: cache
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,18 +1,9 @@
 version: "2"
 linters:
-  enable:
-    - errorlint
  settings:
    errcheck:
      exclude-functions:
        - (net/http.ResponseWriter).Write
-    errorlint:
-      errorf: true
-      # Do not enable `comparison` and `asserts`: they produce false positives,
-      # since many call sites intentionally compare sentinel errors directly (e.g. err == io.EOF)
-      # when the producer is documented to return them unwrapped. See https://github.com/VictoriaMetrics/VictoriaLogs/pull/1490
-      comparison: false
-      asserts: false
  exclusions:
    generated: lax
    presets:
--- a/app/vmctl/auth/auth.go
+++ b/app/vmctl/auth/auth.go
@@ -131,13 +131,16 @@ func (ac *authContext) initFromBasicAuthConfig(ba *BasicAuthConfig) error {
 	if ba.Username == "" {
 		return fmt.Errorf("missing `username` in `basic_auth` section")
 	}
-	ac.getAuthHeader = func() string {
-		// See https://en.wikipedia.org/wiki/Basic_access_authentication
-		token := ba.Username + ":" + ba.Password
-		token64 := base64.StdEncoding.EncodeToString([]byte(token))
-		return "Basic " + token64
+	if ba.Password != "" {
+		ac.getAuthHeader = func() string {
+			// See https://en.wikipedia.org/wiki/Basic_access_authentication
+			token := ba.Username + ":" + ba.Password
+			token64 := base64.StdEncoding.EncodeToString([]byte(token))
+			return "Basic " + token64
+		}
+		ac.authDigest = fmt.Sprintf("basic(username=%q, password=%q)", ba.Username, ba.Password)
+		return nil
 	}
-	ac.authDigest = fmt.Sprintf("basic(username=%q, password=%q)", ba.Username, ba.Password)
 	return nil
 }

--- a/app/vmctl/flags.go
+++ b/app/vmctl/flags.go
@@ -69,8 +69,6 @@ const (
 	vmAddr               = "vm-addr"
 	vmUser               = "vm-user"
 	vmPassword           = "vm-password"
-	vmHeaders            = "vm-headers"
-	vmBearerToken        = "vm-bearer-token"
 	vmAccountID          = "vm-account-id"
 	vmConcurrency        = "vm-concurrency"
 	vmCompress           = "vm-compress"
@@ -114,16 +112,6 @@ var (
 			Usage:   "VictoriaMetrics password for basic auth",
 			EnvVars: []string{"VM_PASSWORD"},
 		},
-		&cli.StringFlag{
-			Name: vmHeaders,
-			Usage: "Optional HTTP headers to send with each request to the corresponding destination address. \n" +
-				"For example, --vm-headers='My-Auth:foobar' would send 'My-Auth: foobar' HTTP header with every request to the corresponding destination address. \n" +
-				"Multiple headers must be delimited by '^^': --vm-headers='header1:value1^^header2:value2'",
-		},
-		&cli.StringFlag{
-			Name:  vmBearerToken,
-			Usage: "Optional bearer auth token to use for the corresponding --vm-addr",
-		},
 		&cli.StringFlag{
 			Name: vmAccountID,
 			Usage: "AccountID is an arbitrary 32-bit integer identifying namespace for data ingestion (aka tenant). \n" +
--- a/app/vmctl/main.go
+++ b/app/vmctl/main.go
@@ -457,7 +457,7 @@ func main() {
 						auth.WithBearer(c.String(vmNativeDstBearerToken)),
 						auth.WithHeaders(c.String(vmNativeDstHeaders)))
 					if err != nil {
-						return fmt.Errorf("error initialize auth config for destination: %s: %w", dstAddr, err)
+						return fmt.Errorf("error initialize auth config for destination: %s", dstAddr)
 					}

 					// create TLS config
@@ -596,18 +596,11 @@ func initConfigVM(c *cli.Context) (vm.Config, error) {
 		return vm.Config{}, fmt.Errorf("failed to create backoff object: %w", err)
 	}

-	authCfg, err := auth.Generate(
-		auth.WithBasicAuth(c.String(vmUser), c.String(vmPassword)),
-		auth.WithBearer(c.String(vmBearerToken)),
-		auth.WithHeaders(c.String(vmHeaders)))
-	if err != nil {
-		return vm.Config{}, fmt.Errorf("error initialize auth config for destination: %s: %w", addr, err)
-	}
-
 	return vm.Config{
 		Addr:               addr,
 		Transport:          tr,
-		AuthCfg:            authCfg,
+		User:               c.String(vmUser),
+		Password:           c.String(vmPassword),
 		Concurrency:        uint8(c.Int(vmConcurrency)),
 		Compress:           c.Bool(vmCompress),
 		AccountID:          c.String(vmAccountID),
--- a/app/vmctl/utils.go
+++ b/app/vmctl/utils.go
@@ -74,9 +74,9 @@ func wrapErr(vmErr *vm.ImportError, verbose bool) error {
 		verboseMsg = "(enable `--verbose` output to get more details)"
 	}
 	if vmErr.Err == nil {
-		return fmt.Errorf("%w\n\tLatest delivered batch for timestamps range %d - %d %s\n%s",
+		return fmt.Errorf("%s\n\tLatest delivered batch for timestamps range %d - %d %s\n%s",
 			vmErr.Err, minTS, maxTS, verboseMsg, errTS)
 	}
-	return fmt.Errorf("%w\n\tImporting batch failed for timestamps range %d - %d %s\n%s",
+	return fmt.Errorf("%s\n\tImporting batch failed for timestamps range %d - %d %s\n%s",
 		vmErr.Err, minTS, maxTS, verboseMsg, errTS)
 }
--- a/app/vmctl/vm/vm.go
+++ b/app/vmctl/vm/vm.go
@@ -12,7 +12,6 @@ import (
 	"sync"
 	"time"

-	"github.com/VictoriaMetrics/VictoriaMetrics/app/vmctl/auth"
 	"github.com/VictoriaMetrics/metrics"

 	"github.com/VictoriaMetrics/VictoriaMetrics/app/vmctl/backoff"
@@ -28,8 +27,6 @@ type Config struct {
 	//   --httpListenAddr value for single node version
 	//   --httpListenAddr value of vmselect  component for cluster version
 	Addr string
-
-	AuthCfg *auth.Config
 	// Transport allows specifying custom http.Transport
 	Transport *http.Transport
 	// Concurrency defines number of worker
@@ -43,6 +40,10 @@ type Config struct {
 	// BatchSize defines how many samples
 	// importer collects before sending the import request
 	BatchSize int
+	// User name for basic auth
+	User string
+	// Password for basic auth
+	Password string
 	// SignificantFigures defines the number of significant figures to leave
 	// in metric values before importing.
 	// Zero value saves all the significant decimal places
@@ -64,10 +65,11 @@ type Config struct {
 // see https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#how-to-import-time-series-data
 type Importer struct {
 	addr       string
-	authCfg    *auth.Config
 	client     *http.Client
 	importPath string
 	compress   bool
+	user       string
+	password   string

 	close  chan struct{}
 	input  chan *TimeSeries
@@ -146,7 +148,8 @@ func NewImporter(ctx context.Context, cfg Config) (*Importer, error) {
 		client:     client,
 		importPath: importPath,
 		compress:   cfg.Compress,
-		authCfg:    cfg.AuthCfg,
+		user:       cfg.User,
+		password:   cfg.Password,
 		rl:         limiter.NewLimiter(cfg.RateLimit),
 		close:      make(chan struct{}),
 		input:      make(chan *TimeSeries, cfg.Concurrency*4),
@@ -301,8 +304,8 @@ func (im *Importer) Ping() error {
 	if err != nil {
 		return fmt.Errorf("cannot create request to %q: %w", im.addr, err)
 	}
-	if im.authCfg != nil {
-		im.authCfg.SetHeaders(req, true)
+	if im.user != "" {
+		req.SetBasicAuth(im.user, im.password)
 	}
 	resp, err := im.client.Do(req)
 	if err != nil {
@@ -331,8 +334,8 @@ func (im *Importer) Import(tsBatch []*TimeSeries) error {
 		im.importRequestsErrorsTotal.Inc()
 		return fmt.Errorf("cannot create request to %q: %w", im.addr, err)
 	}
-	if im.authCfg != nil {
-		im.authCfg.SetHeaders(req, true)
+	if im.user != "" {
+		req.SetBasicAuth(im.user, im.password)
 	}
 	if im.compress {
 		req.Header.Set("Content-Encoding", "gzip")
--- a/app/vmselect/main.go
+++ b/app/vmselect/main.go
@@ -6,6 +6,8 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
+	nethttputil "net/http/httputil"
+	"net/url"
 	"strings"
 	"time"

@@ -27,7 +29,6 @@ import (
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/promscrape"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/querytracer"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/timerpool"
-	"github.com/VictoriaMetrics/VictoriaMetrics/lib/vmalertproxy"
 )

 var (
@@ -37,10 +38,7 @@ var (
 	resetCacheAuthKey    = flagutil.NewPassword("search.resetCacheAuthKey", "Optional authKey for resetting rollup cache via /internal/resetRollupResultCache call. It could be passed via authKey query arg. It overrides -httpAuth.*")
 	logSlowQueryDuration = flag.Duration("search.logSlowQueryDuration", 5*time.Second, "Log queries with execution time exceeding this value. Zero disables slow query logging. "+
 		"See also -search.logQueryMemoryUsage")
-
-	vmalertProxyURL = flag.String("vmalert.proxyURL", "", "Optional URL for proxying requests to vmalert. For example, if -vmalert.proxyURL=http://vmalert:8880 , "+
-		"then alerting API requests such as /api/v1/rules from Grafana will be proxied to http://vmalert:8880/api/v1/rules . "+
-		"See https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmalert")
+	vmalertProxyURL = flag.String("vmalert.proxyURL", "", "Optional URL for proxying requests to vmalert. For example, if -vmalert.proxyURL=http://vmalert:8880 , then alerting API requests such as /api/v1/rules from Grafana will be proxied to http://vmalert:8880/api/v1/rules")
 )

 var slowQueries = metrics.NewCounter(`vm_slow_queries_total`)
@@ -57,8 +55,8 @@ func Init(vmselectMaxConcurrentRequests int, vmselectMaxQueueDuration time.Durat
 	concurrencyLimitCh = make(chan struct{}, maxConcurrentRequests)

 	initVMUIConfig()
+	initVMAlertProxy()

-	vmalertproxy.Init(*vmalertProxyURL)
 	flagutil.RegisterSecretFlag("vmalert.proxyURL")
 }

@@ -516,11 +514,10 @@ func handleStaticAndSimpleRequests(w http.ResponseWriter, r *http.Request, path
 		if len(*vmalertProxyURL) == 0 {
 			w.WriteHeader(http.StatusBadRequest)
 			w.Header().Set("Content-Type", "application/json")
-			fmt.Fprintf(w, "%s", `{"status":"error","msg":"the '-vmalert.proxyURL' command-line must be configured; `+
-				`see https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmalert"}`)
+			fmt.Fprintf(w, "%s", `{"status":"error","msg":"for accessing vmalert flag '-vmalert.proxyURL' must be configured"}`)
 			return true
 		}
-		vmalertproxy.HandleRequest(w, r, path)
+		proxyVMAlertRequests(w, r, path)
 		return true
 	}

@@ -558,7 +555,7 @@ func handleStaticAndSimpleRequests(w http.ResponseWriter, r *http.Request, path
 	case "/api/v1/rules", "/rules":
 		rulesRequests.Inc()
 		if len(*vmalertProxyURL) > 0 {
-			vmalertproxy.HandleRequest(w, r, path)
+			proxyVMAlertRequests(w, r, path)
 			return true
 		}
 		// Return dumb placeholder for https://prometheus.io/docs/prometheus/latest/querying/api/#rules
@@ -568,7 +565,7 @@ func handleStaticAndSimpleRequests(w http.ResponseWriter, r *http.Request, path
 	case "/api/v1/alerts", "/alerts":
 		alertsRequests.Inc()
 		if len(*vmalertProxyURL) > 0 {
-			vmalertproxy.HandleRequest(w, r, path)
+			proxyVMAlertRequests(w, r, path)
 			return true
 		}
 		// Return dumb placeholder for https://prometheus.io/docs/prometheus/latest/querying/api/#alerts
@@ -578,7 +575,7 @@ func handleStaticAndSimpleRequests(w http.ResponseWriter, r *http.Request, path
 	case "/api/v1/notifiers", "/notifiers":
 		notifiersRequests.Inc()
 		if len(*vmalertProxyURL) > 0 {
-			vmalertproxy.HandleRequest(w, r, path)
+			proxyVMAlertRequests(w, r, path)
 			return true
 		}
 		w.Header().Set("Content-Type", "application/json")
@@ -725,7 +722,48 @@ var (
 	metricNamesStatsResetErrors   = metrics.NewCounter(`vm_http_request_errors_total{path="/api/v1/admin/status/metric_names_stats/reset"}`)
 )

-var vmuiConfig string
+func proxyVMAlertRequests(w http.ResponseWriter, r *http.Request, path string) {
+	defer func() {
+		err := recover()
+		if err == nil || err == http.ErrAbortHandler {
+			// Suppress http.ErrAbortHandler panic.
+			// See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1353
+			return
+		}
+		// Forward other panics to the caller.
+		panic(err)
+	}()
+	req := r.Clone(r.Context())
+	req.URL.Path = strings.TrimPrefix(path, "prometheus")
+	req.Host = vmalertProxyHost
+
+	if strings.HasPrefix(r.Header.Get(`User-Agent`), `Grafana`) {
+		// Grafana currently supports only Prometheus-style alerts. If other alert types
+		// (e.g. logs or traces) are returned, it may fail with "Error loading alerts".
+		//
+		// Grafana queries the vmalert API directly, bypassing the VictoriaMetrics datasource,
+		// so query params (such as datasource_type) cannot be enforced on the Grafana side.
+		//
+		// To ensure compatibility, we detect Grafana requests via the User-Agent and enforce
+		// `datasource_type=prometheus`.
+		//
+		// See:
+		// - https://github.com/VictoriaMetrics/victoriametrics-datasource/issues/329#issuecomment-3847585443
+		// - https://github.com/VictoriaMetrics/victoriametrics-datasource/issues/59
+		q := req.URL.Query()
+		q.Set("datasource_type", "prometheus")
+		req.URL.RawQuery = q.Encode()
+		req.RequestURI = ""
+	}
+
+	vmalertProxy.ServeHTTP(w, req)
+}
+
+var (
+	vmalertProxyHost string
+	vmalertProxy     *nethttputil.ReverseProxy
+	vmuiConfig       string
+)

 func initVMUIConfig() {
 	var cfg struct {
@@ -757,3 +795,16 @@ func initVMUIConfig() {
 	}
 	vmuiConfig = string(data)
 }
+
+// initVMAlertProxy must be called after flag.Parse(), since it uses command-line flags.
+func initVMAlertProxy() {
+	if len(*vmalertProxyURL) == 0 {
+		return
+	}
+	proxyURL, err := url.Parse(*vmalertProxyURL)
+	if err != nil {
+		logger.Fatalf("cannot parse -vmalert.proxyURL=%q: %s", *vmalertProxyURL, err)
+	}
+	vmalertProxyHost = proxyURL.Host
+	vmalertProxy = nethttputil.NewSingleHostReverseProxy(proxyURL)
+}
--- a/app/vmselect/prometheus/prometheus.go
+++ b/app/vmselect/prometheus/prometheus.go
@@ -28,7 +28,6 @@ import (
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/httpserver"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/httputil"
-	"github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/netutil"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/querytracer"
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/storage"
@@ -526,7 +525,6 @@ func DeleteHandler(startTime time.Time, r *http.Request) error {
 	if deletedCount > 0 {
 		promql.ResetRollupResultCache()
 	}
-	logger.Infof("/api/v1/admin/tsdb/delete_series has been called for %q. Deleted %d series.", sq.FiltersString(), deletedCount)
 	return nil
 }

--- a/app/vmui/packages/vmui/src/components/Chart/ChartTooltip/ChartTooltip.tsx
+++ b/app/vmui/packages/vmui/src/components/Chart/ChartTooltip/ChartTooltip.tsx
@@ -5,7 +5,7 @@ import uPlot from "uplot";
 import Button from "../../Main/Button/Button";
 import { CloseIcon, DragIcon } from "../../Main/Icons";
 import { SeriesItemStatsFormatted } from "../../../types";
-import { STATS_ORDER_TOOLTIP } from "../../../constants/graph";
+import { STATS_ORDER } from "../../../constants/graph";

 export interface ChartTooltipProps {
  u?: uPlot;
@@ -164,7 +164,7 @@ const ChartTooltip: FC<ChartTooltipProps> = ({
      </div>
      {statsFormatted && (
        <table className="vm-chart-tooltip-stats">
-          {STATS_ORDER_TOOLTIP.map((key, i) => (
+          {STATS_ORDER.map((key, i) => (
            <div
              className="vm-chart-tooltip-stats-row"
              key={i}
--- a/app/vmui/packages/vmui/src/components/Chart/Line/Legend/LegendConfigs/LegendConfigs.tsx
+++ b/app/vmui/packages/vmui/src/components/Chart/Line/Legend/LegendConfigs/LegendConfigs.tsx
@@ -61,7 +61,7 @@ const LegendConfigs: FC<Props> = ({ data, isCompact }) => {
      label: "Hide Statistics",
      value: hideStats,
      onChange: onChangeStats,
-      info: "If enabled, hides the display of min, median, max, and last values.",
+      info: "If enabled, hides the display of min, median, and max values.",
    }
  ];

--- a/app/vmui/packages/vmui/src/components/Chart/Line/Legend/LegendItem/LegendItem.tsx
+++ b/app/vmui/packages/vmui/src/components/Chart/Line/Legend/LegendItem/LegendItem.tsx
@@ -5,7 +5,7 @@ import "./style.scss";
 import classNames from "classnames";
 import { getFreeFields } from "./helpers";
 import useCopyToClipboard from "../../../../../hooks/useCopyToClipboard";
-import { STATS_ORDER_LEGEND } from "../../../../../constants/graph";
+import { STATS_ORDER } from "../../../../../constants/graph";
 import { useShowStats } from "../hooks/useShowStats";
 import { useLegendFormat } from "../hooks/useLegendFormat";
 import { getLabelAlias } from "../../../../../utils/metric";
@@ -80,7 +80,7 @@ const LegendItem: FC<LegendItemProps> = ({ legend, onChange, duplicateFields })
      </div>
      {!hideStats && showStats && (
        <div className="vm-legend-item-stats">
-          {STATS_ORDER_LEGEND.map((key, i) => (
+          {STATS_ORDER.map((key, i) => (
            <div
              className="vm-legend-item-stats-row"
              key={i}
--- a/app/vmui/packages/vmui/src/components/Chart/Line/Legend/LegendViews/LegendTable.tsx
+++ b/app/vmui/packages/vmui/src/components/Chart/Line/Legend/LegendViews/LegendTable.tsx
@@ -4,11 +4,11 @@ import "./style.scss";
 import { LegendItemType } from "../../../../../types";
 import { MouseEvent } from "react";
 import classNames from "classnames";
-import { STATS_ORDER_LEGEND } from "../../../../../constants/graph";
+import { STATS_ORDER } from "../../../../../constants/graph";
 import { useShowStats } from "../hooks/useShowStats";
 import { getValueByPath } from "../../../../../utils/object";

-const statsColumns = STATS_ORDER_LEGEND.map(k => ({
+const statsColumns = STATS_ORDER.map(k => ({
  key: `statsFormatted.${k}`,
  title: k
 }));
--- a/app/vmui/packages/vmui/src/constants/graph.ts
+++ b/app/vmui/packages/vmui/src/constants/graph.ts
@@ -26,5 +26,4 @@ export const GRAPH_SIZES: GraphSize[] = [
  },
 ];

-export const STATS_ORDER_LEGEND: (keyof SeriesItemStatsFormatted)[] = ["min", "median", "max", "last"];
-export const STATS_ORDER_TOOLTIP: (keyof SeriesItemStatsFormatted)[] = ["min", "median", "max"];
+export const STATS_ORDER: (keyof SeriesItemStatsFormatted)[] = ["min", "median", "max"];
--- a/app/vmui/packages/vmui/src/types/uplot.ts
+++ b/app/vmui/packages/vmui/src/types/uplot.ts
@@ -4,7 +4,6 @@ export interface SeriesItemStatsFormatted {
    min: string,
    max: string,
    median: string,
-    last: string,
 }

 export interface SeriesItem extends Series {
--- a/app/vmui/packages/vmui/src/utils/uplot/series.ts
+++ b/app/vmui/packages/vmui/src/utils/uplot/series.ts
@@ -53,7 +53,6 @@ const getSeriesStatistics = (d: MetricResult) => {
      min: formatPrettyNumber(min, min, max),
      max: formatPrettyNumber(max, min, max),
      median: formatPrettyNumber(median, min, max),
-      last: formatPrettyNumber(values.at(-1), min, max),
    },
  };
 };
--- a/docs/victoriametrics/CONTRIBUTING.md
+++ b/docs/victoriametrics/CONTRIBUTING.md
@@ -28,7 +28,7 @@ If you like VictoriaMetrics and want to contribute, then it would be great:
 ## Issues

 When making a new issue, make sure to create no duplicates. Use GitHub search to find whether similar issues exist already.
-The new issue should be written in English and contain a concise description of the problem and the environment where it exists.
+The new issue should be written in English and contain concise description of the problem and environment where it exists.
 We'd very much prefer to have a specific use-case included in the description, since it could have workaround or alternative solutions.

 When looking for an issue to contribute, always prefer working on [bugs](https://github.com/VictoriaMetrics/VictoriaMetrics/issues?q=is%3Aopen+is%3Aissue+label%3Abug)
@@ -48,7 +48,7 @@ We use [labels](https://docs.github.com/en/issues/using-labels-and-milestones-to
 1. `need more info`, assigned to issues that require elaboration from the issue creator.
  For example, if we weren't able to reproduce the reported bug based on the ticket description then we ask additional
  questions which could help to reproduce the issue and add `need more info` label. This label helps other maintainers
-  to understand that this issue wasn't forgotten but waits for the feedback from the user.
+  to understand that this issue wasn't forgotten but waits for the feedback from user.
 1. `completed`, assigned to issues that required code changes and those changes were merged to upstream, but not released yet.
  Once a release is made, maintainers go through all labeled issues, leave a comment about the new release, and close the issue.
 1. `vmui`, assigned to issues related to [vmui](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmui) or [VictoriaLogs webui](https://docs.victoriametrics.com/victorialogs/querying/#web-ui)
@@ -63,31 +63,32 @@ Pull requests requirements:
 1. Don't use `master` branch for making PRs, as it makes it impossible for reviewers to modify the changes.
 1. All commits need to be [signed](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).
 1. Pull request title should be prefixed with `<dir>/<component>:` to show what component has been changed, i.e. `app/vmalert: fix...`.
-   Pull request description should contain a clear and concise description of what was done, why it is needed and for what purpose.
+   Pull request description should contain clear and concise description of what was done, why it is needed and for what purpose.
   Use clear language, so reviewers can quickly understand the change and its impact.
 1. A link to the issue(s) related to the change, if any. Use `Fixes [issue link]` if the PR resolves the issue, or `Related to [issue link]` for reference.
 1. Tests proving that the change is effective. Tests are expected for non-trivial new functionality or non-trivial modifications.
   Bug fixes must include tests unless a maintainer explicitly agrees otherwise.
-   See [this style guide](https://itnext.io/f-tests-as-a-replacement-for-table-driven-tests-in-go-8814a8b19e9e) for tests. See [this section](#testing) for how to run tests.
+   See [this style guide](https://itnext.io/f-tests-as-a-replacement-for-table-driven-tests-in-go-8814a8b19e9e) for tests.
+   To run tests and code checks locally, execute commands `make test-full` and `make check-all`.
 1. Try to not extend the scope of the pull requests outside the issue, do not make unrelated changes.
-1. Update [docs](https://github.com/VictoriaMetrics/VictoriaMetrics/tree/master/docs) if needed. For example, adding a new flag or changing the behavior of existing flags or features
+1. Update [docs](https://github.com/VictoriaMetrics/VictoriaMetrics/tree/master/docs) if needed. For example, adding a new flag or changing behavior of existing flags or features
   requires reflecting these changes in the documentation. For new features add `{{%/* available_from "#" */%}}` shortcode to the documentation.
   It will be later automatically replaced with an actual release version.
 1. A line in the [changelog](https://docs.victoriametrics.com/victoriametrics/changelog/#tip) mentioning the change and related issue in a way
   that would be clear to other readers even if they don't have the full context.
-1. Avoid modifying code in the `/vendor` folder manually, even when the vendored package originates from the VictoriaMetrics GitHub organization.
+1. Avoid modifying code in the `/vendor` folder manually, even when the vendored package originates are from the VictoriaMetrics GitHub organization.
   For instance, VictoriaLogs vendors packages under the `/lib` folder from VictoriaMetrics, and VictoriaTraces vendors the `/lib/logstorage` package from VictoriaLogs.
-   Submit a pull request to the upstream repository first. Afterward, a separate pull request can be opened to update the version of the vendored folder in the downstream repository.
+   Submit a pull request to the upstream repository first. Afterward, a separate pull request can be opened to update the version of the vendored folder in downstream repository.
   * For common packages, the vendored package can be updated with this command: `go get <dependency>@vX.Y.Z`.  
   * For VictoriaMetrics packages, use `go get <dependency>@canonical_commit_hash`. 
   Finally, run `go mod tidy` and `go mod vendor` to update `go.mod`, `go.sum`, and `/vendor`.
 1. Ping reviewers who you think have the best expertise on the matter.

-See a good example of a [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6487).
+See good example of a [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6487).

 ## Merging Pull Request

-The person who merges the Pull Request is responsible for satisfying the requirements below:
+The person who merges the Pull Request is responsible for satisfying requirements below:

 1. Make sure that PR satisfies [Pull Request checklist](https://docs.victoriametrics.com/victoriametrics/contributing/#pull-request-checklist),
   it is approved by at least one reviewer, all CI checks are green.
@@ -96,9 +97,9 @@ The person who merges the Pull Request is responsible for satisfying the require
 1. If applicable, cherry-pick the change to [LTS release lines](https://docs.victoriametrics.com/victoriametrics/lts-releases/)
   and mention in the PR comment what was or wasn't cherry-picked.
 1. Update related issues with a meaningful message of what has changed and when it will be
-   released. _This helps users to understand the change without reading the PR._
+   released. _This helps users to understand the change without reading PR._
 1. Add label `completed` to related issues.
-1. Do not close related tickets until the release is made. If the ticket was auto-closed by GitHub or a user - re-open it.
+1. Do not close related tickets until release is made. If ticket was auto-closed by GitHub or user - re-open it.

 ## KISS principle

@@ -114,9 +115,9 @@ We are open to third-party pull requests provided they follow [KISS design princ
 - Minimize the number of moving parts in the distributed system.
 - Avoid automated decisions, which may hurt cluster availability, consistency, performance or debuggability.

-Adhering to the `KISS` principle, simplifies the resulting code and architecture so it can be reviewed, understood and debugged by a wider audience.
+Adhering to `KISS` principle, simplifies the resulting code and architecture so it can be reviewed, understood and debugged by a wider audience.

-Due to `KISS`, [cluster version of VictoriaMetrics](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) has none of the following "features" popular in distributed computing:
+Due to `KISS`, [cluster version of VictoriaMetrics](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/) has none of the following "features" popular in distributed computing world:

 - Fragile gossip protocols. See [failed attempt in Thanos](https://github.com/improbable-eng/thanos/blob/030bc345c12c446962225221795f4973848caab5/docs/proposals/completed/201809_gossip-removal.md).
 - Hard-to-understand-and-implement-properly [Paxos protocols](https://www.quora.com/In-distributed-systems-what-is-a-simple-explanation-of-the-Paxos-algorithm).
@@ -125,17 +126,3 @@ Due to `KISS`, [cluster version of VictoriaMetrics](https://docs.victoriametrics
 - Automatic cluster resizing, which may cost you a lot of money if improperly configured.
 - Automatic discovering and addition of new nodes in the cluster, which may mix data between dev and prod clusters :)
 - Automatic leader election, which may result in split brain disaster on network errors.
-
-## Testing
-
-We recommend running the following sequence of checks and tests before submitting a pull request:
-```sh
-# run static checks
-make check-all
-
-# run unit test
-make test-full
-
-# run integration tests
-make apptest
-```
--- a/docs/victoriametrics/changelog/CHANGELOG.md
+++ b/docs/victoriametrics/changelog/CHANGELOG.md
@@ -26,14 +26,7 @@ See also [LTS releases](https://docs.victoriametrics.com/victoriametrics/lts-rel

 ## tip

-* FEATURE: all VictoriaMetrics components: add `-http.header.disableServerHostname` command-line flag for disabling the `X-Server-Hostname` HTTP response header. See [#11067](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11067). Thanks to @zasdaym for contribution.
-* FEATURE: [vmsingle](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/) and `vmselect` in [VictoriaMetrics cluster](https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/): log calls to [/api/v1/admin/tsdb/delete_series](https://docs.victoriametrics.com/victoriametrics/url-examples/#apiv1admintsdbdelete_series) API handler. This should help to identify events of metrics deletion from the database. See [#11104](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/11104).
-* FEATURE: [vmctl](https://docs.victoriametrics.com/victoriametrics/vmctl/): add `-vm-headers` and `-vm-bearer-token` flags for authenticating requests to the VictoriaMetrics import destination. The flags are available in `opentsdb`, `influx`, `remote-read`, `prometheus`, `mimir`, and `thanos` vmctl sub-commands. See [#8897](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/8897).
-* FEATURE: [vmui](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmui): add the `last` value to graph legend statistics. See [#10759](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10759).
-* FEATURE: [vmagent](https://docs.victoriametrics.com/victoriametrics/vmagent/): add `-promscrape.cluster.shardByLabels` command-line flag for selecting target labels used for sharding scrape targets among `vmagent` instances in cluster mode. See [#11044](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/11044).
-
-* BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): fix issue with producing aggregated samples with identical timestamps between flushes. See [#10808](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10808).
-* BUGFIX: [vmbackup](https://docs.victoriametrics.com/vmbackup/), [vmbackupmanager](https://docs.victoriametrics.com/victoriametrics/vmbackupmanager/): do not fail backup list if directory is absent while using `fs://` destination to align with other protocols. See [6c3c548](https://github.com/VictoriaMetrics/VictoriaMetrics/commit/6c3c548ddb0385b749e731f52276f130e2a4e4a8)
+* BUGFIX: [stream aggregation](https://docs.victoriametrics.com/victoriametrics/stream-aggregation/): fix issue with producing aggregated samples with identical timestamps between flushes. See PR [#10808](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/10808) for details.

 ## [v1.145.0](https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.145.0)

--- a/docs/victoriametrics/victoria_metrics_common_flags.md
+++ b/docs/victoriametrics/victoria_metrics_common_flags.md
@@ -95,8 +95,6 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
@@ -623,7 +621,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/
  -version
     Show VictoriaMetrics version
  -vmalert.proxyURL string
-     Optional URL for proxying requests to vmalert. For example, if -vmalert.proxyURL=http://vmalert:8880 , then alerting API requests such as /api/v1/rules from Grafana will be proxied to http://vmalert:8880/api/v1/rules . See https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#vmalert
+     Optional URL for proxying requests to vmalert. For example, if -vmalert.proxyURL=http://vmalert:8880 , then alerting API requests such as /api/v1/rules from Grafana will be proxied to http://vmalert:8880/api/v1/rules
  -vmui.customDashboardsPath string
     Optional path to vmui dashboards. See https://github.com/VictoriaMetrics/VictoriaMetrics/tree/master/app/vmui/packages/vmui/public/dashboards
  -vmui.defaultTimezone string
--- a/docs/victoriametrics/vmagent.md
+++ b/docs/victoriametrics/vmagent.md
@@ -797,13 +797,6 @@ For example, the following commands spread scrape targets among a cluster of two
 The `-promscrape.cluster.memberNum` can be set to a StatefulSet pod name when `vmagent` runs in Kubernetes.
 The pod name must end with a number in the range `0 ... promscrape.cluster.membersCount-1`. For example, `-promscrape.cluster.memberNum=vmagent-0`.

-By default, targets are sharded among `vmagent` instances by all target labels after relabeling.
-Use `-promscrape.cluster.shardByLabels` to shard targets by specified labels instead.
-For example, `-promscrape.cluster.shardByLabels=service,pod` keeps targets with the same `service` and `pod` label value on the same `vmagent` instance.
-
-If some of the specified labels are present on a target, then only the present labels are used for sharding.
-If none of the specified labels are present, then all target labels are used for sharding.
-
 By default, each scrape target is scraped only by a single `vmagent` instance in the cluster. If there is a need for replicating scrape targets among multiple `vmagent` instances,
 then `-promscrape.cluster.replicationFactor` command-line flag must be set to the desired number of replicas. For example, the following commands
 start a cluster of three `vmagent` instances, where two `vmagent` instances scrape each target:
--- a/docs/victoriametrics/vmagent_common_flags.md
+++ b/docs/victoriametrics/vmagent_common_flags.md
@@ -74,8 +74,6 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/vmagent/ .
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/docs/victoriametrics/vmalert.md
+++ b/docs/victoriametrics/vmalert.md
@@ -546,7 +546,7 @@ tags at [Docker Hub](https://hub.docker.com/r/victoriametrics/vmalert/tags) and

 ## Reading rules from object storage

-[Enterprise version](https://docs.victoriametrics.com/victoriametrics/enterprise/) of `vmalert` may read alerting and recording rules
+The [Enterprise version](https://docs.victoriametrics.com/victoriametrics/enterprise/) of `vmalert` may read alerting and recording rules
 from object storage:

 * `./bin/vmalert -rule=s3://bucket/dir/alert.rules` would read rules from the given path at S3 bucket
@@ -563,6 +563,8 @@ The following [command-line flags](#flags) can be used for fine-tuning access to
 * `-s3.customEndpoint` - custom S3 endpoint for use with S3-compatible storages (e.g. MinIO). S3 is used if not set.
 * `-s3.forcePathStyle` - prefixing endpoint with bucket name when set false, true by default.

+See [providing credentials as a file](https://docs.victoriametrics.com/victoriametrics/vmbackup/#providing-credentials-as-a-file) for details on how to create and use credentials to access S3-compatible buckets and Google Cloud Storage.
+
 ## Topology examples

 The following sections are showing how `vmalert` may be used and configured
--- a/docs/victoriametrics/vmalert_common_flags.md
+++ b/docs/victoriametrics/vmalert_common_flags.md
@@ -115,8 +115,6 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/vmalert/ .
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/docs/victoriametrics/vmauth_common_flags.md
+++ b/docs/victoriametrics/vmauth_common_flags.md
@@ -59,8 +59,6 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/vmauth/ .
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/docs/victoriametrics/vmbackup.md
+++ b/docs/victoriametrics/vmbackup.md
@@ -204,38 +204,80 @@ See [this article](https://medium.com/@valyala/speeding-up-backups-for-big-time-

 ### Providing credentials as a file

-Obtaining credentials from a file.
+`vmbackup`, `vmbackupmanager`, and [`vmalert`](https://docs.victoriametrics.com/victoriametrics/vmalert/) can load credentials from a file via the `-credsFilePath` flag to access remote S3-compatible buckets and Google Cloud Storage.

-Add flag `-credsFilePath=/etc/credentials` with the following content:
+To use a credential file, add the flag:

-* for S3 (AWS, MinIO or other S3 compatible storages):
+```sh
+-credsFilePath=/etc/credentials
+```

-     ```sh
-     [default]
-     aws_access_key_id=theaccesskey
-     aws_secret_access_key=thesecretaccesskeyvalue
-    ```
+The argument should point to a file with one of the formats below, depending on the storage provider.

-* for GCP cloud storage:
+#### S3 (AWS and S3-compatible)

-    ```json
-    {
-           "type": "service_account",
-           "project_id": "project-id",
-           "private_key_id": "key-id",
-           "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
-           "client_email": "service-account-email",
-           "client_id": "client-id",
-           "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-           "token_uri": "https://accounts.google.com/o/oauth2/token",
-           "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-           "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
-    }
-    ```
+1. In AWS, [create an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) or role with permissions to read and write the target bucket.
+2. [Create an access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for that IAM identity and copy the **Access key** and **Secret access key** values
+3. On the machine running `vmbackup`, create a credentials file with the following content and point `-credsFilePath` to it:
+
+   ```ini
+   [default]
+   aws_access_key_id=YOUR_AWS_ACCESS_KEY
+   aws_secret_access_key=YOUR_AWS_SECRET_ACCESS_KEY
+   ```
+
+This format matches the standard shared AWS credentials file used by the [AWS CLI](https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-files.html) and [AWS SDKs](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html).
+
+For S3-compatible backends such as [MinIO](https://www.min.io/) or [Ceph](https://ceph.io/), create access keys in the respective
+system and use the same file format and set a custom endpoint with `-customS3Endpoint`. 
+
+For example:
+
+```sh
+vmbackup \
+  -storageDataPath=/data \
+  -snapshot.createURL=http://localhost:8428/snapshot/create \
+  -dst=s3://victoriametrics-backup/backup01 \
+  -customS3Endpoint=http://minio.example.local:9000 \
+  -credsFilePath=/etc/credentials
+```
+
+#### Google Cloud Storage (GCS)
+
+To create an IAM user and download the credential file, follow these steps:
+
+1. Open the Google Cloud Console and go to **IAM & Admin → Service Accounts**.
+2. Click **Create service account**.
+3. Enter a service account name.
+4. Assign the role the account needs to access Google Cloud Storage. See [IAM permissions for JSON methods](https://docs.cloud.google.com/storage/docs/access-control/iam-json) for more details.
+5. Open the service account, go to **Keys**, then click **Add key → Create new key**.
+6. Choose **JSON** as the key type
+7. Save the downloaded JSON file on the machine running `vmbackup` and point `-credsFilePath` to it. The file contents look similar to:
+
+   ```json
+   {
+     "type": "service_account",
+     "project_id": "project-id",
+     "private_key_id": "key-id",
+     "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
+     "client_email": "service-account-email",
+     "client_id": "client-id",
+     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+     "token_uri": "https://accounts.google.com/o/oauth2/token",
+     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+     "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
+   }
+   ```
+
+This JSON is the standard service account key format defined by [Google Cloud IAM](https://developers.google.com/workspace/guides/create-credentials) and is used by Google client libraries and tools.
+
+#### Azure Blob Storage
+
+Azure Blob Storage uses environment variables rather than `-credsFilePath` in `vmbackup`. See [providing credentials via env variables](https://docs.victoriametrics.com/victoriametrics/vmbackup/#providing-credentials-via-env-variables) for details.

 ### Providing credentials via env variables

-Obtaining credentials from env variables.
+Obtaining credentials from environment variables.

 * For AWS S3 compatible storages set env variable `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
  Also you can set env variable `AWS_SHARED_CREDENTIALS_FILE` with path to credentials file.
@@ -400,8 +442,6 @@ Run `vmbackup -help` in order to see all the available options:
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/docs/victoriametrics/vmbackupmanager.md
+++ b/docs/victoriametrics/vmbackupmanager.md
@@ -575,8 +575,6 @@ command-line flags:
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/docs/victoriametrics/vmgateway.md
+++ b/docs/victoriametrics/vmgateway.md
@@ -496,8 +496,6 @@ Below is the list of configuration flags (it can be viewed by running `./vmgatew
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/docs/victoriametrics/vminsert_common_flags.md
+++ b/docs/victoriametrics/vminsert_common_flags.md
@@ -76,8 +76,6 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/docs/victoriametrics/vmrestore.md
+++ b/docs/victoriametrics/vmrestore.md
@@ -102,8 +102,6 @@ Run `vmrestore -help` in order to see all the available options:
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/docs/victoriametrics/vmselect_common_flags.md
+++ b/docs/victoriametrics/vmselect_common_flags.md
@@ -75,8 +75,6 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
@@ -325,7 +323,7 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
  -version
     Show VictoriaMetrics version
  -vmalert.proxyURL string
-     Optional URL for proxying requests to vmalert. For example, if -vmalert.proxyURL=http://vmalert:8880 , then alerting API requests such as /api/v1/rules from Grafana will be proxied to http://vmalert:8880/api/v1/rules . See https://docs.victoriametrics.com/victoriametrics/cluster-victoriametrics/#vmalert
+     Optional URL for proxying requests to vmalert. For example, if -vmalert.proxyURL=http://vmalert:8880 , then alerting API requests such as /api/v1/rules from Grafana will be proxied to http://vmalert:8880/api/v1/rules
  -vmstorageDialTimeout duration
     Timeout for establishing RPC connections from vmselect to vmstorage. See also -vmstorageUserTimeout (default 3s)
  -vmstorageUserTimeout duration
--- a/docs/victoriametrics/vmstorage_common_flags.md
+++ b/docs/victoriametrics/vmstorage_common_flags.md
@@ -68,8 +68,6 @@ See the docs at https://docs.victoriametrics.com/victoriametrics/cluster-victori
     Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth
  -http.header.csp string
     Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"
-  -http.header.disableServerHostname
-     Whether to disable 'X-Server-Hostname' header in HTTP responses
  -http.header.frameOptions string
     Value for 'X-Frame-Options' header
  -http.header.hsts string
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -64,10 +64,9 @@ var (
 	connTimeout                 = flag.Duration("http.connTimeout", 2*time.Minute, "Incoming connections to -httpListenAddr are closed after the configured timeout. "+
 		"This may help evenly spreading load among a cluster of services behind TCP-level load balancer. Zero value disables closing of incoming connections")

-	headerHSTS                  = flag.String("http.header.hsts", "", "Value for 'Strict-Transport-Security' header, recommended: 'max-age=31536000; includeSubDomains'")
-	headerFrameOptions          = flag.String("http.header.frameOptions", "", "Value for 'X-Frame-Options' header")
-	headerCSP                   = flag.String("http.header.csp", "", `Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"`)
-	headerDisableServerHostname = flag.Bool("http.header.disableServerHostname", false, "Whether to disable 'X-Server-Hostname' header in HTTP responses")
+	headerHSTS         = flag.String("http.header.hsts", "", "Value for 'Strict-Transport-Security' header, recommended: 'max-age=31536000; includeSubDomains'")
+	headerFrameOptions = flag.String("http.header.frameOptions", "", "Value for 'X-Frame-Options' header")
+	headerCSP          = flag.String("http.header.csp", "", `Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"`)

 	disableCORS = flag.Bool("http.disableCORS", false, `Disable CORS for all origins (*)`)
 )
@@ -330,9 +329,7 @@ func handlerWrapper(w http.ResponseWriter, r *http.Request, rh RequestHandler) {
 	if *headerCSP != "" {
 		h.Add("Content-Security-Policy", *headerCSP)
 	}
-	if !*headerDisableServerHostname {
-		h.Add("X-Server-Hostname", hostname)
-	}
+	h.Add("X-Server-Hostname", hostname)
 	requestsTotal.Inc()
 	if whetherToCloseConn(r) {
 		connTimeoutClosedConns.Inc()
--- a/lib/httpserver/httpserver_test.go
+++ b/lib/httpserver/httpserver_test.go
@@ -228,30 +228,4 @@ func TestHandlerWrapper(t *testing.T) {
 	if got := h.Get("Content-Security-Policy"); got != cspHeader {
 		t.Fatalf("unexpected CSP header; got %q; want %q", got, cspHeader)
 	}
-	if got := h.Get("X-Server-Hostname"); got != hostname {
-		t.Fatalf("unexpected X-Server-Hostname header; got %q; want %q", got, hostname)
-	}
-}
-
-func TestHandlerWrapperDisableServerHostnameHeader(t *testing.T) {
-	origDisableServerHostname := *headerDisableServerHostname
-	*headerDisableServerHostname = true
-	defer func() {
-		*headerDisableServerHostname = origDisableServerHostname
-	}()
-
-	req, _ := http.NewRequest("GET", "/health", nil)
-
-	srv := &server{s: &http.Server{}}
-	w := &httptest.ResponseRecorder{}
-
-	handlerWrapper(w, req, func(w http.ResponseWriter, r *http.Request) bool {
-		return builtinRoutesHandler(srv, r, w, func(_ http.ResponseWriter, _ *http.Request) bool {
-			return true
-		})
-	})
-
-	if got := w.Header().Get("X-Server-Hostname"); got != "" {
-		t.Fatalf("unexpected X-Server-Hostname header; got %q; want empty value", got)
-	}
 }
--- a/lib/httputil/time_test.go
+++ b/lib/httputil/time_test.go
@@ -52,9 +52,6 @@ func TestGetTimeSuccess(t *testing.T) {
 	f("292277025-08-18T07:12:54.999999999Z", maxTimeMsecs)
 	f("1562529662.324", 1562529662324)
 	f("1223372036.855", 1223372036855)
-
-	// relative duration that resolves to a timestamp before 1970
-	f("-9223372036.854", minTimeMsecs)
 }

 func TestGetTimeError(t *testing.T) {
@@ -66,8 +63,8 @@ func TestGetTimeError(t *testing.T) {
 			t.Fatalf("unexpected error in NewRequest: %s", err)
 		}

-		if msec, err := GetTime(r, "s", 123); err == nil {
-			t.Fatalf("expecting non-nil error in GetTime(%q); got %d", s, msec)
+		if _, err := GetTime(r, "s", 123); err == nil {
+			t.Fatalf("expecting non-nil error in GetTime(%q)", s)
 		}
 	}

@@ -87,6 +84,7 @@ func TestGetTimeError(t *testing.T) {
 	f("123md")
 	f("-12.3md")

-	// relative duration outside the allowed range
+	// relative duration that resolves to a timestamp before 1970
+	f("-9223372036.854")
 	f("-9223372036.855")
 }
--- a/lib/mergeset/table_search_timing_test.go
+++ b/lib/mergeset/table_search_timing_test.go
@@ -94,7 +94,7 @@ func benchmarkTableSearchKeysExt(b *testing.B, tb *Table, keys [][]byte, stripSu
 				}
 				ts.Seek(searchKey)
 				if !ts.NextItem() {
-					panic(fmt.Errorf("BUG: NextItem must return true for searchKeys[%d]=%q; err=%w", i, searchKey, ts.Error()))
+					panic(fmt.Errorf("BUG: NextItem must return true for searchKeys[%d]=%q; err=%v", i, searchKey, ts.Error()))
 				}
 				if !bytes.HasPrefix(ts.Item, searchKey) {
 					panic(fmt.Errorf("BUG: unexpected item found for searchKey[%d]=%q; got %q; want %q", i, searchKey, ts.Item, key))
--- a/lib/promscrape/config.go
+++ b/lib/promscrape/config.go
@@ -76,9 +76,6 @@ var (
 		"Every %d occurrence in the template is substituted with -promscrape.cluster.memberNum at urls to vmagent instances responsible for scraping the given target "+
 		"at /service-discovery page. For example -promscrape.cluster.memberURLTemplate='http://vmagent-%d:8429/targets'. "+
 		"See https://docs.victoriametrics.com/victoriametrics/vmagent/#scraping-big-number-of-targets for more details")
-	clusterShardByLabels = flagutil.NewArrayString("promscrape.cluster.shardByLabels", "Optional list of target labels, which will be used for sharding targets among cluster members "+
-		"if -promscrape.cluster.membersCount is greater than 1. If none of the specified labels are found in a target, then all the target labels will be used for sharding. "+
-		"See https://docs.victoriametrics.com/victoriametrics/vmagent/#scraping-big-number-of-targets for more info")
 	clusterReplicationFactor = flag.Int("promscrape.cluster.replicationFactor", 1, "The number of members in the cluster, which scrape the same targets. "+
 		"If the replication factor is greater than 1, then the deduplication must be enabled at remote storage side. "+
 		"See https://docs.victoriametrics.com/victoriametrics/vmagent/#scraping-big-number-of-targets for more info")
@@ -89,10 +86,7 @@ var (
 		"Bigger uncompressed responses are rejected. See also max_scrape_size option at https://docs.victoriametrics.com/victoriametrics/sd_configs/#scrape_configs")
 )

-var (
-	clusterMemberID            int
-	clusterShardByLabelsSorted []string
-)
+var clusterMemberID int

 func mustInitClusterMemberID() {
 	s := *clusterMemberNum
@@ -116,14 +110,6 @@ func mustInitClusterMemberID() {
 	clusterMemberID = n
 }

-func initClusterShardByLabels() {
-	if len(*clusterShardByLabels) == 0 {
-		return
-	}
-	clusterShardByLabelsSorted = slices.Clone(*clusterShardByLabels)
-	slices.Sort(clusterShardByLabelsSorted)
-}
-
 // Config represents essential parts from Prometheus config defined at https://prometheus.io/docs/prometheus/latest/configuration/configuration/
 type Config struct {
 	Global            GlobalConfig    `yaml:"global,omitempty"`
@@ -1151,29 +1137,13 @@ func (stc *StaticConfig) appendScrapeWork(dst []*ScrapeWork, swc *scrapeWorkConf
 	return dst
 }

-func appendScrapeWorkKey(dst []byte, labels *promutil.Labels, shardByLabels []string) []byte {
-	originalDstLen := len(dst)
-	for _, targetLabelName := range shardByLabels {
-		for _, label := range labels.GetLabels() {
-			if label.Name == targetLabelName {
-				// Do not use strconv.AppendQuote, since it is slow according to CPU profile.
-				dst = append(dst, label.Name...)
-				dst = append(dst, '=')
-				dst = append(dst, label.Value...)
-				dst = append(dst, ',')
-				break
-			}
-		}
-	}
-	// none of the labels specified in -promscrape.cluster.shardByLabels is present, use all labels for backward compatibility.
-	if len(dst) == originalDstLen {
-		for _, label := range labels.GetLabels() {
-			dst = append(dst, label.Name...)
-			dst = append(dst, '=')
-			dst = append(dst, label.Value...)
-			dst = append(dst, ',')
-		}
-		return dst
+func appendScrapeWorkKey(dst []byte, labels *promutil.Labels) []byte {
+	for _, label := range labels.GetLabels() {
+		// Do not use strconv.AppendQuote, since it is slow according to CPU profile.
+		dst = append(dst, label.Name...)
+		dst = append(dst, '=')
+		dst = append(dst, label.Value...)
+		dst = append(dst, ',')
 	}
 	return dst
 }
@@ -1225,7 +1195,7 @@ func (swc *scrapeWorkConfig) getScrapeWork(target string, extraLabels, metaLabel
 	// See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1687#issuecomment-940629495
 	if *clusterMembersCount > 1 {
 		bb := scrapeWorkKeyBufPool.Get()
-		bb.B = appendScrapeWorkKey(bb.B[:0], labels, clusterShardByLabelsSorted)
+		bb.B = appendScrapeWorkKey(bb.B[:0], labels)
 		memberNums := getClusterMemberNumsForScrapeWork(bytesutil.ToUnsafeString(bb.B), *clusterMembersCount, *clusterReplicationFactor)
 		scrapeWorkKeyBufPool.Put(bb)
 		if !slices.Contains(memberNums, clusterMemberID) {
--- a/lib/promscrape/config_test.go
+++ b/lib/promscrape/config_test.go
@@ -148,112 +148,6 @@ func TestGetClusterMemberNumsForScrapeWork(t *testing.T) {
 	f("foo", 3, 2, []int{2, 0})
 }

-func TestAppendScrapeWorkKeyShardByLabels(t *testing.T) {
-	f := func(labelsA, labelsB map[string]string, shardByLabels []string, equal bool) {
-		t.Helper()
-		originValue := *clusterShardByLabels
-		*clusterShardByLabels = shardByLabels
-		initClusterShardByLabels()
-		keyA := string(appendScrapeWorkKey(nil, promutil.NewLabelsFromMap(labelsA), clusterShardByLabelsSorted))
-		keyB := string(appendScrapeWorkKey(nil, promutil.NewLabelsFromMap(labelsB), clusterShardByLabelsSorted))
-		if equal && keyA != keyB {
-			t.Fatalf("unexpected different scrape work keys for shardByLabels=%q;\nlabelsA=%v\nlabelsB=%v\nkeyA=%q\nkeyB=%q",
-				shardByLabels, labelsA, labelsB, keyA, keyB)
-		} else if !equal && keyA == keyB {
-			t.Fatalf("unexpected equal scrape work keys for shardByLabels=%q;\nlabelsA=%v\nlabelsB=%v\nkeyA=%q\nkeyB=%q",
-				shardByLabels, labelsA, labelsB, keyA, keyB)
-		}
-		*clusterShardByLabels = originValue
-	}
-
-	// didn't specify -promscrape.cluster.shardByLabels, and all labels are the same
-	f(
-		map[string]string{
-			"a": "aa",
-			"b": "bb",
-			"c": "cc",
-			"d": "dd"},
-		map[string]string{
-			"a": "aa",
-			"b": "bb",
-			"c": "cc",
-			"d": "dd"},
-		[]string{},
-		true,
-	)
-	// match all labels in -promscrape.cluster.shardByLabels, and they're the same
-	f(
-		map[string]string{
-			"a": "aa",
-			"b": "bb",
-			"c": "cc",
-			"d": "dd"},
-		map[string]string{
-			"c": "cc",
-			"a": "aa",
-			"b": "other",
-			"d": "other"},
-		[]string{"c", "a"},
-		true,
-	)
-
-	// match all labels in -promscrape.cluster.shardByLabels, and they're different
-	f(
-		map[string]string{
-			"a": "aa",
-			"b": "bb",
-			"c": "cc",
-			"d": "dd"},
-		map[string]string{
-			"a": "aa",
-			"b": "other",
-			"c": "cc-------",
-			"d": "other"},
-		[]string{"a", "c"},
-		false,
-	)
-
-	// match part of labels in -promscrape.cluster.shardByLabels, and they're the same
-	f(
-		map[string]string{
-			"a": "aa",
-			"c": "cc",
-			"d": "dd"},
-		map[string]string{
-			"a": "aa",
-			"c": "cc",
-			"e": "ee"},
-		[]string{"a", "b", "c"},
-		true,
-	)
-
-	// match part of labels in -promscrape.cluster.shardByLabels, and they're different
-	f(
-		map[string]string{
-			"a": "aa",
-			"c": "cc",
-			"d": "dd"},
-		map[string]string{
-			"a": "aa-------",
-			"c": "cc",
-			"e": "ee"},
-		[]string{"a", "b", "c"},
-		false,
-	)
-	// none of labels in -promscrape.cluster.shardByLabels is matched, so all labels will be used to sharding
-	f(
-		map[string]string{
-			"d": "dd",
-			"e": "ee"},
-		map[string]string{
-			"d": "dd",
-			"e": "ee"},
-		[]string{"a", "b", "c"},
-		true,
-	)
-
-}
-
 func TestLoadStaticConfigs(t *testing.T) {
 	scs, err := loadStaticConfigs("testdata/file_sd.json")
 	if err != nil {
--- a/lib/promscrape/scraper.go
+++ b/lib/promscrape/scraper.go
@@ -66,7 +66,6 @@ func CheckConfig() error {
 // Scraped data is passed to pushData.
 func Init(pushData func(at *auth.Token, wr *prompb.WriteRequest)) {
 	mustInitClusterMemberID()
-	initClusterShardByLabels()
 	globalStopChan = make(chan struct{})
 	scraperWG.Go(func() {
 		runScraper(*promscrapeConfigFile, pushData, globalStopChan)
--- a/lib/storage/search.go
+++ b/lib/storage/search.go
@@ -468,21 +468,15 @@ func (tf *TagFilter) Unmarshal(src []byte) ([]byte, error) {
 	return src, nil
 }

-// String returns string representation of the search query: tag filters and time range.
+// String returns string representation of the search query.
 func (sq *SearchQuery) String() string {
-	start := TimestampToHumanReadableFormat(sq.MinTimestamp)
-	end := TimestampToHumanReadableFormat(sq.MaxTimestamp)
-	a := sq.FiltersString()
-	return fmt.Sprintf("filters=%s, timeRange=[%s..%s]", a, start, end)
-}
-
-// FiltersString returns string representation of the tag filters.
-func (sq *SearchQuery) FiltersString() []string {
 	a := make([]string, len(sq.TagFilterss))
 	for i, tfs := range sq.TagFilterss {
 		a[i] = tagFiltersToString(tfs)
 	}
-	return a
+	start := TimestampToHumanReadableFormat(sq.MinTimestamp)
+	end := TimestampToHumanReadableFormat(sq.MaxTimestamp)
+	return fmt.Sprintf("filters=%s, timeRange=[%s..%s]", a, start, end)
 }

 func tagFiltersToString(tfs []TagFilter) string {
--- a/lib/timeutil/duration.go
+++ b/lib/timeutil/duration.go
@@ -19,7 +19,7 @@ func ParseDuration(s string) (time.Duration, error) {
 		return 0, err
 	}
 	if ms < minValidMilli || maxValidMilli < ms {
-		return 0, fmt.Errorf("duration %q must be in the range [%s, %s]", s, minDuration, maxDuration)
+		return 0, fmt.Errorf("duration %q must be in the range [%v, %v]", s, minDuration, maxDuration)
 	}
 	return time.Duration(ms) * time.Millisecond, nil
 }
--- a/lib/timeutil/time.go
+++ b/lib/timeutil/time.go
@@ -28,6 +28,7 @@ func ParseTimeMsec(s string) (int64, error) {
 // See https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#timestamp-formats
 //
 // If s doesn't contain timezone information, then the local timezone is used.
+// The time must be in the range [1970-01-01T00:00:00Z, 2262-04-11T23:47:16Z].
 //
 // It returns unix timestamp in nanoseconds.
 func ParseTimeAt(s string, currentTimestamp int64) (int64, error) {
@@ -70,10 +71,14 @@ func ParseTimeAt(s string, currentTimestamp int64) (int64, error) {
 		if err != nil {
 			return 0, err
 		}
-		if d < 0 {
+		if d > 0 {
 			d = -d
 		}
-		return subInt64NoOverflow(currentTimestamp, int64(d)), nil
+		nsec := currentTimestamp + int64(d)
+		if nsec < 0 {
+			return 0, fmt.Errorf("time %s (%v) must be in the range [%v, %v]", sOrig, time.Unix(0, nsec).UTC(), minTime, maxTime)
+		}
+		return nsec, nil
 	}
 	if len(s) == 4 {
 		// Parse YYYY
@@ -110,28 +115,22 @@ func ParseTimeAt(s string, currentTimestamp int64) (int64, error) {
 	return parseTimeAt(time.RFC3339, sOrig, 0, sOrig)
 }

-func parseTimeAt(layout, value string, tzOffsetNsec int64, sOrig string) (int64, error) {
+var (
+	minTime = time.Unix(0, 0).UTC()
+	maxTime = time.Unix(0, math.MaxInt64).UTC()
+)
+
+func parseTimeAt(layout, value string, tzOffsetNanos int64, sOrig string) (int64, error) {
 	t, err := time.Parse(layout, value)
 	if err != nil {
 		return 0, err
 	}
-	nsec := t.UnixNano()
-
-	return subInt64NoOverflow(nsec, -tzOffsetNsec), nil
-}
-
-func subInt64NoOverflow(a, b int64) int64 {
-	if b >= 0 {
-		if a < math.MinInt64+b {
-			return math.MinInt64
-		}
-		return a - b
+	tzOffset := time.Duration(tzOffsetNanos)
+	t = t.UTC().Add(tzOffset)
+	if t.Before(minTime) || t.After(maxTime) {
+		return 0, fmt.Errorf("time %s (%v) must be in the range [%v, %v]", sOrig, t, minTime, maxTime)
 	}
-
-	if a > math.MaxInt64+b {
-		return math.MaxInt64
-	}
-	return a - b
+	return t.UnixNano(), nil
 }

 // TryParseUnixTimestamp parses s as unix timestamp in seconds, milliseconds, microseconds or nanoseconds and returns the parsed timestamp in nanoseconds.
--- a/lib/timeutil/time_test.go
+++ b/lib/timeutil/time_test.go
@@ -210,7 +210,6 @@ func TestParseTimeAtLimits(t *testing.T) {

 	f := func(s string, wantTime time.Time) {
 		t.Helper()
-
 		got, err := ParseTimeAt(s, now.UnixNano())
 		if err != nil {
 			t.Fatalf("unexpected error: %v", err)
@@ -232,38 +231,42 @@ func TestParseTimeAtLimits(t *testing.T) {
 	west := location(t, "Etc/GMT+12") // UTC-12:00
 	var s string

+	// min timestamp
+	f("0", time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+	s = fmt.Sprintf("-%d", now.Unix())
+	f(s, time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+	s = fmt.Sprintf("now-%d", now.Unix())
+	f(s, time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+
 	// min year
-	f("1678Z", time.Date(1678, 1, 1, 0, 0, 0, 0, time.UTC))
-	f("1678+14:00", time.Date(1678, 1, 1, 0, 0, 0, 0, east))
-	f("1678-12:00", time.Date(1678, 1, 1, 0, 0, 0, 0, west))
+	f("1970Z", time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+	f("1971+14:00", time.Date(1971, 1, 1, 0, 0, 0, 0, east))
+	f("1970-12:00", time.Date(1970, 1, 1, 0, 0, 0, 0, west))

 	// min month
-	f("1677-10Z", time.Date(1677, 10, 1, 0, 0, 0, 0, time.UTC))
-	f("1677-10+14:00", time.Date(1677, 10, 1, 0, 0, 0, 0, east))
-	f("1677-10-12:00", time.Date(1677, 10, 1, 0, 0, 0, 0, west))
+	f("1970-01Z", time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+	f("1970-02+14:00", time.Date(1970, 2, 1, 0, 0, 0, 0, east))
+	f("1970-01-12:00", time.Date(1970, 1, 1, 0, 0, 0, 0, west))

 	// min day
-	f("1677-09-22Z", time.Date(1677, 9, 22, 0, 0, 0, 0, time.UTC))
-	f("1677-09-22+14:00", time.Date(1677, 9, 22, 0, 0, 0, 0, east))
-	f("1677-09-22-12:00", time.Date(1677, 9, 22, 0, 0, 0, 0, west))
+	f("1970-01-01Z", time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+	f("1970-01-02+14:00", time.Date(1970, 1, 2, 0, 0, 0, 0, east))
+	f("1970-01-01-12:00", time.Date(1970, 1, 1, 0, 0, 0, 0, west))

 	// min hour
-	f("1677-09-21T01Z", time.Date(1677, 9, 21, 1, 0, 0, 0, time.UTC))
-	f("1677-09-21T15+14:00", time.Date(1677, 9, 21, 15, 0, 0, 0, east))
-	f("1677-09-21T01+14:00", time.Unix(0, math.MinInt64))
-	f("1677-09-21T01-12:00", time.Date(1677, 9, 21, 1, 0, 0, 0, west))
+	f("1970-01-01T00Z", time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+	f("1970-01-01T14+14:00", time.Date(1970, 1, 1, 14, 0, 0, 0, east))
+	f("1969-12-31T12-12:00", time.Date(1969, 12, 31, 12, 0, 0, 0, west))

 	// min minute
-	f("1677-09-21T00:12Z", time.Date(1677, 9, 21, 0, 12, 0, 0, time.UTC))
-	f("1677-09-21T15:12Z+14:00", time.Date(1677, 9, 21, 15, 12, 0, 0, east))
-	f("1677-09-21T00:13Z+14:00", time.Unix(0, math.MinInt64))
-	f("1677-09-21T00:13Z-12:00", time.Date(1677, 9, 21, 0, 13, 0, 0, west))
+	f("1970-01-01T00:00Z", time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+	f("1970-01-01T14:00+14:00", time.Date(1970, 1, 1, 14, 0, 0, 0, east))
+	f("1969-12-31T12:00-12:00", time.Date(1969, 12, 31, 12, 0, 0, 0, west))

 	// min second
-	f("1677-09-21T00:12:43Z", time.Date(1677, 9, 21, 0, 12, 43, 0, time.UTC))
-	f("1677-09-21T15:12:43Z+14:00", time.Date(1677, 9, 21, 15, 12, 43, 0, east))
-	f("1677-09-21T00:12:44Z+14:00", time.Unix(0, math.MinInt64))
-	f("1677-09-21T00:12:44Z-12:00", time.Date(1677, 9, 21, 0, 12, 44, 0, west))
+	f("1970-01-01T00:00:00Z", time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC))
+	f("1970-01-01T14:00:00+14:00", time.Date(1970, 1, 1, 14, 0, 0, 0, east))
+	f("1969-12-31T12:00:00-12:00", time.Date(1969, 12, 31, 12, 0, 0, 0, west))

 	// max year
 	f("2262Z", time.Date(2262, 1, 1, 0, 0, 0, 0, time.UTC))
@@ -277,26 +280,23 @@ func TestParseTimeAtLimits(t *testing.T) {

 	// max day
 	f("2262-04-11Z", time.Date(2262, 4, 11, 0, 0, 0, 0, time.UTC))
-	f("2262-04-11+14:00", time.Date(2262, 4, 11, 0, 0, 0, 0, east))
+	f("2262-04-12+14:00", time.Date(2262, 4, 12, 0, 0, 0, 0, east))
 	f("2262-04-11-12:00", time.Date(2262, 4, 11, 0, 0, 0, 0, west))

 	// max hour
 	f("2262-04-11T23Z", time.Date(2262, 4, 11, 23, 0, 0, 0, time.UTC))
-	f("2262-04-11T23+14:00", time.Date(2262, 4, 11, 23, 0, 0, 0, east))
+	f("2262-04-12T13+14:00", time.Date(2262, 4, 12, 13, 0, 0, 0, east))
 	f("2262-04-11T11-12:00", time.Date(2262, 4, 11, 11, 0, 0, 0, west))
-	f("2262-04-11T23-12:00", time.Unix(0, math.MaxInt64))

 	// max minute
 	f("2262-04-11T23:47Z", time.Date(2262, 4, 11, 23, 47, 0, 0, time.UTC))
-	f("2262-04-11T23:47+14:00", time.Date(2262, 4, 11, 23, 47, 0, 0, east))
+	f("2262-04-12T13:47+14:00", time.Date(2262, 4, 12, 13, 47, 0, 0, east))
 	f("2262-04-11T11:47-12:00", time.Date(2262, 4, 11, 11, 47, 0, 0, west))
-	f("2262-04-11T23:47-12:00", time.Unix(0, math.MaxInt64))

 	// max second
 	f("2262-04-11T23:47:16Z", time.Date(2262, 4, 11, 23, 47, 16, 0, time.UTC))
-	f("2262-04-11T23:47:16+14:00", time.Date(2262, 4, 11, 23, 47, 16, 0, east))
+	f("2262-04-12T13:47:16+14:00", time.Date(2262, 4, 12, 13, 47, 16, 0, east))
 	f("2262-04-11T11:47:16-12:00", time.Date(2262, 4, 11, 11, 47, 16, 0, west))
-	f("2262-04-11T23:47:16-12:00", time.Unix(0, math.MaxInt64))

 	// max timestamp
 	s = fmt.Sprintf("%d", int64(maxValidSecond))
@@ -324,6 +324,85 @@ func TestParseTimeAtLimits(t *testing.T) {
 	f(s, time.Date(1970, 4, 17, 18, 2, 52, 36_854_776, time.UTC))
 }

+func TestParseTimeAtOutsideLimits(t *testing.T) {
+	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
+
+	f := func(s string) {
+		t.Helper()
+		got, err := ParseTimeAt(s, now.UnixNano())
+		if err == nil {
+			t.Fatalf("expected error but got %d", got)
+		}
+		if !strings.Contains(err.Error(), "must be in the range") {
+			t.Fatalf("expected error: %v", err)
+		}
+	}
+
+	// min timestamp
+	f(fmt.Sprintf("-%d", now.Unix()+1))
+	f(fmt.Sprintf("now-%d", now.Unix()+1))
+
+	// min year
+	f("1969Z")
+	f("1970+14:00")
+	f("1969-12:00")
+
+	// min month
+	f("1969-12Z")
+	f("1970-01+14:00")
+	f("1969-12-12:00")
+
+	// min day
+	f("1969-12-31Z")
+	f("1970-01-01+14:00")
+	f("1969-12-31-12:00")
+
+	// min hour
+	f("1969-12-31T23Z")
+	f("1970-01-01T13+14:00")
+	f("1969-12-31T11-12:00")
+
+	// min minute
+	f("1969-12-31T23:59Z")
+	f("1970-01-01T13:59+14:00")
+	f("1969-12-31T11:59-12:00")
+
+	// min second
+	f("1969-12-31T23:59:59Z")
+	f("1970-01-01T13:59:59+14:00")
+	f("1969-12-31T11:59:59-12:00")
+
+	// max year
+	f("2263Z")
+	f("2263+14:00")
+	f("2263-12:00")
+
+	// max month
+	f("2262-05Z")
+	f("2262-05+14:00")
+	f("2262-05-12:00")
+
+	// max day
+	f("2262-04-12Z")
+	f("2262-04-13+14:00")
+	f("2262-04-12-12:00")
+
+	// max hour
+	f("2262-04-12T00Z")
+	f("2262-04-12T14+14:00")
+	f("2262-04-11T12-12:00")
+
+	// max minute
+	f("2262-04-11T23:48Z")
+	f("2262-04-12T13:48+14:00")
+	f("2262-04-11T11:48-12:00")
+
+	// max second
+	f("2262-04-11T23:47:17Z")
+	f("2262-04-12T13:47:17+14:00")
+	f("2262-04-11T11:47:17-12:00")
+}
+
 func TestParseTimeAtOutsideLimits_Nanos(t *testing.T) {
 	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)

@@ -355,6 +434,7 @@ func TestParseTimeMsecFailure(t *testing.T) {
 	}

 	f("")
+	f("2263")
 	f("23-45:50")
 	f("1223-fo:ba")
 	f("1223-12:ba")
--- a/lib/vmalertproxy/vmalertproxy.go
+++ b/lib/vmalertproxy/vmalertproxy.go
@@ -1,68 +0,0 @@
-package vmalertproxy
-
-import (
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"strings"
-
-	"github.com/VictoriaMetrics/VictoriaMetrics/lib/logger"
-)
-
-// Init initializes proxying requests to the given proxyURL when calling HandleRequest.
-//
-// Init must be called after flag.Parse(), since it uses command-line flags.
-func Init(proxyURL string) {
-	if len(proxyURL) == 0 {
-		return
-	}
-	pu, err := url.Parse(proxyURL)
-	if err != nil {
-		logger.Fatalf("cannot parse -vmalert.proxyURL=%q: %s", proxyURL, err)
-	}
-	vmalertProxyHost = pu.Host
-	vmalertProxy = httputil.NewSingleHostReverseProxy(pu)
-}
-
-// HandleRequest proxies the given request path to vmalert at proxyURL passed to Init().
-func HandleRequest(w http.ResponseWriter, r *http.Request, path string) {
-	defer func() {
-		err := recover()
-		if err == nil || err == http.ErrAbortHandler {
-			// Suppress http.ErrAbortHandler panic.
-			// See https://github.com/VictoriaMetrics/VictoriaMetrics/issues/1353
-			return
-		}
-		// Forward other panics to the caller.
-		panic(err)
-	}()
-	req := r.Clone(r.Context())
-	req.URL.Path = path
-	req.Host = vmalertProxyHost
-
-	if strings.HasPrefix(r.Header.Get(`User-Agent`), `Grafana`) {
-		// Grafana currently supports only Prometheus-style alerts. If other alert types
-		// (e.g. logs or traces) are returned, it may fail with "Error loading alerts".
-		//
-		// Grafana queries the vmalert API directly, bypassing the VictoriaMetrics datasource,
-		// so query params (such as datasource_type) cannot be enforced on the Grafana side.
-		//
-		// To ensure compatibility, we detect Grafana requests via the User-Agent and enforce
-		// `datasource_type=prometheus`.
-		//
-		// See:
-		// - https://github.com/VictoriaMetrics/victoriametrics-datasource/issues/329#issuecomment-3847585443
-		// - https://github.com/VictoriaMetrics/victoriametrics-datasource/issues/59
-		q := req.URL.Query()
-		q.Set("datasource_type", "prometheus")
-		req.URL.RawQuery = q.Encode()
-		req.RequestURI = ""
-	}
-
-	vmalertProxy.ServeHTTP(w, req)
-}
-
-var (
-	vmalertProxyHost string
-	vmalertProxy     *httputil.ReverseProxy
-)