Skip to main content

Nginx via script

Nginx support via script was added in knocknoc-agent version 1.0.30.

To get started, make sure you have that version. Your sudoers file needs to contain the following:

knocknoc-agent ALL=(ALL) NOPASSWD: /usr/sbin/nginx -s reload

in /etc/sudoers.d/knocknoc-agent

And then you can:

mkdir /etc/nginx/acl

and chown knocknoc-agent /etc/nginx/acl/

then touch /etc/nginx/acl/librenms.acl as an example.

A sample nginx config file for librenms is as follows:

server {
 listen      80;
 server_name librenms.domain.com;
 return 301 https://$host$request_uri;
}

server {
 listen 443 ssl;
 server_name librenms.domain.com;
 root        /opt/librenms/html;
 index       index.php;

 ssl_certificate     /etc/nginx/ssl/star.domain.com.crt;
 ssl_certificate_key /etc/nginx/ssl/star.domain.com.key;

# Knocknoc manages this ACL
 include /etc/nginx/acl/librenms.acl;

 charset utf-8;
 gzip on;
 gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
 location / {
  try_files $uri $uri/ /index.php?$query_string;
 }
 location ~ [^/]\.php(/|$) {
  fastcgi_pass unix:/var/run/php/php-fpm-librenms.sock;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  include fastcgi.conf;
 }
 location ~ /\.(?!well-known).* {
  deny all;
 }

}

Then, when a user with right ACL allocated logs in to knocknoc, they get added to the librenms ACL. Note that the script ensures all IPs are blocked by default.