API bind host to allow connection from icinga2 Master alone

Hello

A newbie requires your help with configuring icinga2 securely.
I am having a bit of trouble with binding the host to the master icinga2 server (for security reasons).
Consider aa.aaa.aaa.aa to be the IP address of the Master icinga2 server and
bb.bbb.bbb.bb the node endpoint to monitor.

On the node server, I want to allow connections only from the Master icinga2 server, i.e., from IP aa.aaa.aaa.aa only. (Similar to the allowed_hosts option in NRPE.)

So in the node wizard configuration in the node service, I defined the API bind host as the Master icinga server IP address.

  1. Getting - critical/ApiListener: Cannot add listener on host ‘’ for port ‘5665’ Error.
  2. When I define 127.0.0.1 instead, all checks are passing. Shouldn’t my connection from the Master server fail, since the port is opened locally only?

Is API bind host meant for some other purpose that I am missing?
Master and node icinga versions: r2.13.3-1
OS: Ubuntu 20.04

1 Like

Bind host is the local address the service should listen on. I recommend agents connect to the master (or a satellite) so there is no load on the master for trying to connect to agents which are down. In this case you can bind Icinga 2 to the localhost and only master and satellite are exposing the API.

2 Likes
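The layout recommended in the reply, written out as an added configuration example (not taken from the thread or from the Icinga project). The endpoint and zone names `master1.example` and `agent1.example` are hypothetical, and the file paths are the Ubuntu package defaults. `bind_host` only selects which local address the listener opens, so it cannot be set to the master's IP, and it has no effect on connections the agent itself opens towards the master.

```icinga2
// ---- Agent: /etc/icinga2/features-available/api.conf ----
// bind_host must be an address configured on THIS machine.
// Loopback keeps port 5665 unreachable from the network.
object ApiListener "api" {
  bind_host = "127.0.0.1"
  accept_config = true     // as answered in the node wizard (assumed here)
  accept_commands = true   // as answered in the node wizard (assumed here)
}

// ---- Agent: /etc/icinga2/zones.conf ----
// The parent endpoint carries a host attribute, so the agent
// opens the connection to the master (outbound, port 5665).
object Endpoint "master1.example" {
  host = "aa.aaa.aaa.aa"
}

object Zone "master" {
  endpoints = [ "master1.example" ]
}

object Endpoint "agent1.example" {
}

object Zone "agent1.example" {
  endpoints = [ "agent1.example" ]
  parent = "master"
}

// ---- Master: /etc/icinga2/zones.conf ----
// The agent endpoint has NO host attribute, so the master never
// tries to connect to the agent and simply waits for it to connect.
object Endpoint "master1.example" {
}

object Zone "master" {
  endpoints = [ "master1.example" ]
}

object Endpoint "agent1.example" {
}

object Zone "agent1.example" {
  endpoints = [ "agent1.example" ]
  parent = "master"
}
```

After restarting the agent, `ss -tlnp | grep 5665` on the node should show the listener on 127.0.0.1:5665 only, while `ss -tnp | grep 5665` shows the established outbound session to aa.aaa.aaa.aa.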