Limit access to Checkmk Web-UI on slaves

A customer wanted to limit access to the Web-UI on Checkmk slaves. This couldn't be done on the firewall, as all clients need to be able to access the Web-Interface to download agents from the bakery.
To limit the exposed paths we created the following little Apache configuration. So far it's working pretty well in 2.0; I haven't tested it with 2.1 beta yet.

Any suggestions or feedback is welcome :slight_smile:


```apache
# Access to any Checkmk path only for the svrehcmk1 / Checkmk master
# (and a jump host used for troubleshooting).
# LocationMatch takes a regular expression; "/.*/check_mk" covers every site.
<LocationMatch "/.*/check_mk">
    Require ip <ip_of_cmk_master> <ip_of_cmkadmin_jump_host_for_troubleshooting>
</LocationMatch>

# Exception:
# agent bakery and login are allowed for all clients.
# These sections must come after the restrictive one: with the default
# AuthMerging Off, the last matching section's Require decides.
# (A plain <Location> does not take a regex, so LocationMatch is needed here too.)
<LocationMatch "/.*/check_mk/login.py">
    Require all granted
</LocationMatch>

<LocationMatch "/.*/check_mk/deploy_agent.py">
    Require all granted
</LocationMatch>
```
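To see what this configuration actually exposes before reloading Apache, here is an added Python model (not Checkmk's or Apache's own code) of the merge behaviour the snippet relies on: sections apply in configuration order and, with the default AuthMerging Off, the last matching section's Require decides. The IP addresses and the site name are placeholders; it also shows what happens if the exception sections are placed before the restrictive one.

```python
"""Model of how Apache applies the LocationMatch rules above.

Constructed example for this thread, not Checkmk or Apache code. It mimics
the relevant mod_authz_core behaviour: sections are evaluated in
configuration order and the last matching section's Require policy wins.
"""
import ipaddress
import re

# (regex, allowed networks) in configuration order; None means "all granted".
# The addresses are placeholders for the master and the troubleshooting jump host.
RULES = [
    (r"/.*/check_mk", ["192.0.2.10", "192.0.2.20"]),   # Require ip master jumphost
    (r"/.*/check_mk/login.py", None),                  # Require all granted
    (r"/.*/check_mk/deploy_agent.py", None),           # Require all granted
]

# The same sections with the exceptions placed first: the broad deny section
# now matches last and overrides them, locking clients out of login/bakery.
MISORDERED = RULES[1:] + RULES[:1]


def allowed(path, client_ip, rules=RULES):
    """Return True if the last matching section grants access to client_ip.

    Paths matched by no section are unaffected by this snippet; they are
    treated as granted here (assumption, for the model only).
    """
    ip = ipaddress.ip_address(client_ip)
    decision = True
    for pattern, nets in rules:
        # LocationMatch applies an unanchored regex to the URL path.
        if re.search(pattern, path):
            if nets is None:
                decision = True
            else:
                # "Require ip" accepts single addresses or CIDR networks.
                decision = any(
                    ip in ipaddress.ip_network(n, strict=False) for n in nets
                )
    return decision


if __name__ == "__main__":
    for client in ("192.0.2.10", "10.1.1.5"):
        for path in ("/mysite/check_mk/index.py", "/mysite/check_mk/login.py",
                     "/mysite/check_mk/deploy_agent.py"):
            print(client, path, "granted" if allowed(path, client) else "denied")
```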

Only one question. What is the reason for this?

Basically security concerns: why allow every single box in the whole network to access the complete Checkmk web-UI if you don't have to? Granted, as long as the Checkmk login is secure and there are no vulnerabilities, which is currently the case, there is no issue, but you simply have less exposure if something happens.
Similar idea to what most web application firewalls do (they are just a little smarter and more expensive :D)

Just in case you use predictive monitoring: the link to the graph points to the remote site, at least in 1.6. I haven't tested it in 2.0 yet.
In our local monitoring the user has to use the local site. This is to offload users from the master server and also to allow user access to monitoring in case the site is disconnected from the WAN.

Just my thoughts.

Michael

We believe that this is something, which should be handled by a firewall or WAF.
If one wants to fiddle with this, that is fine, but we can not and will not support such a setup.

Totally fine :), I don't think official t29 support is needed.

We're doing it on the system Apache, which doesn't mess with the Checkmk site any more than a WAF would :slight_smile:
A firewall wouldn't really work here, I guess.
