Search Results

The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Wherever you see that, please substitute it for your own instance URL. Setting Up the IdP Create an Application Click Create App Integration Select SAML 2.0 Set ...

Knocknoc supports local users in addition to SAML/LDAP. Simply add a user, with a username and password. Then assign them to a group and map that group to an ACL. This is helpful for casual users, as you can set and expiry so for example if you have a web ap...

Current version of Knocknoc server is: 5.0.62, released on Mon, 12 Feb 2024 Current version of knocknoc-agent is: 1.0.28, released on Sat, 24 Feb 2024 

This is an example that lets you use UFW (https://wiki.ubuntu.com/UncomplicatedFirewall) and IPsets to dynamically whitelist IPs for a common host-based firewall.  First you need a systemd script that creates an ipset on startup and then have a script that in...

Knocknoc licensing and pricing can be found on the Knocknoc website. Once you have obtained your license and have either completed the self-hosted install or received the login details for your cloud hosted instance: Copy your license key from the Knocknoc...

The scripting backend can be used for MikroTik RouterOS config updates as well. Here is a sample script you can use as a backend: #!/bin/bash # MikroTik SSH Update Script # Configuration MIKROTIK_USER="admin" MIKROTIK_HOST="192.168.88.1" # Replace with...

Groups in Knocknoc map users to ACLs and a user can be assigned to multiple groups, to create a group in Knocknoc; Browse to the Knocknoc admin interface. Click on Groups on the left. Click Create Group on the right. Enter the name of the Group, matchi...

An ACL in Knocknoc is an important mapping between a Backend and ACL name, which is an argument passed into the Backend method. For example, if you have a Backend that is a script that updates an AWS security group, you can put the security group ID as the ...

Admins in Knocknoc can login to /admin on their Knocknoc server, however they can't be granted ACLs. This separates out regular logins from admin logins, and allowed for best practice. You can create an Admin using this dialog box if required. SAML is the p...

The Settings in Knocknoc allows you to configure some of the basic setup like authentication sources in web interface. The License is where you can cut and paste your license key from the Licensing Portal. Clicking save activates the server immediately (req...

NTP It's important that ALL the servers within the Knocknoc cluster and agents are synchronised and set to the correct time.  We recommend using chrony on a Linux VM to keep the time, but any NTP implementation would work. Time is an important aspect of auth...

The Knocknoc server will need to be able to contact your LDAP server on port 389 or 636. This is determined by the LDAP URL in the Settings: ldap://myldap.domain.com - this format says port 389 ldaps://myldap.domain.com - this format is port 636 Please make...

Running Knocknoc behind HAProxy could be a great option for people with existing HAProxy deployments, or who want to unify certificate and other management tasks. Here is a sample HAProxy config for Knocknoc as a backend: frontend Sol1-Frontend bind 0.0.0...

Cloud SaaS or self-hosted server? You can run your Knocknoc server either as a managed cloud instance (we host it) or self-host it. Should you deploy a cloud or self-hosted instance of Knocknoc? The answer will depend on a few factors. For example, if you w...

This is an example that lets you use Shorewall https://shorewall.org/index.html and IPsets to dynamically whitelist IPs. You can achieve great power with these simple steps: A systemd service script that creates and loads the ipset at startup. Allows the ...

Checking to see if an ACL is present in HAProxy For when you aren't sure if the whole process is working, you can manually connect to the HAProxy socket and print out the contents. socat is the way forward here. Install it with your favourite package manager...

User creation varies depending on the authentication source in use. Local users will need to be configured within the admin interface, LDAP users will need to be configured within the LDAP source and in the admin interface and SAML users are required to be con...

SAML for the admin interface is the same as SAML for the user base with a few very small alterations. Follow the existing guides for EntraID, OKTA or JumpCloud while keeping the below in mind. If the same IdP is in use for users and admins, a second Applica...

Nginx support via script was added in knocknoc-agent version 1.0.30. This allows for flexible ACL management from Knocknoc server for nginx. Setup for the Nginx server To get started, make sure you have knocknoc-agent version 1.0.30 or above installed. The ...

Apache 2.4 and above have slightly different ACL syntax, so this page covers how you can use Knocknoc to manage ACLs. The script for managing Apache ACLs as per this document was added to knocknoc-agent in version 1.0.31 Setup for your Apache webserver SSH t...