Nginx

Knocknoc can drive an nginx server's allow/deny list directly from the agent, without a wrapper script. Users authenticated by Knocknoc are added to a per-ACL include file (e.g. /etc/nginx/acl/librenms.acl). The agent rewrites this file atomically and then reloads nginx via sudo nginx -s reload.

This is the recommended approach as of v26.05.

Setup on the nginx server

  1. Install knocknoc-agent (v26.05 or later) on the nginx host.

  2. Run the helper:

    sudo knocker enable nginx
    

    This installs /etc/sudoers.d/knocknoc-agent_nginx granting knocknoc-agent permission to run /usr/sbin/nginx -s reload, creates /etc/nginx/acl/ owned by root:knocknoc-agent with mode 0775, and runs nginx -t as a sanity check.

  3. Reference an ACL file from each server block you want to gate. The filename must match what you configure in the Knoc (alphanumerics, _, ., -, ending in .acl):

    server {
        listen 443 ssl;
        server_name librenms.example.com;
    
        # Knocknoc manages this file
        include /etc/nginx/acl/librenms.acl;
    
        # ...rest of your config...
    }
    
  4. Validate the configuration and reload nginx:

    sudo nginx -t && sudo systemctl reload nginx

The agent creates the ACL file on first grant — you don't need to touch it.

Knocknoc admin config

  1. Create a Backend of type Nginx pointing at the agent running on the nginx host. The backend has no further configuration — everything lives on the ACL.
  2. Create an ACL of type Nginx. The only field is ACL file, which must be the absolute path under /etc/nginx/acl/ (e.g. /etc/nginx/acl/librenms.acl).
  3. Map the ACL into the relevant user group. On grant, the agent rewrites the file and reloads nginx.
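
An added example (not Knocknoc's own code) of the write path described above: it enforces the ACL file naming rule from this page, refuses anything that is not an IP address or CIDR, and replaces the include file atomically. The file contents (one allow line per address followed by deny all) and all function names are assumptions; the agent's actual output format is not shown on this page.

```python
import ipaddress
import os
import re
import tempfile

ACL_DIR = "/etc/nginx/acl"  # directory named on this page
# Filename rule from the page: alphanumerics, _, ., -, ending in .acl
ACL_NAME = re.compile(r"[A-Za-z0-9_.-]+\.acl")


def validate_acl_path(path, acl_dir=ACL_DIR):
    """Return path if it is an absolute path directly under acl_dir, else raise."""
    directory, name = os.path.split(path)
    if not os.path.isabs(path) or directory != acl_dir.rstrip("/"):
        raise ValueError(f"ACL file must be directly under {acl_dir}: {path!r}")
    if not ACL_NAME.fullmatch(name):
        raise ValueError(f"invalid ACL filename: {name!r}")
    return path


def render_acl(addresses):
    """Build the include text (assumed format): allow lines, then deny all."""
    # ip_network() rejects anything that is not an IP or CIDR, so no stray
    # text (semicolons, braces, extra directives) can reach the nginx config.
    nets = sorted({ipaddress.ip_network(a, strict=False) for a in addresses},
                  key=lambda n: (n.version, n))
    # nginx checks allow/deny rules in order, so "deny all" must come last.
    return "\n".join([f"allow {n};" for n in nets] + ["deny all;"]) + "\n"


def write_acl(path, addresses, acl_dir=ACL_DIR):
    """Atomically replace the ACL file so nginx never reads a partial file."""
    validate_acl_path(path, acl_dir)
    body = render_acl(addresses)
    # Temp file in the same directory keeps os.replace() a same-filesystem rename.
    fd, tmp = tempfile.mkstemp(dir=acl_dir, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(body)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return body
```

Validation and rendering both run before any file is created, so a rejected path or address leaves the existing ACL file untouched.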

The admin UI greys out the Nginx backend on agents that don't advertise the capability — i.e. nginx isn't on $PATH or the sudoers entry is missing. Re-run knocker enable nginx and reconnect the agent to fix.

Knocker reference

knocker status nginx    # report install state (binary, sudoers, ACL dir, nginx -t)
knocker disable nginx   # remove the sudoers entry (ACL dir retained)