author: Daniel Baumann <daniel.baumann@progress-linux.org> 2019-11-28 04:53:29 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2019-11-28 04:53:29 +0000
commit: 17c93e2be4ad7b3af0cd6878bdd5d8a4a3e6da99
tree: 3e0c96613972e8bb4afdeeb97a034806363ddfa9 /registry/README.md
parent: Releasing debian version 1.18.1-1.
Merging upstream version 1.19.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'registry/README.md')
-rw-r--r-- registry/README.md 17
1 files changed, 17 insertions, 0 deletions
diff --git a/registry/README.md b/registry/README.md
index f852809b..205937ba 100644
--- a/registry/README.md
+++ b/registry/README.md
@@ -122,6 +122,23 @@ Netdata v1.9+ support limiting access to the registry from given IPs, like this:
Keep in mind that connections to Netdata API ports are filtered by `[web].allow connections from`. So, IPs allowed by `[registry].allow from` should also be allowed by `[web].allow connection from`.
+The patterns can be matches over IP addresses or FQDN of the host.
+In order to check the FQDN of the connection without opening the Netdata agent to DNS-spoofing, a reverse-dns record
+must be setup for the connecting host. At connection time the reverse-dns of the peer IP address is resolved, and
+a forward DNS resolution is made to validate the IP address against the name-pattern.
+
+Please note that this process can be expensive on a machine that is serving many connections. The behaviour of
+the pattern matching can be controlled with the following setting:
+```
+[registry]
+ allow by dns = heuristic
+```
+
+The settings are:
+* `yes` allows the pattern to match DNS names.
+* `no` disables DNS matching for the patterns (they only match IP addresses).
+* `heuristic` will estimate if the patterns should match FQDNs by the presence or absence of `:`s or alpha-characters.
+
### Where is the registry database stored?
`/var/lib/netdata/registry/*.db`
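Review bot: the `heuristic` bullet does not say which way the presence of `:` or alpha characters tips the decision, and an IPv6 literal contains both colons and the letters a-f, so a reader cannot tell whether an IPv6 pattern in `[registry].allow from` will trigger DNS lookups. Please state the rule explicitly (which characters make a pattern count as an FQDN pattern and which make it count as an IP pattern) and say which of `yes`, `no` and `heuristic` is the default, since the example shows `heuristic` without saying whether that is what an unconfigured agent uses. The paragraph on reverse and forward resolution should also say what happens to the connection when the peer has no reverse record or the forward lookup does not return the peer IP, because that determines whether a DNS outage locks out hosts that are allowed by name. Wording: "can be matches over IP addresses or FQDN" should read "are matched against the IP address or the FQDN", and "must be setup" should be "must be set up". The unchanged context line above the additions writes the same option as both `[web].allow connections from` and `[web].allow connection from`; worth correcting while this section is being edited.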