Limit access to Checkmk Web-UI on slaves

A customer wanted to limit access to the Web-UI on Checkmk slaves. This couldn’t be done on the firewall, as all clients need to be able to access the Web-Interface to download agents from the bakery.
To limit the exposed paths we created the following little apache configuration. So far it’s working pretty well in 2.0, haven’t tested it with 2.1beta yet.

Any suggestions or feedback is welcome :slight_smile:

# access to any checkmk paths only for the svrehcmk1 / checkmk master
<Locationmatch "/.*/check_mk">
    Require ip <ip_of_cmk_master> <ip_of_cmkadmin_jump_host_for_troubleshooting>

# Exception:
# agent bakery and login is allowed for all clients
<Location "/.*/check_mk/">
    Require all granted

<LocationMatch "/.*/check_mk/">
    Require all granted

Only one question. What is the reason for this?

Basically security concerns - why allow every single box in the whole network to access the complete checkmk web-ui if you don’t have to? granted: as long as checkmk login is secure and there are no vulnerabilities, which it currently is, there is no issue, but you simply have less exposure if something happens.
Similar idea to what most web application firewalls do (they are just a little smarter and more expensive :D)

Just in case you use predictive monitoring the link to the graph points to the remote site at least in1.6. Didn’t tested in 2.0 yet.
In our Local Monitoring the user has to use the local site. This is to offload users from master server and also allow user access to monitoring in case site is disconnected from WAN.

Just my thought’s.


We believe that this is something, which should be handled by a firewall or WAF.
If one wants to fiddle with this, that is fine, but we can not and will not support such a setup.

totally fine :), I don’t think official t29 support is needed.

We’re doing it on the system apache which doesn’t mess with the checkmk site any more than a WAF would :slight_smile:
a firewall wouldn’t really work here I guess.

1 Like