Docs: Add a note to only query the NSClient++ API from the local Icinga 2 client

diff --git a/doc/06-distributed-monitoring.md b/doc/06-distributed-monitoring.md
index 955be7a0832d0bf1ac2dadfdcbdba9b9f5d52e4e..cdec4fac6d1adb15030ae17552f03e279471ac09 100644 (file)
--- a/doc/06-distributed-monitoring.md
+++ b/doc/06-distributed-monitoring.md
@@ -1991,10 +1991,14 @@ you'll also need to ensure that port `5665` is enabled.
 #### NSClient++ API <a id="distributed-monitoring-windows-firewall-nsclient-api"></a>
 
 If the [check_nscp_api](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-api)
-plugin is used to query NSClient++ remotely, you need to ensure that its port is enabled.
+plugin is used to query NSClient++, you need to ensure that its port is enabled.
 
     C:\WINDOWS\system32>netsh advfirewall firewall add rule name="Open port 8443 (NSClient++ API)" dir=in action=allow protocol=TCP localport=8443
 
+For security reasons, it is advised to enable the NSClient++ HTTP API for local
+connection from the Icinga 2 client only. Remote connections to the HTTP API
+are not recommended with using the legacy HTTP API.
+
 ### Windows Client and Plugins <a id="distributed-monitoring-windows-plugins"></a>
 
 The Icinga 2 package on Windows already provides several plugins.
@@ -2053,7 +2057,7 @@ for the requirements.
 
 There are two methods available for querying NSClient++:
 
-* Query the [HTTP API](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-api) locally or remotely (requires a running NSClient++ service)
+* Query the [HTTP API](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-api) locally from an Icinga 2 client (requires a running NSClient++ service)
 * Run a [local CLI check](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-local) (does not require NSClient++ as a service)
 
 Both methods have their advantages and disadvantages. One thing to

diff --git a/doc/10-icinga-template-library.md b/doc/10-icinga-template-library.md
index 4fe53a250387e38f6d3dd6201fa2ee33a144a5ee..f790397f9b3021f3fcf001f4c2d1875841b406c3 100644 (file)
--- a/doc/10-icinga-template-library.md
+++ b/doc/10-icinga-template-library.md
@@ -1696,13 +1696,17 @@ users\_win\_crit | **Optional**. The critical threshold.
 
 There are two methods available for querying NSClient++:
 
-* Query the [HTTP API](10-icinga-template-library.md#nscp-check-api) locally or remotely (requires a running NSClient++ service)
+* Query the [HTTP API](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-api) locally from an Icinga 2 client (requires a running NSClient++ service)
 * Run a [local CLI check](10-icinga-template-library.md#nscp-check-local) (does not require NSClient++ as a service)
 
 Both methods have their advantages and disadvantages. One thing to
 note: If you rely on performance counter delta calculations such as
 CPU utilization, please use the HTTP API instead of the CLI sample call.
 
+For security reasons, it is advised to enable the NSClient++ HTTP API for local
+connection from the Icinga 2 client only. Remote connections to the HTTP API
+are not recommended with using the legacy HTTP API.
+
 ### nscp_api <a id="nscp-check-api"></a>
 
 `check_nscp_api` is part of the Icinga 2 plugins. This plugin is available for