AMC, even the community edition, is a nice and handy tool, but having it run without any protection and/or on a separate address accessed by a plain HTTP URL, or setting up a VPN to access it, makes it a pain for system administrators.
One way to mitigate most of these issues is to run AMC bound to the 127.0.0.1 address and access it via a reverse proxy on Apache/Nginx. That allows using access lists, password protection and TLS without touching the AMC code itself. Sounds nice, but in the current incarnation it’s a bit tricky.
Here is the (possibly excessive) Apache setup I use to access AMC, running at 127.0.0.1:3080:
```apache
ProxyRequests off
ProxyPass /amc/ http://127.0.0.1:3080/
ProxyPass /static/ http://127.0.0.1:3080/static/
ProxyPass /aerospike/ http://127.0.0.1:3080/aerospike/
ProxyPass /get_amc_version http://127.0.0.1:3080/get_amc_version
ProxyPassReverse /amc/ http://127.0.0.1:3080/
ProxyPassReverse /static/ http://127.0.0.1:3080/static/
ProxyPassReverse /aerospike/ http://127.0.0.1:3080/aerospike/
ProxyHTMLURLMap http://127.0.0.1:3080/ /amc
ProxyHTMLURLMap http://127.0.0.1:3080/static /amc/static
ProxyHTMLURLMap http://127.0.0.1:3080/aerospike /amc/aerospike
<Location /amc/>
    ProxyPassReverse /
    SetOutputFilter proxy-html
    RequestHeader unset Accept-Encoding
</Location>
<Location /static/>
    ProxyPassReverse /
    SetOutputFilter proxy-html
    RequestHeader unset Accept-Encoding
</Location>
<Location /aerospike/>
    ProxyPassReverse /
    SetOutputFilter proxy-html
    RequestHeader unset Accept-Encoding
</Location>
```
That requires the proxy and proxy_html modules to be enabled. Looking at the given config, you can see that it’s quite excessive, as it has to intercept access to the /aerospike/, /amc/, /static/ and /get_amc_version URIs. I’m lucky that my main site doesn’t have such subdirs itself, but that’s not the case for everyone.
All these problems can be mitigated by allowing access to AMC by a URL that contains a sub-folder in the path. For example, http://127.0.0.1:3080/amc/. Then all proxying could be configured in just a few lines.
Please implement such a configuration option to ease the life of those who run AMC behind a FW or at a remote location.
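
The access list, password protection and TLS that the post says a reverse proxy makes possible, shown around the same four proxied URIs. This is an added example, not part of the original post and not Aerospike's configuration. It assumes Apache 2.4; the server name, certificate paths, htpasswd file and the 192.0.2.0/24 admin network are placeholders.

```apache
# Added example. Needs mod_ssl, mod_auth_basic, mod_authn_file, mod_headers, mod_proxy_http, mod_proxy_html.
# Placeholders (assumptions): ServerName, certificate paths, htpasswd path, admin network.
<VirtualHost *:443>
    ServerName amc.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/amc.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/amc.example.org.key

    # Proxy rules exactly as in the post; AMC itself listens only on 127.0.0.1:3080
    ProxyRequests off
    ProxyPass /amc/ http://127.0.0.1:3080/
    ProxyPass /static/ http://127.0.0.1:3080/static/
    ProxyPass /aerospike/ http://127.0.0.1:3080/aerospike/
    ProxyPass /get_amc_version http://127.0.0.1:3080/get_amc_version
    ProxyPassReverse /amc/ http://127.0.0.1:3080/
    ProxyPassReverse /static/ http://127.0.0.1:3080/static/
    ProxyPassReverse /aerospike/ http://127.0.0.1:3080/aerospike/
    ProxyHTMLURLMap http://127.0.0.1:3080/ /amc
    ProxyHTMLURLMap http://127.0.0.1:3080/static /amc/static
    ProxyHTMLURLMap http://127.0.0.1:3080/aerospike /amc/aerospike

    # One access policy for every URI handed to AMC, including /get_amc_version,
    # which has no <Location> block of its own in the post's setup.
    <LocationMatch "^/(amc/|static/|aerospike/|get_amc_version)">
        AuthType Basic
        AuthName "AMC"
        AuthUserFile /etc/apache2/amc.htpasswd
        <RequireAll>
            Require ip 192.0.2.0/24
            Require valid-user
        </RequireAll>
    </LocationMatch>
    <Location /amc/>
        ProxyPassReverse /
        SetOutputFilter proxy-html
        RequestHeader unset Accept-Encoding
    </Location>
    <Location /static/>
        ProxyPassReverse /
        SetOutputFilter proxy-html
        RequestHeader unset Accept-Encoding
    </Location>
    <Location /aerospike/>
        ProxyPassReverse /
        SetOutputFilter proxy-html
        RequestHeader unset Accept-Encoding
    </Location>
</VirtualHost>
```

Because the proxy rules live only in the port 443 virtual host, none of the AMC paths is reachable over plain HTTP, and `<RequireAll>` means a request must both come from the listed network and carry valid credentials.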