Adding some basic security to your Munki repo

SSL

So far, we’ve just been working with http instead of https. Yeah, that’s not good going forward. So you’ll want to fix that, especially if you add basic authentication.

So, yeah, even though your Munki “website” is “static,” you should at least make it https.

Let’s Encrypt

If your Munki repo is public-facing (try to be conservative with what kind of traffic you translate WAN-to-LAN on your firewall), you can get a free SSL certificate by using Let’s Encrypt’s certbot.

Self-signed certificate

You can create a self-signed certificate. More details at Using https / self-signed certificates and basic authentication with Munki.

https going forward

Securing a web server isn’t a Munki-specific thing, so have a look at the links above. If they get you going with securing your repo, yay! If not, you can continue with http for now, but you may want to revisit in the future. Going forward, all the rest of the tutorials will assume you have https enabled.

Securing access to the repo

https and basic authentication add some security to the access of the repo by clients, but you should also protect write access to the repo. In fact, that protection is more important. Munki runs as root, so any changes to the repo must be made carefully and only by approved people in your school. One wrong script could wipe out user data or cause other problems.
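One way to check the write-access point above, as an added example that is not part of the original tutorial: a shell function that lists anything under the repo that is writable by everyone, or writable by a group other than the one you approved. The function name, the repo path and the group name are assumptions; pass in your own.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# audit_munki_repo REPO_DIR APPROVED_GROUP
#   REPO_DIR        path to the Munki repo on the server (assumption: you supply it)
#   APPROVED_GROUP  the only group that may have write access (name or numeric gid)
# Prints one line per finding.
# Returns 0 if nothing was found, 1 if there are findings, 2 on a usage error.
audit_munki_repo() {
    repo=$1
    group=$2
    if [ ! -d "$repo" ] || [ -z "$group" ]; then
        echo "usage: audit_munki_repo REPO_DIR APPROVED_GROUP" >&2
        return 2
    fi

    findings=$(
        # Anything any local account can modify. Symlinks are skipped because
        # their own mode bits are not what controls access.
        find "$repo" ! -type l -perm -0002 -print |
            sed 's/^/world-writable: /'

        # Group-writable items that belong to a group you did not approve.
        find "$repo" ! -type l -perm -0020 ! -group "$group" -print |
            sed 's/^/group-writable, wrong group: /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run directly as: sh audit_munki_repo.sh /path/to/munki_repo approved_group
if [ "$#" -eq 2 ]; then
    audit_munki_repo "$1" "$2"
fi
```

Run it from cron or before each repo sync and treat a non-zero exit as a reason to stop and look, since every client will run whatever is in the repo as root.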
