librenms-librenms/doc/Extensions/RRDCached-Security.md

### Securing with nginx
According to the [man page](https://linux.die.net/man/1/rrdcached), under "SECURITY CONSIDERATIONS", rrdcached has no authentication or security except for running under a unix socket. If you choose to use a network socket instead of a unix socket, you will need to secure your rrdcached installation. To do so you can proxy rrdcached using nginx to allow only specific IPs to connect.

using the same setup above, using nginx version 1.9.0 or later, you can follow this setup to proxy the default rrdcached port to the local unix socket.

(You can use `./conf.d` for your configuration as well)

`mkdir /etc/nginx/streams-{available,enabled}`

add the following to your nginx.conf file:
```nginx
#/etc/nginx/nginx.conf
...
stream {
    include /etc/nginx/streams-enabled/*;
}
```

add this to `/etc/nginx/streams-available/rrd`
```nginx
server {
    listen 42217;

    error_log  /var/log/nginx/rrd.stream.error.log;

    allow $LibreNMS_IP;
    deny all;

    proxy_pass unix:/var/run/rrdcached/rrdcached.sock;
}
```
replace `$LibreNMS_IP` with the ip of the server that will be using rrdcached. You can specify more than one `allow` statement.
This will bind nginx to TCP 42217 (the default rrdcached port), allow the specified IPs to connect, and deny all others.

next, we'll symlink the config to streams-enabled:
`ln -s /etc/nginx/streams-{available,enabled}/rrd`

and reload nginx
`service nginx reload`
docs: Added documentation on securing rrdcached. (#5093) 2016-11-30 15:21:17 -08:00			`### Securing with nginx`
docs: RRDCached-Security clearify security (#8302) Clarify that additional security is only needed if you use a network socket instead of a unix socket. This might reduce confusion since the default directions on https://docs.librenms.org/#Extensions/RRDCached/ only setup unix sockets so no further steps are needed. Source information found at: https://oss.oetiker.ch/rrdtool/doc/rrdcached.en.html#SECURITY_CONSIDERATIONS 2018-02-27 10:42:16 -05:00			`According to the [man page](https://linux.die.net/man/1/rrdcached), under "SECURITY CONSIDERATIONS", rrdcached has no authentication or security except for running under a unix socket. If you choose to use a network socket instead of a unix socket, you will need to secure your rrdcached installation. To do so you can proxy rrdcached using nginx to allow only specific IPs to connect.`
docs: Added documentation on securing rrdcached. (#5093) 2016-11-30 15:21:17 -08:00
			`using the same setup above, using nginx version 1.9.0 or later, you can follow this setup to proxy the default rrdcached port to the local unix socket.`

			(You can use `./conf.d` for your configuration as well)

			`mkdir /etc/nginx/streams-{available,enabled}`

			`add the following to your nginx.conf file:`
			```nginx
			`#/etc/nginx/nginx.conf`
			`...`
			`stream {`
			`include /etc/nginx/streams-enabled/*;`
			`}`
			```

			add this to `/etc/nginx/streams-available/rrd`
			```nginx
			`server {`
			`listen 42217;`

			`error_log /var/log/nginx/rrd.stream.error.log;`

			`allow $LibreNMS_IP;`
			`deny all;`

			`proxy_pass unix:/var/run/rrdcached/rrdcached.sock;`
			`}`
			```
			replace `$LibreNMS_IP` with the ip of the server that will be using rrdcached. You can specify more than one `allow` statement.
			`This will bind nginx to TCP 42217 (the default rrdcached port), allow the specified IPs to connect, and deny all others.`

			`next, we'll symlink the config to streams-enabled:`
			`ln -s /etc/nginx/streams-{available,enabled}/rrd`

			`and reload nginx`
			`service nginx reload`