From: Michael Friedrich <michael.friedrich@icinga.com>
Date: Tue, 20 Mar 2018 10:50:52 +0000 (+0100)
Subject: Docs: Add a note to only query the NSClient++ API from the local Icinga 2 client
X-Git-Tag: v2.8.2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4f12142d52db6b69e89f13f8aa498582179e4178;p=icinga2

Docs: Add a note to only query the NSClient++ API from the local Icinga 2 client

refs #6172
---

diff --git a/doc/06-distributed-monitoring.md b/doc/06-distributed-monitoring.md
index dafd55cde..9ca5cec5f 100644
--- a/doc/06-distributed-monitoring.md
+++ b/doc/06-distributed-monitoring.md
@@ -1976,10 +1976,14 @@ you'll also need to ensure that port `5665` is enabled.
 #### NSClient++ API <a id="distributed-monitoring-windows-firewall-nsclient-api"></a>
 
 If the [check_nscp_api](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-api)
-plugin is used to query NSClient++ remotely, you need to ensure that its port is enabled.
+plugin is used to query NSClient++, you need to ensure that its port is enabled.
 
     C:\WINDOWS\system32>netsh advfirewall firewall add rule name="Open port 8443 (NSClient++ API)" dir=in action=allow protocol=TCP localport=8443
 
+For security reasons, it is advised to enable the NSClient++ HTTP API for local
+connection from the Icinga 2 client only. Remote connections to the HTTP API
+are not recommended with using the legacy HTTP API.
+
 ### Windows Client and Plugins <a id="distributed-monitoring-windows-plugins"></a>
 
 The Icinga 2 package on Windows already provides several plugins.
@@ -2038,7 +2042,7 @@ for the requirements.
 
 There are two methods available for querying NSClient++:
 
-* Query the [HTTP API](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-api) locally or remotely (requires a running NSClient++ service)
+* Query the [HTTP API](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-api) locally from an Icinga 2 client (requires a running NSClient++ service)
 * Run a [local CLI check](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-local) (does not require NSClient++ as a service)
 
 Both methods have their advantages and disadvantages. One thing to
diff --git a/doc/10-icinga-template-library.md b/doc/10-icinga-template-library.md
index 4b74930c0..0cb419ed5 100644
--- a/doc/10-icinga-template-library.md
+++ b/doc/10-icinga-template-library.md
@@ -1668,13 +1668,17 @@ users\_win\_crit | **Optional**. The critical threshold.
 
 There are two methods available for querying NSClient++:
 
-* Query the [HTTP API](10-icinga-template-library.md#nscp-check-api) locally or remotely (requires a running NSClient++ service)
+* Query the [HTTP API](06-distributed-monitoring.md#distributed-monitoring-windows-nscp-check-api) locally from an Icinga 2 client (requires a running NSClient++ service)
 * Run a [local CLI check](10-icinga-template-library.md#nscp-check-local) (does not require NSClient++ as a service)
 
 Both methods have their advantages and disadvantages. One thing to
 note: If you rely on performance counter delta calculations such as
 CPU utilization, please use the HTTP API instead of the CLI sample call.
 
+For security reasons, it is advised to enable the NSClient++ HTTP API for local
+connection from the Icinga 2 client only. Remote connections to the HTTP API
+are not recommended with using the legacy HTTP API.
+
 ### nscp_api <a id="nscp-check-api"></a>
 
 `check_nscp_api` is part of the Icinga 2 plugins. This plugin is available for