summaryrefslogtreecommitdiffstats
path: root/registry/README.md
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2019-11-28 04:53:08 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2019-11-28 04:53:08 +0000
commit315e0143f65da3485dcbcd2f6a3172a351618aec (patch)
treeb713ae472cffab249c95917c6fb6d242d54e0a87 /registry/README.md
parentAdding upstream version 1.18.1. (diff)
downloadnetdata-315e0143f65da3485dcbcd2f6a3172a351618aec.tar.xz
netdata-315e0143f65da3485dcbcd2f6a3172a351618aec.zip
Adding upstream version 1.19.0.upstream/1.19.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--registry/README.md17
1 files changed, 17 insertions, 0 deletions
diff --git a/registry/README.md b/registry/README.md
index f852809be..205937ba4 100644
--- a/registry/README.md
+++ b/registry/README.md
@@ -122,6 +122,23 @@ Netdata v1.9+ support limiting access to the registry from given IPs, like this:
Keep in mind that connections to Netdata API ports are filtered by `[web].allow connections from`. So, IPs allowed by `[registry].allow from` should also be allowed by `[web].allow connection from`.
+The patterns can be matches over IP addresses or FQDN of the host.
+In order to check the FQDN of the connection without opening the Netdata agent to DNS-spoofing, a reverse-dns record
+must be setup for the connecting host. At connection time the reverse-dns of the peer IP address is resolved, and
+a forward DNS resolution is made to validate the IP address against the name-pattern.
+
+Please note that this process can be expensive on a machine that is serving many connections. The behaviour of
+the pattern matching can be controlled with the following setting:
+```
+[registry]
+ allow by dns = heuristic
+```
+
+The settings are:
+* `yes` allows the pattern to match DNS names.
+* `no` disables DNS matching for the patterns (they only match IP addresses).
+* `heuristic` will estimate if the patterns should match FQDNs by the presence or absence of `:`s or alpha-characters.
+
### Where is the registry database stored?
`/var/lib/netdata/registry/*.db`