path: root/web/server/README.md
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2019-11-28 04:53:29 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2019-11-28 04:53:29 +0000
commit: 17c93e2be4ad7b3af0cd6878bdd5d8a4a3e6da99 (patch)
tree: 3e0c96613972e8bb4afdeeb97a034806363ddfa9 /web/server/README.md
parent: Releasing debian version 1.18.1-1. (diff)
download: netdata-17c93e2be4ad7b3af0cd6878bdd5d8a4a3e6da99.tar.xz, netdata-17c93e2be4ad7b3af0cd6878bdd5d8a4a3e6da99.zip
Merging upstream version 1.19.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'web/server/README.md')
-rw-r--r-- web/server/README.md 22
1 file changed, 21 insertions, 1 deletion
diff --git a/web/server/README.md b/web/server/README.md
index 9f47cb8d9..486617354 100644
--- a/web/server/README.md
+++ b/web/server/README.md
@@ -149,7 +149,7 @@ Netdata supports access lists in `netdata.conf`:
allow management from = localhost
```
-`*` does string matches on the IPs of the clients.
+`*` does string matches on the IPs or FQDNs of the clients.
- `allow connections from` matches anyone that connects on the Netdata port(s).
So, if someone is not allowed, it will be connected and disconnected immediately, without reading even
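Review bot: the rewritten sentence changes the meaning of `*` for every existing access list without saying so; a pattern such as `*` or `*.example.com` that previously matched only IP strings now also matches FQDNs, and per the second hunk the `heuristic` default enables a reverse-DNS lookup whenever a wildcard is present. Suggest stating here that a wildcard pattern now implies a DNS resolution per connection unless the corresponding `allow ... by dns` option is set to `no`, and cross-referencing that option, so readers of this paragraph are not surprised by the lookup cost or by names matching where only IPs were intended.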
@@ -169,6 +169,26 @@ Netdata supports access lists in `netdata.conf`:
- `allow management from` checks the IPs to allow API management calls. Management via the API is currently supported for [health](../api/health/#health-management-api)
+In order to check the FQDN of the connection without opening the Netdata agent to DNS-spoofing, a reverse-dns record
+must be setup for the connecting host. At connection time the reverse-dns of the peer IP address is resolved, and
+a forward DNS resolution is made to validate the IP address against the name-pattern.
+
+Please note that this process can be expensive on a machine that is serving many connections. Each access list has an
+associated configuration option to turn off DNS-based patterns completely to avoid incurring this cost at run-time:
+
+```
+ allow connections by dns = heuristic
+ allow dashboard by dns = heuristic
+ allow badges by dns = heuristic
+ allow streaming by dns = heuristic
+ allow netdata.conf by dns = no
+ allow management by dns = heuristic
+```
+
+The three possible values for each of these options are `yes`, `no` and `heuristic`. The `heuristic` option disables
+the check when the pattern only contains IPv4/IPv6 addresses or `localhost`, and enables it when wildcards are
+present that may match DNS FQDNs.
+
### Other netdata.conf [web] section options
|setting|default|info|
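Review bot: the paragraph never says which of `yes`, `no` and `heuristic` is the default, and the listed block sets `allow netdata.conf by dns = no` while all other lists use `heuristic` without explaining why; suggest stating explicitly that the block shows the defaults and adding one sentence on the reason `netdata.conf` is the exception. The description of the check is also imprecise: "a forward DNS resolution is made to validate the IP address against the name-pattern" conflates two steps; suggest wording it as "the reverse-DNS name is matched against the pattern, and a forward lookup of that name must return the peer IP for the match to count", since that forward confirmation is what prevents the spoofing the sentence refers to. Minor: "must be setup" should read "must be set up".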