Security hints
Protect ini file
The ini file can contain database credentials or API secrets if checks need them to test access.
- If possible, put it outside the webroot, or
- protect access to it in the web server configuration: put it into a folder “protected” below the webroot and deny access to that folder
Snippet for Apache httpd:
<Location "/protected">
Require all denied
</Location>
IP restriction
The request that executes amcli (or the generated static JSON file) should be protected. Your output may contain no sensitive information in normal operation, but it may on error. The monitoring request is not for the public.
Dynamic requests, depending on the kind of checks, can run a bit longer and could be misused for DoS attacks.
You can set an IP restriction to the IP address of your appmonitor server instance plus localhost.
Snippet for Apache httpd:
<Location "/appmonitor">
Require ip 192.168.100.10
Require ip 127.0.0.1
</Location>
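To confirm that both rules above are still in place after later config edits, the following added example (not part of the appmonitor project) audits httpd config text for the two `<Location>` sections. The function name `audit`, the mode labels `deny` and `ip`, and the sample config are assumptions made for illustration. It only inspects plain `Require` lines directly inside `<Location>` blocks and does not follow `Include` files, `.htaccess` or nested `<RequireAll>` containers.

```python
import re

# Constructed sample config (not from a real server). The stray
# "Require all granted" re-opens /appmonitor, because Apache 2.4 ORs
# sibling Require lines (implicit RequireAny).
SAMPLE_CONF = """
<Location "/protected">
    Require all denied
</Location>
<location "/appmonitor">
    Require ip 192.168.100.10
    Require ip 127.0.0.1
    Require all granted
</Location>
"""

# Directive names are case-insensitive in httpd, so match them that way.
SECTION = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.I | re.S)
REQUIRE = re.compile(r"^\s*Require\s+(.+?)\s*$", re.I | re.M)

def audit(conf, expect):
    """Return findings; `expect` maps a URL path to 'deny' or 'ip' (hypothetical labels)."""
    sections = {}
    for path, body in SECTION.findall(conf):
        sections.setdefault(path, []).extend(r.lower() for r in REQUIRE.findall(body))
    findings = []
    for path, mode in expect.items():
        rules = sections.get(path)
        if rules is None:
            findings.append(f"{path}: no <Location> section found")
        elif not rules:
            findings.append(f"{path}: section has no Require directive")
        elif mode == "deny" and rules != ["all denied"]:
            findings.append(f"{path}: expected only 'Require all denied', found {rules}")
        elif mode == "ip":
            extra = [r for r in rules if not r.startswith("ip ")]
            if extra:
                findings.append(f"{path}: non-IP rules widen access: {extra}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF, {"/protected": "deny", "/appmonitor": "ip"}):
        print(line)
```
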