Protect Netdata using basic access authentication.
Configure Netdata application to listen only on localhost instead of every interface.
$ sudo sed -i -e "s/# bind to = \*/bind to = 127.0.0.1/" /srv/netdata/etc/netdata/netdata.conf
Restart Netdata service to apply changes.
$ sudo systemctl restart netdata
Install nginx HTTP proxy server.
$ sudo apt-get install nginx
Create a directory to store the SSL certificate.
$ sudo mkdir /etc/nginx/ssl
Generate a self-signed SSL certificate for an IP address.
$ sudo openssl req -subj "/commonName=$(ip address show dev eth0 scope global | awk '/inet / {split($2,var,"/"); print var[1]}')/" -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Alternatively, use a Let's Encrypt certificate.
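Generate credentials for basic access authentication (net-user username, net-pass password). The hash uses the apr1 scheme, which nginx accepts; the older -crypt option ignores everything past the first 8 characters of the password and was removed in OpenSSL 3.0.
$ echo "net-user:$(openssl passwd -apr1 net-pass)" | sudo tee /etc/nginx/htpasswd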
Disable default configuration.
$ sudo unlink /etc/nginx/sites-enabled/default
Generate minimal nginx virtual host configuration.
$ cat <<EOF | sudo tee /etc/nginx/sites-available/netdata
server {
  listen 8080 ssl;
  server_name default;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  auth_basic "Restricted access";
  auth_basic_user_file /etc/nginx/htpasswd;
  location / {
    proxy_pass http://127.0.0.1:19999/;
  }
}
EOF
Enable this specific configuration.
$ sudo ln -s /etc/nginx/sites-available/netdata /etc/nginx/sites-enabled/
Reload nginx configuration.
$ sudo systemctl reload nginx
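To confirm that the steps above left Netdata reachable only through the authenticated proxy, the following added example (not part of the original page) filters listening-socket output for port 19999 and flags htpasswd entries stored with legacy DES crypt. The function names, the sample `ss -ltnH` lines and the sample htpasswd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-setup audit helpers (function names are hypothetical).

# Read `ss -ltnH` output on stdin and print every listener on port $1 that
# is not bound to loopback, i.e. still reachable from other hosts.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                       # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }'
}

# Read an htpasswd file on stdin and print users whose hash is legacy DES
# crypt (13 characters, no "$" prefix), which ignores all but the first
# 8 characters of the password.
weak_htpasswd_users() {
    awk -F: 'length($2) == 13 && $2 !~ /^\$/ { print $1 }'
}

# Constructed sample: Netdata still bound to every interface.
SAMPLE_BEFORE='LISTEN 0 4096 0.0.0.0:19999 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*'

# Constructed sample: Netdata on loopback only, nginx published on 8080.
SAMPLE_AFTER='LISTEN 0 4096 127.0.0.1:19999 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*'

# Constructed sample: one apr1 entry and one DES crypt entry (old-user is
# a made-up account; both hashes are placeholders, not real passwords).
SAMPLE_HTPASSWD='net-user:$apr1$abcdefgh$0123456789abcdefghijkl
old-user:abJnggxhB/yWI'

echo "before: $(printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners 19999)"
echo "after:  $(printf '%s\n' "$SAMPLE_AFTER" | exposed_listeners 19999)"
echo "weak:   $(printf '%s\n' "$SAMPLE_HTPASSWD" | weak_htpasswd_users)"
```

On the live host, `ss -ltnH | exposed_listeners 19999` and `sudo cat /etc/nginx/htpasswd | weak_htpasswd_users` should both print nothing.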
Enjoy!