mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

docs: Added documentation on securing rrdcached. (#5093)

Browse Source
This commit is contained in:
Layne
2016-11-30 15:21:17 -08:00
committed by Neil Lathwood
parent 8d8728d7d2
commit 1de0d2c548
3 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
doc/Extensions/RRDCached-Security.md Normal file
View File

@@ -0,0 +1,39 @@
### Securing with nginx
According to the [man page](https://linux.die.net/man/1/rrdcached), under "SECURITY CONSIDERATIONS", rrdcached has no authentication or security except for running under a unix socket. To secure your rrdcached installation, you can proxy it using nginx to allow only specific IPs to connect.
using the same setup above, using nginx version 1.9.0 or later, you can follow this setup to proxy the default rrdcached port to the local unix socket.
(You can use `./conf.d` for your configuration as well)
`mkdir /etc/nginx/streams-{available,enabled}`
add the following to your nginx.conf file:
```nginx
#/etc/nginx/nginx.conf
...
stream {
include /etc/nginx/streams-enabled/*;
}
```
add this to `/etc/nginx/streams-available/rrd`
```nginx
server {
listen 42217;
error_log /var/log/nginx/rrd.stream.error.log;
allow $LibreNMS_IP;
deny all;
proxy_pass unix:/var/run/rrdcached/rrdcached.sock;
}
```
replace `$LibreNMS_IP` with the ip of the server that will be using rrdcached. You can specify more than one `allow` statement.
This will bind nginx to TCP 42217 (the default rrdcached port), allow the specified IPs to connect, and deny all others.
next, we'll symlink the config to streams-enabled:
`ln -s /etc/nginx/streams-{available,enabled}/rrd`
and reload nginx
`service nginx reload`

2
doc/Extensions/RRDCached.md
View File

@@ -128,6 +128,8 @@ Disk I/O can be found under the menu Devices>All Devices>[localhost hostname]>He
Depending on many factors, you should see the Ops/sec drop by ~30-40%.
#### Securing RRCached
Please see [RRDCached Security](RRDCached-Security.md)
[1]: http://librenms.readthedocs.org/Installation/Installation-CentOS-7-Apache/
"Add localhost to LibreNMS"

1
mkdocs.yml
View File

@@ -104,3 +104,4 @@ pages:
- Installation/Installation-(Debian-Ubuntu).md
- Installation/Installation-(RHEL-CentOS).md
- Support/Support-New-OS.md
- Extensions/RRDCached-Security.md