NAME

upsset.conf - Configuration for Network UPS Tools upsset.cgi

NOTE ABOUT HISTORIC NUT RELEASE

Note
Two NUT websites

This version of the page reflects NUT release v2.8.1 with codebase commited 4ba352d8f at 2023-10-31T21:46:20+01:00

Options, features and capabilities in current development (and future releases) are detailed on the main site and may differ from ones described here.

DESCRIPTION

This file only does one job—it lets you convince upsset.cgi(8) that your system’s CGI directory is secure. The program will not run until this file has been properly defined.

SECURITY REQUIREMENTS

upsset.cgi(8) allows you to try login name and password combinations. There is no rate limiting, as the program shuts down between every request. Such is the nature of CGI programs.

Normally, attackers would not be able to access your upsd(8) server directly as it would be protected by the LISTEN directives in your upsd.conf(5) file, tcp-wrappers (if available when NUT was built), and hopefully local firewall settings in your OS.

upsset runs on your web server, so upsd will see it as a connection from a host on an internal network. It doesn’t know that the connection is actually coming from someone on the outside. This is why you must secure it.

On Apache, you can use the .htaccess file or put the directives in your httpd.conf. It looks something like this, assuming the .htaccess method for older Apache releases:

<Files upsset.cgi>
deny from all
allow from your.network.addresses
</Files>

You will probably have to set "AllowOverride Limit" for this directory in your server-level configuration file as well.

Modern Apache enjoys a more detailed syntax, like this:

ScriptAlias /upsstats.cgi /usr/share/nut/cgi/upsstats.cgi
ScriptAlias /upsset.cgi /usr/share/nut/cgi/upsset.cgi
<Directory "/usr/share/nut/cgi">
      Options +Includes +ExecCGI
      AllowOverride Limit
      <RequireAny>
          Require local
          Require ip aa.bb.cc.dd/nn
      </RequireAny>
</Directory>

If this doesn’t make sense, then stop reading and leave this program alone. It’s not something you absolutely need to have anyway.

Assuming you have all this done, and it actually works (test it!), then you may add the following directive to this file:

I_HAVE_SECURED_MY_CGI_DIRECTORY

If you lie to the program and someone beats on your upsd through your web server, don’t blame me.

SEE ALSO

Internet resources:

The NUT (Network UPS Tools) home page: https://www.networkupstools.org/