Apache Webserver

Apache 2.4 and above use a different access-control syntax from earlier releases (Require directives instead of Order/Allow/Deny), so this page covers how you can use Knocknoc to manage Apache 2.4 ACLs. The script for managing Apache ACLs as described in this document was added to knocknoc-agent in version 1.0.31.

Setup for your Apache webserver

SSH to your apache server machine, and carry out the following steps.

Install Knocknoc Agent, and enrol it in your Knocknoc server.

Sudo setup

Your sudoers file needs to contain the following:

in /etc/sudoers.d/knocknoc-agent

for Debian based systems

knocknoc-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload apache2

or for Redhat based systems:

knocknoc-agent ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload httpd

Apache ACL setup

mkdir /etc/apache2/acl

and chown knocknoc-agent /etc/apache2/acl/

then touch /etc/apache2/acl/librenms_acl.conf as an example. The directory must match the path check in the agent script below (/etc/apache2/acl/), so update both together if your Apache installation uses a different location.

Sample Apache config for LibreNMS

A sample config file for Apache 2.4 for LibreNMS. Adapt it to your needs for whatever virtual host you require.
Note that the Include needs to be inside the <Directory> section it protects (see the Include below): Apache merges the Require directives from the ACL file into that section, and the ACL file is always terminated by "Require all denied", so only the addresses listed by Knocknoc are allowed.

<VirtualHost *:80>
    # Redirect HTTP to HTTPS
    Redirect permanent /
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /opt/librenms/html
    DirectoryIndex index.php

    # SSL Configuration
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/
    SSLCertificateKeyFile /etc/apache2/ssl/

    # Enable gzip compression
    # Note: Apache needs mod_deflate enabled.
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
    </IfModule>

    # PHP processing (needs mod_proxy and mod_proxy_fcgi)
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php-fpm-librenms.sock|fcgi://localhost"
    </FilesMatch>

    # Rewrite rules
    <Directory /opt/librenms/html>
        AllowOverride All
        # Access to this directory is decided by the Knocknoc-managed Include
        # below. Do not add "Require all granted" here: Require directives in
        # one section combine as an implicit <RequireAny>, so a granted-all
        # rule would allow every client regardless of the ACL file.

        # Deny access to dot files
        <FilesMatch "/\.(?!well-known).*">
            Require all denied
        </FilesMatch>

        # URL rewriting
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^ index.php [QSA,L]

        # Knocknoc manages this ACL
        Include /etc/apache2/acl/librenms_acl.conf
    </Directory>
</VirtualHost>


Knocknoc Agent Script

The script:

#!/bin/bash
# Knocknoc agent script: add, remove or flush "Require ip" entries in an
# Apache 2.4 ACL file, then reload Apache so the change takes effect.
# Usage: $0 {add|del|flush} <ACL_FILE> <IP>

ACTION="$1"
ACL_FILE="$2"
IP="$3"

# Update the following check to the correct directory based on your Apache installation
# need to mkdir /etc/apache2/acl and chown it to the appropriate user

# Ensure the ACL file path is absolute, starts with your Apache config path, and prevent directory traversal
if [[ ! "$ACL_FILE" =~ ^/etc/apache2/acl/.*$ ]] || [[ "$ACL_FILE" =~ \.\. ]]; then
    echo "Invalid ACL file path."
    exit 1
fi

# Validate IP address format for add and del actions
if ! [[ $IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && [ "$ACTION" != "flush" ]; then
    echo "Invalid IP address format."
    exit 1
fi

reload_apache() {
    # Check for Debian-based systems like Ubuntu
    if [ -f /etc/debian_version ]; then
        echo "Detected Debian-based system"
        sudo systemctl reload apache2
    # Check for Red Hat-based systems like CentOS, Fedora, or RHEL
    elif [ -f /etc/redhat-release ]; then
        echo "Detected Red Hat-based system"
        sudo systemctl reload httpd
    # Fallback if system is neither Red Hat nor Debian-based, try using apache2 first
    else
        echo "Attempting to reload Apache using apache2"
        if ! sudo systemctl reload apache2 2>/dev/null; then
            echo "Failed, attempting to reload Apache using httpd"
            sudo systemctl reload httpd
        fi
    fi
}

ensure_deny_all() {
    # Ensure "Require all denied" is always the last line of the file for Apache 2.4+
    if ! tail -n1 "$ACL_FILE" | grep -q "Require all denied"; then
        echo "Require all denied" >> "$ACL_FILE"
    fi
}

case $ACTION in
    add)
        # Prevent adding an IP if it already exists for Apache 2.4+
        # (-x matches the whole line, so 10.0.0.1 is not mistaken for 10.0.0.10)
        if grep -qx "Require ip $IP" "$ACL_FILE"; then
            echo "IP already allowed."
        else
            # A freshly touched, empty file has no last line for sed to insert
            # before, so make sure the "Require all denied" terminator exists first
            ensure_deny_all
            # Insert the allow rule before the last line (Require all denied)
            sed -i "\$ i\\Require ip $IP" "$ACL_FILE"
        fi
        ;;
    del)
        # Only remove the IP if it exists for Apache 2.4+
        if grep -qx "Require ip $IP" "$ACL_FILE"; then
            # Anchored so that deleting 10.0.0.1 leaves 10.0.0.10 in place
            sed -i "/^Require ip $IP\$/d" "$ACL_FILE"
        else
            echo "IP not found."
        fi
        ;;
    flush)
        # Reset the file to only contain "Require all denied" for Apache 2.4+
        echo "Require all denied" > "$ACL_FILE"
        ;;
    *)
        echo "Usage: $0 {add|del|flush} <ACL_FILE> <IP>"
        echo "Example: $0 add /etc/apache2/acl/librenms_acl.conf 203.0.113.5"
        echo "Note: IP argument is not needed for 'flush' action."
        exit 1
        ;;
esac

# Ensure "Require all denied" is properly placed at the end of the file for all actions except flush
if [ "$ACTION" != "flush" ]; then
    ensure_deny_all
fi

# Apply the new ACL
reload_apache
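The ACL file edits above are easy to get subtly wrong (an empty file that sed cannot insert into, a prefix such as 10.0.0.1 matching 10.0.0.10), so it is worth exercising the logic on a scratch file before wiring the script into the agent. The following is an added example and not part of knocknoc-agent or this page's script: the acl_* functions are hypothetical names that mirror the script's add/del/flush edits but take the file path as an argument and never call sudo or reload Apache, so they run as an unprivileged user; the addresses are constructed from the 203.0.113.0/24 documentation range.

```shell
#!/bin/bash
# Added example: offline test bench for the Knocknoc-style ACL file edits.
# Not the agent's code; acl_* are hypothetical helper names.

# Append "Require all denied" unless it is already the last line.
acl_ensure_deny_all() {
    f="$1"
    if ! tail -n1 "$f" 2>/dev/null | grep -qx "Require all denied"; then
        echo "Require all denied" >> "$f"
    fi
}

# Insert "Require ip <ip>" before the final "Require all denied" line.
acl_add() {
    f="$1"; ip="$2"
    # Whole-line match (-x): 203.0.113.1 must not count as present when
    # only 203.0.113.10 is listed.
    if grep -qx "Require ip $ip" "$f" 2>/dev/null; then
        return 0
    fi
    # An empty file has no last line for sed to insert before, so create
    # the deny-all terminator first.
    acl_ensure_deny_all "$f"
    sed -i "\$ i\\Require ip $ip" "$f"
}

# Remove exactly the line for <ip>; anchored so longer addresses survive.
acl_del() {
    f="$1"; ip="$2"
    sed -i "/^Require ip $ip\$/d" "$f"
    acl_ensure_deny_all "$f"
}

# Reset the file so nothing is allowed.
acl_flush() {
    echo "Require all denied" > "$1"
}

# Run a constructed scenario on a scratch file and print the resulting ACL.
acl_demo() {
    f=$(mktemp)
    : > "$f"                      # the freshly touched, empty ACL file
    acl_add "$f" 203.0.113.10     # must work even though the file is empty
    acl_add "$f" 203.0.113.1      # not a duplicate of .10
    acl_add "$f" 203.0.113.1      # real duplicate: ignored
    acl_del "$f" 203.0.113.1      # must leave 203.0.113.10 in place
    cat "$f"
    rm -f "$f"
}

# Number of "Require ip" lines the scenario leaves behind (expected: 1).
acl_demo_count() {
    acl_demo | grep -c "^Require ip "
}

acl_demo
```

Running the block prints the two-line file "Require ip 203.0.113.10" followed by "Require all denied", which is exactly what Apache needs in the Included file: the listed address passes the implicit RequireAny, everyone else falls through to the deny-all terminator.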

Knocknoc Server Setup

The backend config is as follows, selecting the name of the agent enrolled above.


And the ACL config like so, to match the script and Apache config above: