librenms-librenms/doc/Extensions/RRDCached-Security.md

# Securing with nginx

path: blob/master/doc/

According to the [man page](https://linux.die.net/man/1/rrdcached),
under "SECURITY CONSIDERATIONS", rrdcached has no authentication or
security except for running under a unix socket. If you choose to use
a network socket instead of a unix socket, you will need to secure
your rrdcached installation. To do so you can proxy rrdcached using
nginx to allow only specific IPs to connect.

Using the same setup above, using nginx version 1.9.0 or later, you
can follow this setup to proxy the default rrdcached port to the local
unix socket.

(You can use `./conf.d` for your configuration as well)

`mkdir /etc/nginx/streams-{available,enabled}`

add the following to your nginx.conf file:

```nginx
#/etc/nginx/nginx.conf
...
stream {
    include /etc/nginx/streams-enabled/*;
}
```

Add this to `/etc/nginx/streams-available/rrd`

```nginx
server {
    listen 42217;

    error_log  /var/log/nginx/rrd.stream.error.log;

    allow $LibreNMS_IP;
    deny all;

    proxy_pass unix:/var/run/rrdcached/rrdcached.sock;
}

```

Replace `$LibreNMS_IP` with the ip of the server that will be using
rrdcached. You can specify more than one `allow` statement. This will
bind nginx to TCP 42217 (the default rrdcached port), allow the
specified IPs to connect, and deny all others.

next, we'll symlink the config to streams-enabled:
`ln -s /etc/nginx/streams-{available,enabled}/rrd`

and reload nginx
`service nginx reload`
more documentation clean up (#10577) * fix a few bare URLs * make mdl happy * make Weathermap.md as mdl happy as possible * make Varnish.md as mdl happy as possible * make Two-Factor-Auth.md mdl happy * touch one header for Syslog.md, but little can be done about the rest * make Sub-Directory.md as mdl happy as possible * make SNMP-Trap-Handler.md lint happy * make SNMP-Proxy.md mdl happy * make Smokeping.md as mdl happy as possible * make Services.md mdl happy * make RRDTune.md mdl happy * cleanup RRDCached.md as much as possible * make RRDCached-Security.md mdl happy * make Rancid.md as mdl happy as possible * make Proxmox.md mdl happy * make Plugin-System.md as mdl happy as possible * make PeeringDB.md mdl happy * make Oxidized.md more lint happy * make Network-Map.md mdl happy * make MIB-based-polling.md as mdl happy as possible * make Metric-Storage.md mdl happy * make IRC-Bot.md as mdl happy as possible * make IRC-Bot-Extensions.md as mdl happy as possible * make * make Graylog.md mdl happy * make Gateone.md mdl happy * make Fast-Ping-Check.md mdl happy * make Distributed-Poller.md as mdl happy as possible * make Dispatcher-Service.md as mdl happy as possible * make Device-Groups.md mdl happy * make Dell-OpenManage.md mdl happy * make Dashboard.md mdl happy * make Customizing-the-Web-UI.md as mdl happy as possible * make Component.md mdl happy * make Billing-Module.md mdl happy * make Auto-Discovery.md mostly mdl happy * make Authentication.md as mdl happy as possible * tidy up a few lines in Applications.md * make Agent-Setup.md as mdl happy as possible * make metrics/OpenTSDB.md mdl happy * spelling fix 2019-09-09 05:48:35 -05:00			`# Securing with nginx`

Updated to use new theme for docs site (#9320) * Updated to use new theme for docs site * Updated theme location * Removed librenms.css * Updated index page + re-added librenms.css * Use built in theme modification * flexbox grid, dump bootstrap * tidy up things * Added path and updated deploy script + mkdocs config * Removed db schmea changes * Updated to install python/pip 3 * Removed pip3 install * Pip3 install * Updated deploy-docs * Updated deploy-docs 2018-10-27 23:04:34 +01:00			`path: blob/master/doc/`
docs: Added documentation on securing rrdcached. (#5093) 2016-11-30 15:21:17 -08:00
more documentation clean up (#10577) * fix a few bare URLs * make mdl happy * make Weathermap.md as mdl happy as possible * make Varnish.md as mdl happy as possible * make Two-Factor-Auth.md mdl happy * touch one header for Syslog.md, but little can be done about the rest * make Sub-Directory.md as mdl happy as possible * make SNMP-Trap-Handler.md lint happy * make SNMP-Proxy.md mdl happy * make Smokeping.md as mdl happy as possible * make Services.md mdl happy * make RRDTune.md mdl happy * cleanup RRDCached.md as much as possible * make RRDCached-Security.md mdl happy * make Rancid.md as mdl happy as possible * make Proxmox.md mdl happy * make Plugin-System.md as mdl happy as possible * make PeeringDB.md mdl happy * make Oxidized.md more lint happy * make Network-Map.md mdl happy * make MIB-based-polling.md as mdl happy as possible * make Metric-Storage.md mdl happy * make IRC-Bot.md as mdl happy as possible * make IRC-Bot-Extensions.md as mdl happy as possible * make * make Graylog.md mdl happy * make Gateone.md mdl happy * make Fast-Ping-Check.md mdl happy * make Distributed-Poller.md as mdl happy as possible * make Dispatcher-Service.md as mdl happy as possible * make Device-Groups.md mdl happy * make Dell-OpenManage.md mdl happy * make Dashboard.md mdl happy * make Customizing-the-Web-UI.md as mdl happy as possible * make Component.md mdl happy * make Billing-Module.md mdl happy * make Auto-Discovery.md mostly mdl happy * make Authentication.md as mdl happy as possible * tidy up a few lines in Applications.md * make Agent-Setup.md as mdl happy as possible * make metrics/OpenTSDB.md mdl happy * spelling fix 2019-09-09 05:48:35 -05:00			`According to the [man page](https://linux.die.net/man/1/rrdcached),`
			`under "SECURITY CONSIDERATIONS", rrdcached has no authentication or`
			`security except for running under a unix socket. If you choose to use`
			`a network socket instead of a unix socket, you will need to secure`
			`your rrdcached installation. To do so you can proxy rrdcached using`
			`nginx to allow only specific IPs to connect.`

			`Using the same setup above, using nginx version 1.9.0 or later, you`
			`can follow this setup to proxy the default rrdcached port to the local`
			`unix socket.`
docs: Added documentation on securing rrdcached. (#5093) 2016-11-30 15:21:17 -08:00
			(You can use `./conf.d` for your configuration as well)

			`mkdir /etc/nginx/streams-{available,enabled}`

			`add the following to your nginx.conf file:`
more documentation clean up (#10577) * fix a few bare URLs * make mdl happy * make Weathermap.md as mdl happy as possible * make Varnish.md as mdl happy as possible * make Two-Factor-Auth.md mdl happy * touch one header for Syslog.md, but little can be done about the rest * make Sub-Directory.md as mdl happy as possible * make SNMP-Trap-Handler.md lint happy * make SNMP-Proxy.md mdl happy * make Smokeping.md as mdl happy as possible * make Services.md mdl happy * make RRDTune.md mdl happy * cleanup RRDCached.md as much as possible * make RRDCached-Security.md mdl happy * make Rancid.md as mdl happy as possible * make Proxmox.md mdl happy * make Plugin-System.md as mdl happy as possible * make PeeringDB.md mdl happy * make Oxidized.md more lint happy * make Network-Map.md mdl happy * make MIB-based-polling.md as mdl happy as possible * make Metric-Storage.md mdl happy * make IRC-Bot.md as mdl happy as possible * make IRC-Bot-Extensions.md as mdl happy as possible * make * make Graylog.md mdl happy * make Gateone.md mdl happy * make Fast-Ping-Check.md mdl happy * make Distributed-Poller.md as mdl happy as possible * make Dispatcher-Service.md as mdl happy as possible * make Device-Groups.md mdl happy * make Dell-OpenManage.md mdl happy * make Dashboard.md mdl happy * make Customizing-the-Web-UI.md as mdl happy as possible * make Component.md mdl happy * make Billing-Module.md mdl happy * make Auto-Discovery.md mostly mdl happy * make Authentication.md as mdl happy as possible * tidy up a few lines in Applications.md * make Agent-Setup.md as mdl happy as possible * make metrics/OpenTSDB.md mdl happy * spelling fix 2019-09-09 05:48:35 -05:00
docs: Added documentation on securing rrdcached. (#5093) 2016-11-30 15:21:17 -08:00			```nginx
			`#/etc/nginx/nginx.conf`
			`...`
			`stream {`
			`include /etc/nginx/streams-enabled/*;`
			`}`
			```

more documentation clean up (#10577) * fix a few bare URLs * make mdl happy * make Weathermap.md as mdl happy as possible * make Varnish.md as mdl happy as possible * make Two-Factor-Auth.md mdl happy * touch one header for Syslog.md, but little can be done about the rest * make Sub-Directory.md as mdl happy as possible * make SNMP-Trap-Handler.md lint happy * make SNMP-Proxy.md mdl happy * make Smokeping.md as mdl happy as possible * make Services.md mdl happy * make RRDTune.md mdl happy * cleanup RRDCached.md as much as possible * make RRDCached-Security.md mdl happy * make Rancid.md as mdl happy as possible * make Proxmox.md mdl happy * make Plugin-System.md as mdl happy as possible * make PeeringDB.md mdl happy * make Oxidized.md more lint happy * make Network-Map.md mdl happy * make MIB-based-polling.md as mdl happy as possible * make Metric-Storage.md mdl happy * make IRC-Bot.md as mdl happy as possible * make IRC-Bot-Extensions.md as mdl happy as possible * make * make Graylog.md mdl happy * make Gateone.md mdl happy * make Fast-Ping-Check.md mdl happy * make Distributed-Poller.md as mdl happy as possible * make Dispatcher-Service.md as mdl happy as possible * make Device-Groups.md mdl happy * make Dell-OpenManage.md mdl happy * make Dashboard.md mdl happy * make Customizing-the-Web-UI.md as mdl happy as possible * make Component.md mdl happy * make Billing-Module.md mdl happy * make Auto-Discovery.md mostly mdl happy * make Authentication.md as mdl happy as possible * tidy up a few lines in Applications.md * make Agent-Setup.md as mdl happy as possible * make metrics/OpenTSDB.md mdl happy * spelling fix 2019-09-09 05:48:35 -05:00			Add this to `/etc/nginx/streams-available/rrd`

docs: Added documentation on securing rrdcached. (#5093) 2016-11-30 15:21:17 -08:00			```nginx
			`server {`
			`listen 42217;`

			`error_log /var/log/nginx/rrd.stream.error.log;`

			`allow $LibreNMS_IP;`
			`deny all;`

			`proxy_pass unix:/var/run/rrdcached/rrdcached.sock;`
			`}`
more documentation clean up (#10577) * fix a few bare URLs * make mdl happy * make Weathermap.md as mdl happy as possible * make Varnish.md as mdl happy as possible * make Two-Factor-Auth.md mdl happy * touch one header for Syslog.md, but little can be done about the rest * make Sub-Directory.md as mdl happy as possible * make SNMP-Trap-Handler.md lint happy * make SNMP-Proxy.md mdl happy * make Smokeping.md as mdl happy as possible * make Services.md mdl happy * make RRDTune.md mdl happy * cleanup RRDCached.md as much as possible * make RRDCached-Security.md mdl happy * make Rancid.md as mdl happy as possible * make Proxmox.md mdl happy * make Plugin-System.md as mdl happy as possible * make PeeringDB.md mdl happy * make Oxidized.md more lint happy * make Network-Map.md mdl happy * make MIB-based-polling.md as mdl happy as possible * make Metric-Storage.md mdl happy * make IRC-Bot.md as mdl happy as possible * make IRC-Bot-Extensions.md as mdl happy as possible * make * make Graylog.md mdl happy * make Gateone.md mdl happy * make Fast-Ping-Check.md mdl happy * make Distributed-Poller.md as mdl happy as possible * make Dispatcher-Service.md as mdl happy as possible * make Device-Groups.md mdl happy * make Dell-OpenManage.md mdl happy * make Dashboard.md mdl happy * make Customizing-the-Web-UI.md as mdl happy as possible * make Component.md mdl happy * make Billing-Module.md mdl happy * make Auto-Discovery.md mostly mdl happy * make Authentication.md as mdl happy as possible * tidy up a few lines in Applications.md * make Agent-Setup.md as mdl happy as possible * make metrics/OpenTSDB.md mdl happy * spelling fix 2019-09-09 05:48:35 -05:00
docs: Added documentation on securing rrdcached. (#5093) 2016-11-30 15:21:17 -08:00			```
more documentation clean up (#10577) * fix a few bare URLs * make mdl happy * make Weathermap.md as mdl happy as possible * make Varnish.md as mdl happy as possible * make Two-Factor-Auth.md mdl happy * touch one header for Syslog.md, but little can be done about the rest * make Sub-Directory.md as mdl happy as possible * make SNMP-Trap-Handler.md lint happy * make SNMP-Proxy.md mdl happy * make Smokeping.md as mdl happy as possible * make Services.md mdl happy * make RRDTune.md mdl happy * cleanup RRDCached.md as much as possible * make RRDCached-Security.md mdl happy * make Rancid.md as mdl happy as possible * make Proxmox.md mdl happy * make Plugin-System.md as mdl happy as possible * make PeeringDB.md mdl happy * make Oxidized.md more lint happy * make Network-Map.md mdl happy * make MIB-based-polling.md as mdl happy as possible * make Metric-Storage.md mdl happy * make IRC-Bot.md as mdl happy as possible * make IRC-Bot-Extensions.md as mdl happy as possible * make * make Graylog.md mdl happy * make Gateone.md mdl happy * make Fast-Ping-Check.md mdl happy * make Distributed-Poller.md as mdl happy as possible * make Dispatcher-Service.md as mdl happy as possible * make Device-Groups.md mdl happy * make Dell-OpenManage.md mdl happy * make Dashboard.md mdl happy * make Customizing-the-Web-UI.md as mdl happy as possible * make Component.md mdl happy * make Billing-Module.md mdl happy * make Auto-Discovery.md mostly mdl happy * make Authentication.md as mdl happy as possible * tidy up a few lines in Applications.md * make Agent-Setup.md as mdl happy as possible * make metrics/OpenTSDB.md mdl happy * spelling fix 2019-09-09 05:48:35 -05:00
			Replace `$LibreNMS_IP` with the ip of the server that will be using
			rrdcached. You can specify more than one `allow` statement. This will
			`bind nginx to TCP 42217 (the default rrdcached port), allow the`
			`specified IPs to connect, and deny all others.`
docs: Added documentation on securing rrdcached. (#5093) 2016-11-30 15:21:17 -08:00
			`next, we'll symlink the config to streams-enabled:`
			`ln -s /etc/nginx/streams-{available,enabled}/rrd`

			`and reload nginx`
			`service nginx reload`