diff options
Diffstat (limited to 'docs/configure/secure-nodes.md')
| -rw-r--r-- | docs/configure/secure-nodes.md | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/docs/configure/secure-nodes.md b/docs/configure/secure-nodes.md index 02057ab9e..75bf6fd36 100644 --- a/docs/configure/secure-nodes.md +++ b/docs/configure/secure-nodes.md @@ -1,7 +1,11 @@ <!-- title: "Secure your nodes" description: "Your data and systems are safe with Netdata, but we recommend a few easy ways to improve the security of your infrastructure." -custom_edit_url: https://github.com/netdata/netdata/edit/master/docs/configure/secure-nodes.md +custom_edit_url: "https://github.com/netdata/netdata/edit/master/docs/configure/secure-nodes.md" +sidebar_label: "Secure your nodes" +learn_status: "Published" +learn_topic_type: "Tasks" +learn_rel_path: "Setup" --> # Secure your nodes @@ -11,13 +15,13 @@ internet at large, anyone can access the dashboard and your node's metrics at `h so that the local dashboard was immediately accessible to users, and so that we don't dictate how professionals set up and secure their infrastructures. -Despite this design decision, your [data](/docs/netdata-security.md#your-data-is-safe-with-netdata) and your -[systems](/docs/netdata-security.md#your-systems-are-safe-with-netdata) are safe with Netdata. Netdata is read-only, +Despite this design decision, your [data](https://github.com/netdata/netdata/blob/master/docs/netdata-security.md#your-data-is-safe-with-netdata) and your +[systems](https://github.com/netdata/netdata/blob/master/docs/netdata-security.md#your-systems-are-safe-with-netdata) are safe with Netdata. Netdata is read-only, cannot do anything other than present metrics, and runs without special/`sudo` privileges. Also, the local dashboard only exposes chart metadata and metric values, not raw data. While Netdata is secure by design, we believe you should [protect your -nodes](/docs/netdata-security.md#why-netdata-should-be-protected). If left accessible to the internet at large, the +nodes](https://github.com/netdata/netdata/blob/master/docs/netdata-security.md#why-netdata-should-be-protected). If left accessible to the internet at large, the local dashboard could reveal sensitive information about your infrastructure. For example, an attacker can view which applications you run (databases, webservers, and so on), or see every user account on a node. @@ -37,7 +41,7 @@ that align with your goals and your organization's standards. This is the _recommended method for those who have connected their nodes to Netdata Cloud_ and prefer viewing real-time metrics using the War Room Overview, Nodes view, and Cloud dashboards. -You can disable the local dashboard (and API) but retain the encrypted Agent-Cloud link ([ACLK](/aclk/README.md)) that +You can disable the local dashboard (and API) but retain the encrypted Agent-Cloud link ([ACLK](https://github.com/netdata/netdata/blob/master/aclk/README.md)) that allows you to stream metrics on demand from your nodes via the Netdata Cloud interface. This change mitigates all concerns about revealing metrics and system design to the internet at large, while keeping all the functionality you need to view metrics and troubleshoot issues with Netdata Cloud. @@ -50,17 +54,17 @@ static-threaded` setting, and change it to `none`. mode = none ``` -Save and close the editor, then [restart your Agent](/docs/configure/start-stop-restart.md) using `sudo systemctl +Save and close the editor, then [restart your Agent](https://github.com/netdata/netdata/blob/master/docs/configure/start-stop-restart.md) using `sudo systemctl restart netdata`. If you try to visit the local dashboard to `http://NODE:19999` again, the connection will fail because that node no longer serves its local dashboard. -> See the [configuration basics doc](/docs/configure/nodes.md) for details on how to find `netdata.conf` and use +> See the [configuration basics doc](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md) for details on how to find `netdata.conf` and use > `edit-config`. ## Restrict access to the local dashboard If you want to keep using the local dashboard, but don't want it exposed to the internet, you can restrict access with -[access lists](/web/server/README.md#access-lists). This method also fully retains the ability to stream metrics +[access lists](https://github.com/netdata/netdata/blob/master/web/server/README.md#access-lists). This method also fully retains the ability to stream metrics on-demand through Netdata Cloud. The `allow connections from` setting helps you allow only certain IP addresses or FQDN/hostnames, such as a trusted @@ -68,7 +72,7 @@ static IP, only `localhost`, or connections from behind a management LAN. By default, this setting is `localhost *`. This setting allows connections from `localhost` in addition to _all_ connections, using the `*` wildcard. You can change this setting using Netdata's [simple -patterns](/libnetdata/simple_pattern/README.md). +patterns](https://github.com/netdata/netdata/blob/master/libnetdata/simple_pattern/README.md). ```conf [web] @@ -95,8 +99,8 @@ The `allow connections from` setting is global and restricts access to the dashb allow management from = localhost ``` -See the [web server](/web/server/README.md#access-lists) docs for additional details about access lists. You can take -access lists one step further by [enabling SSL](/web/server/README.md#enabling-tls-support) to encrypt data from local +See the [web server](https://github.com/netdata/netdata/blob/master/web/server/README.md#access-lists) docs for additional details about access lists. You can take +access lists one step further by [enabling SSL](https://github.com/netdata/netdata/blob/master/web/server/README.md#enabling-tls-support) to encrypt data from local dashboard in transit. The connection to Netdata Cloud is always secured with TLS. ## Use a reverse proxy @@ -106,18 +110,18 @@ local dashboard and Netdata Cloud dashboards. You can use a reverse proxy to pas enable HTTPS to encrypt metadata and metric values in transit. We recommend Nginx, as it's what we use for our [demo server](https://london.my-netdata.io/), and we have a guide -dedicated to [running Netdata behind Nginx](/docs/Running-behind-nginx.md). +dedicated to [running Netdata behind Nginx](https://github.com/netdata/netdata/blob/master/docs/Running-behind-nginx.md). -We also have guides for [Apache](/docs/Running-behind-apache.md), [Lighttpd](/docs/Running-behind-lighttpd.md), -[HAProxy](/docs/Running-behind-haproxy.md), and [Caddy](/docs/Running-behind-caddy.md). +We also have guides for [Apache](https://github.com/netdata/netdata/blob/master/docs/Running-behind-apache.md), [Lighttpd](https://github.com/netdata/netdata/blob/master/docs/Running-behind-lighttpd.md), +[HAProxy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-haproxy.md), and [Caddy](https://github.com/netdata/netdata/blob/master/docs/Running-behind-caddy.md). ## What's next? -Read about [Netdata's security design](/docs/netdata-security.md) and our [blog +Read about [Netdata's security design](https://github.com/netdata/netdata/blob/master/docs/netdata-security.md) and our [blog post](https://www.netdata.cloud/blog/netdata-agent-dashboard/) about why the local Agent dashboard is both open and secure by design. -Next up, learn about [collectors](/docs/collect/how-collectors-work.md) to ensure you're gathering every essential +Next up, learn about [collectors](https://github.com/netdata/netdata/blob/master/docs/collect/how-collectors-work.md) to ensure you're gathering every essential metric about your node, its applications, and your infrastructure at large. [](<>) |