diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2019-11-28 04:53:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2019-11-28 04:53:29 +0000 |
commit | 17c93e2be4ad7b3af0cd6878bdd5d8a4a3e6da99 (patch) | |
tree | 3e0c96613972e8bb4afdeeb97a034806363ddfa9 /registry/README.md | |
parent | Releasing debian version 1.18.1-1. (diff) | |
download | netdata-17c93e2be4ad7b3af0cd6878bdd5d8a4a3e6da99.tar.xz netdata-17c93e2be4ad7b3af0cd6878bdd5d8a4a3e6da99.zip |
Merging upstream version 1.19.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'registry/README.md')
-rw-r--r-- | registry/README.md | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/registry/README.md b/registry/README.md index f852809b..205937ba 100644 --- a/registry/README.md +++ b/registry/README.md @@ -122,6 +122,23 @@ Netdata v1.9+ support limiting access to the registry from given IPs, like this: Keep in mind that connections to Netdata API ports are filtered by `[web].allow connections from`. So, IPs allowed by `[registry].allow from` should also be allowed by `[web].allow connection from`. +The patterns can be matches over IP addresses or FQDN of the host. +In order to check the FQDN of the connection without opening the Netdata agent to DNS-spoofing, a reverse-dns record +must be setup for the connecting host. At connection time the reverse-dns of the peer IP address is resolved, and +a forward DNS resolution is made to validate the IP address against the name-pattern. + +Please note that this process can be expensive on a machine that is serving many connections. The behaviour of +the pattern matching can be controlled with the following setting: +``` +[registry] + allow by dns = heuristic +``` + +The settings are: +* `yes` allows the pattern to match DNS names. +* `no` disables DNS matching for the patterns (they only match IP addresses). +* `heuristic` will estimate if the patterns should match FQDNs by the presence or absence of `:`s or alpha-characters. + ### Where is the registry database stored? `/var/lib/netdata/registry/*.db` |