Apache Webserver
Apache 2.4 and above have slightly different ACL syntax, so this page covers how you can use Knocknoc to manage ACLs. The script for managing Apache ACLs as per this document was added to knocknoc-agent in version 1.0.31
Setup for your Apache webserver
SSH to your apache server machine, and carry out the following steps.
Install Knocknoc Agent, and enrol it in your Knocknoc server.
Sudo setup
Your sudoers file needs to contain the following:
knocknoc-agent ALL=(ALL) NOPASSWD: systemctl reload apache2
or for Redhat based systems:
knocknoc-agent ALL=(ALL) NOPASSWD: systemctl reload httpd
in /etc/sudoers.d/knocknoc-agent
Apache ACL setup
mkdir /etc/apache2/acl
and chown knocknoc-agent /etc/apache2/acl/
then touch /etc/apache2/acl/librenms_acl.conf
as an example.
Sample Apache config for LibreNMS
A sample config file for apache2.4 for librenms. Please adapt it to your needs for whatever virtual host you may require.
<VirtualHost *:80>
ServerName librenms.domain.com
# Redirect HTTP to HTTPS
Redirect permanent / https://librenms.domain.com/
</VirtualHost>
<VirtualHost *:443>
ServerName librenms.domain.com
DocumentRoot /opt/librenms/html
DirectoryIndex index.php
# SSL Configuration
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/star.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/star.domain.com.key
# Knocknoc manages this ACL
Include /etc/apache2/acl/librenms_acl.conf
# Enable gzip compression
# Note: Apache needs mod_deflate enabled.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
</IfModule>
# PHP processing
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php-fpm-librenms.sock|fcgi://localhost"
</FilesMatch>
# Rewrite rules
<Directory /opt/librenms/html>
AllowOverride All
Require all granted
# Deny access to dot files
<FilesMatch "/\.(?!well-known).*">
Require all denied
</FilesMatch>
# URL rewriting
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]
</Directory>
</VirtualHost>
Knocknoc Agent Script
The script:
#!/bin/bash
# Update the following line to the correct directory based on your Apache installation
# need to mkdir /etc/apache2/acl and chown it to the appropriate user
ACTION=$1
ACL_FILE=$2
IP=$3
# Ensure the ACL file path is absolute, starts with your Apache config path, and prevent directory traversal
if [[ ! "$ACL_FILE" =~ ^/etc/apache2/acl/.*$ ]] || [[ "$ACL_FILE" =~ \.\. ]]; then
echo "Invalid ACL file path."
exit 1
fi
# Validate IP address format for add and del actions
if ! [[ $IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && [ "$ACTION" != "flush" ]; then
echo "Invalid IP address format."
exit 1
fi
reload_apache() {
# Check for Debian-based systems like Ubuntu
if [ -f /etc/debian_version ]; then
echo "Detected Debian-based system"
sudo systemctl reload apache2
# Check for Red Hat-based systems like CentOS, Fedora, or RHEL
elif [ -f /etc/redhat-release ]; then
echo "Detected Red Hat-based system"
sudo systemctl reload httpd
# Fallback if system is neither Red Hat nor Debian-based, try using apache2 first
else
echo "Attempting to reload Apache using apache2"
if ! sudo systemctl reload apache2 2>/dev/null; then
echo "Failed, attempting to reload Apache using httpd"
sudo systemctl reload httpd
fi
fi
}
ensure_deny_all() {
# Ensure "Require all denied" is always the last line of the file for Apache 2.4+
if ! tail -n1 "$ACL_FILE" | grep -q "Require all denied"; then
echo "Require all denied" >> "$ACL_FILE"
fi
}
case $ACTION in
add)
# Prevent adding an IP if it already exists for Apache 2.4+
if grep -q "Require ip $IP" "$ACL_FILE"; then
echo "IP already allowed."
else
# Insert the allow rule before the last line (Require all denied)
sed -i "$ i\Require ip $IP" "$ACL_FILE"
reload_apache
fi
;;
del)
# Only remove the IP if it exists for Apache 2.4+
if grep -q "Require ip $IP" "$ACL_FILE"; then
sed -i "/Require ip $IP/d" "$ACL_FILE"
reload_apache
else
echo "IP not found."
fi
;;
flush)
# Reset the file to only contain "Require all denied" for Apache 2.4+
echo "Require all denied" > "$ACL_FILE"
reload_apache
;;
*)
echo "Usage: $0 {add|del|flush} <ACL_FILE> <IP>"
echo "Example: $0 add /etc/apache2/acl/librenms.acl 192.168.1.100"
echo "Note: IP argument is not needed for 'flush' action."
exit 1
;;
esac
# Ensure "Require all denied" is properly placed at the end of the file for all actions except flush
if [ "$ACTION" != "flush" ]; then
ensure_deny_all
fi
Knocknoc Server Setup
The backend config is as follows, selecting the name of the agent above.
And the ACL config like so, to match the script and Apache config above: