mirror of
https://github.com/librenms/librenms.git
synced 2024-10-07 16:52:45 +00:00
* fix a few bare URLs
* make mdl happy
* make Weathermap.md as mdl happy as possible
* make Varnish.md as mdl happy as possible
* make Two-Factor-Auth.md mdl happy
* touch one header for Syslog.md, but little can be done about the rest
* make Sub-Directory.md as mdl happy as possible
* make SNMP-Trap-Handler.md lint happy
* make SNMP-Proxy.md mdl happy
* make Smokeping.md as mdl happy as possible
* make Services.md mdl happy
* make RRDTune.md mdl happy
* cleanup RRDCached.md as much as possible
* make RRDCached-Security.md mdl happy
* make Rancid.md as mdl happy as possible
* make Proxmox.md mdl happy
* make Plugin-System.md as mdl happy as possible
* make PeeringDB.md mdl happy
* make Oxidized.md more lint happy
* make Network-Map.md mdl happy
* make MIB-based-polling.md as mdl happy as possible
* make Metric-Storage.md mdl happy
* make IRC-Bot.md as mdl happy as possible
* make IRC-Bot-Extensions.md as mdl happy as possible
* make
* make Graylog.md mdl happy
* make Gateone.md mdl happy
* make Fast-Ping-Check.md mdl happy
* make Distributed-Poller.md as mdl happy as possible
* make Dispatcher-Service.md as mdl happy as possible
* make Device-Groups.md mdl happy
* make Dell-OpenManage.md mdl happy
* make Dashboard.md mdl happy
* make Customizing-the-Web-UI.md as mdl happy as possible
* make Component.md mdl happy
* make Billing-Module.md mdl happy
* make Auto-Discovery.md mostly mdl happy
* make Authentication.md as mdl happy as possible
* tidy up a few lines in Applications.md
* make Agent-Setup.md as mdl happy as possible
* make metrics/OpenTSDB.md mdl happy
* spelling fix
56 lines
1.4 KiB
Markdown
# Securing with nginx

According to the [man page](https://linux.die.net/man/1/rrdcached),
under "SECURITY CONSIDERATIONS", rrdcached has no authentication or
security except for running under a unix socket. If you choose to use
a network socket instead of a unix socket, you will need to secure
your rrdcached installation. To do so you can proxy rrdcached using
nginx to allow only specific IPs to connect.

Using the same setup above, using nginx version 1.9.0 or later, you
can follow this setup to proxy the default rrdcached port to the local
unix socket.

(You can use `./conf.d` for your configuration as well)

`mkdir /etc/nginx/streams-{available,enabled}`

Add the following to your nginx.conf file:

```nginx
#/etc/nginx/nginx.conf
...
stream {
    include /etc/nginx/streams-enabled/*;
}
```

Add this to `/etc/nginx/streams-available/rrd`

```nginx
server {
    listen 42217;

    error_log /var/log/nginx/rrd.stream.error.log;

    allow $LibreNMS_IP;
    deny all;

    proxy_pass unix:/var/run/rrdcached/rrdcached.sock;
}
```

Replace `$LibreNMS_IP` with the IP of the server that will be using
rrdcached. You can specify more than one `allow` statement. This will
bind nginx to TCP 42217 (the default rrdcached port), allow the
specified IPs to connect, and deny all others.

Next, we'll symlink the config to streams-enabled:

`ln -s /etc/nginx/streams-{available,enabled}/rrd`

and reload nginx:

`service nginx reload`
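
An added example, not part of the LibreNMS documentation: a small Python check that replays nginx's ordered, first-match `allow`/`deny` evaluation over the stream block above and lists settings that would leave the rrdcached proxy unrestricted. The sample address `192.0.2.10` and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the stream block from this page, with the placeholder
# replaced by a documentation address (192.0.2.10 is an assumption).
SAMPLE = """
server {
    listen 42217;
    allow 192.0.2.10;
    deny all;
    proxy_pass unix:/var/run/rrdcached/rrdcached.sock;
}
"""

def directives(conf):
    """Return (name, argument) pairs in file order, comments stripped."""
    conf = re.sub(r"#.*", "", conf)
    return [(n, a.strip()) for n, a in
            re.findall(r"^\s*([a-z_]+)\s+([^;{}]+);", conf, re.M)]

def access_rules(conf):
    return [(n, a) for n, a in directives(conf) if n in ("allow", "deny")]

def acl_decision(conf, client_ip):
    """Rules are checked in order and the first match wins; a client
    that matches no rule is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for name, arg in access_rules(conf):
        try:
            if arg == "all" or ip in ipaddress.ip_network(arg, strict=False):
                return name
        except ValueError:
            continue  # unparsable value; audit() reports placeholders
    return "allow"

def audit(conf):
    """List reasons the block would not restrict rrdcached as intended."""
    rules, findings = access_rules(conf), []
    if any(a.startswith("$") for _, a in rules):
        findings.append("placeholder such as $LibreNMS_IP not replaced")
    if not rules or rules[-1] != ("deny", "all"):
        findings.append("last access rule is not 'deny all'")
    if ("allow", "all") in rules:
        findings.append("'allow all' present")
    if not any(n == "proxy_pass" and a.startswith("unix:")
               for n, a in directives(conf)):
        findings.append("proxy_pass does not target a unix socket")
    return findings
```

Running `audit()` on a copy of the block with `deny all;` removed shows why that line matters: every address that matches no `allow` rule is then accepted.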