Securing Weathermap (or other plugins)

I only use nginx, so here is what I did for nginx.

This allows internal IPs to bypass the auth check (if you require zero trust, remove satisfy any; - deny all;).
Make sure this is ABOVE other regex based locations otherwise you might leak some paths!

create password file htpasswd -c /etc/nginx/maps.passwd maps (maps is the username, change if you like)

    location ~ ^/plugins/Weathermap/ {
        satisfy any;
        allow 192.168.1.0/24;
        deny all;
        auth_basic "Login to view maps";
        auth_basic_user_file /etc/nginx/maps.passwd;

        location ~ [^/]\.php(/|$) {
            fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
    }

Don’t forget to set the correct path to the fpm socket.

2 Likes

And there is my config for Apache

<IfModule mod_ssl.c>
<VirtualHost *:443>
  DocumentRoot /opt/librenms/html/
  ServerName  librenms

  AllowEncodedSlashes NoDecode
  <Directory "/opt/librenms/html/">
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
  </Directory>

<Directory "/opt/librenms/html/plugins/Weathermap">
  AuthType Basic
  AuthName "Authentication Required"
  AuthUserFile "/etc/apache2/.htpasswd"
  Require valid-user

  Order allow,deny
  Allow from all
</Directory>

SSLCertificateFile /etc/letsencrypt/live/librenms/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/librenms/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
2 Likes