Secure a web server that exposes a Telegraf configuration file

Hello everyone,

I am a new user of TIG, and I have a little newbie question:

I load the configuration file for my telegraf agent from an apache2 web server; this is working very well!
But the question is: how can I secure access to my web server so that only the telegraf agent can access it, and nobody else? Currently, if I type in my web browser: http://myapache2server.com/telegraf.conf , I get the configuration file with the password of my database and other information.

Thanks a lot for your help guys.

Best regards,

Yoann

> Hello everyone,
>
> I am a new user of TIG, and I have a little newbie question:
>
> I load the configuration file for my telegraf agent from an apache2 web
> server; this is working very well!

I find myself asking “why?”

> But the question is: how can I secure access to my web server so that
> only the telegraf agent can access it, and nobody else?

https://httpd.apache.org/docs/2.4/howto/auth.html

> Currently, if I type in my web browser:
> http://myapache2server.com/telegraf.conf
> I get the configuration file with the password of my database and other
> information.

Why are you doing this with Apache at all?

Why not just put telegraf’s configuration file where it belongs on the server
and that’s that?

Antony.

Hello, thanks for your response.
I am doing that in order not to put passwords and other information on the device. I wish to deploy the agent on Windows client devices and not only servers, so I didn’t want them to be able to read secret information about influx. With this usage, the configuration file is not on the device, and the user can’t see the configuration of the agent.

I am going to read your links :slight_smile: .

I don’t know a lot about Windows, but are you saying that a Windows machine
cannot have “system level” security for files the average user is not supposed
to be able to read, and “user level” security for their own files?

In other words, cannot you make the telegraf configuration file owned by
“administrator” (which I believe is the MS equivalent of Unix “root”) with no
read permission for “average users”?

Antony.

I can try this, but normally the programs folder is accessible by everyone.
I saw a lot of other Windows admins trying to protect the file, but they can’t do that.

The other advantage is that I can update the agent configuration file from the web server (it is a very cool advantage).

It is a little hard for me to understand the Apache security link that you sent me. Is there a possibility to authenticate the Windows/Linux service with a certificate allowed by the web server? What is the best method to secure that, according to you?

> I can try this, but normally the programs folder is accessible by everyone.
> I saw a lot of other Windows admins trying to protect the file, but they
> can’t do that.

I’m surprised, but then again, as I say, I’m not very familiar with Windows.

> The other advantage is that I can update the agent configuration file from
> the web server (it is a very cool advantage).

I would use puppet, ansible, chef, saltstack… for this sort of thing :slight_smile:

> It is a little hard for me to understand the Apache security link that you
> sent me. Is there a possibility to authenticate the Windows/Linux service
> with a certificate allowed by the web server? What is the best method to
> secure that, according to you?

My recommendation would be either to ask on an Apache list / forum for more
specific assistance, or simply do a web search for “Apache authentication” and
whatever system you’re running Apache on (eg: Centos, Debian, Ubuntu, etc) and
you should get plenty of pretty simple tutorials to show you how to do “basic
authentication” which, literally, is the best starting point for you.

Performing client certificate authentication definitely is possible, although
since this is not the standard way in which certificates are used, there are
far fewer tutorials and guides around telling you how to do this. Start with
Basic Authentication and then perhaps move on from there.

Antony.

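The "start with Basic Authentication, then perhaps move on to client certificates" advice from the last reply, written out as an added Apache 2.4 configuration example that is not part of the original thread. The hostname is the one from the question; the file paths, the DocumentRoot and the account name `telegraf` are assumptions, and how the agent supplies the credential depends on the Telegraf version and is not covered here.

```apache
# Assumed: mod_ssl, mod_auth_basic and mod_authn_file are enabled.
# All paths and the account name "telegraf" are placeholders.

# Port 80 serves nothing and only redirects, so neither the Basic
# password nor telegraf.conf crosses the network in clear text.
<VirtualHost *:80>
    ServerName myapache2server.com
    Redirect permanent / https://myapache2server.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName myapache2server.com
    DocumentRoot /var/www/telegraf

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Step 2 (later): client certificate authentication. Uncomment once
    # every agent holds a certificate issued by this private CA; the TLS
    # handshake then fails for any client without one.
    # SSLCACertificateFile /etc/apache2/ssl/agents-ca.crt
    # SSLVerifyClient require
    # SSLVerifyDepth 1

    # Step 1: Basic authentication on the one sensitive file.
    # Create the password file outside DocumentRoot with:
    #   htpasswd -c /etc/apache2/telegraf.htpasswd telegraf
    <Files "telegraf.conf">
        AuthType Basic
        AuthName "Telegraf configuration"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/telegraf.htpasswd
        # Only this account may fetch the file; everyone else gets 401.
        Require user telegraf
    </Files>
</VirtualHost>
```

After reloading Apache, requesting the URL from a browser without credentials should return 401 rather than the file, which is the check to repeat after every change to this virtual host.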