docs/netdata-agent/configuration/running-the-netdata-agent-behind-a-reverse-proxy/README.md
:::tip Simpler Alternative for Netdata Cloud Users
If you use Netdata Cloud (free or paid), consider Bearer Token Protection instead. With a single setting (`bearer token protection = yes`), you get:
Reverse proxy setup is still valuable if you need custom authentication, don't use Netdata Cloud, or require offline access.
:::
You can improve security and capabilities by running your Netdata Agent behind another web server in production environments. This approach lets you secure access to the dashboard with SSL, user authentication, and firewall rules while providing more robustness and capabilities than the Agent's internal web server.
We have documented configuration guides for these web servers:
:::tip
If you prefer a different web server, we suggest you follow the nginx documentation and tell us how you did it by adding your own "Running behind webserverX" document.
:::
After setting up your reverse proxy, you should firewall all your Netdata servers so that only the web server's IP can access Netdata directly.
You can use iptables to block direct access. Run this on each of your servers (or use your firewall manager):
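```sh
# IP address of the reverse proxy (the only host allowed to open new connections to the Agent)
PROXY_IP="1.2.3.4"
# Drop new TCP connections to port 19999 from any source other than the proxy
iptables -t filter -I INPUT -p tcp --dport 19999 \! -s "${PROXY_IP}" -m conntrack --ctstate NEW -j DROP
```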
This prevents anyone except your web server from accessing a Netdata dashboard running on the host.
You can also configure access control in `netdata.conf`:

```text
[web]
    allow connections from = localhost 1.2.3.4
```

You can add more IPs to this setting as needed.
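To confirm that the `[web]` access list in `netdata.conf` really is limited to the reverse proxy, you can audit the file. The script below is an added example, not part of the Netdata project: the function names are hypothetical, the sample config is constructed, and it compares entries literally against `localhost` and the IPs you pass in rather than evaluating Netdata's own pattern matching, so any wildcard or other pattern is reported as a finding.

```shell
#!/bin/sh
# Added example: strict audit of "[web] allow connections from" in netdata.conf.
# Function names are hypothetical; entries are compared literally, not pattern-matched.

# Print the active (uncommented) value of the setting inside [web]; exit 3 if unset.
web_acl_value() {
    awk '
        /^[ \t]*\[/ { in_web = ($0 ~ /^[ \t]*\[web\][ \t]*$/); next }
        /^[ \t]*#/  { next }
        in_web && /^[ \t]*allow connections from[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0; found = 1
        }
        END { if (found) print val; else exit 3 }
    ' "$1"
}

# Usage: audit_netdata_acl CONF_FILE ALLOWED_IP...
# Returns 0 if only localhost and the given IPs are listed,
#         1 if any other entry (for example a wildcard) is present,
#         2 if the setting is not set in [web].
audit_netdata_acl() {
    conf=$1; shift
    if ! value=$(web_acl_value "$conf"); then
        echo "MISSING: [web] 'allow connections from' is not set; the Agent default applies"
        return 2
    fi
    status=0
    set -f                      # stop the shell from expanding '*' in the value
    for entry in $value; do
        case " localhost $* " in
            *" $entry "*) ;;    # entry is localhost or an expected proxy IP
            *) echo "UNEXPECTED: $entry"; status=1 ;;
        esac
    done
    set +f
    return $status
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
printf '%s\n' '[web]' '    allow connections from = localhost 1.2.3.4 *' > "$sample"
audit_netdata_acl "$sample" 1.2.3.4 || echo "ACL is wider than the reverse proxy"
rm -f "$sample"
```

Run it against each host's real `netdata.conf`, passing the reverse proxy's IP. A non-zero exit status means the file would allow something beyond the proxy, or leaves the setting at its default.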