Provided by: nut-cgi_2.8.3-2_amd64 bug

NAME
       upsset.conf - Configuration for Network UPS Tools upsset.cgi


DESCRIPTION
       This file only does one job — it lets you convince upsset.cgi(8) that your system’s CGI directory is
       secure. The program will not run until this file has been properly defined.


IMPORTANT NOTES
       •   Contents of this file should be pure ASCII (character codes not in range would be ignored with a
           warning message).


SECURITY REQUIREMENTS
       upsset.cgi(8) allows you to try login name and password combinations. There is no rate limiting, as the
       program shuts down between every request. Such is the nature of CGI programs.

       Credentials are provided to upsset.cgi as part of your browsing session, so it is highly recommended to
       set up HTTPS on the web server; ways to do so are outside the scope of this document.

       Normally, attackers would not be able to access your upsd(8) server directly, as it would be protected by
       the LISTEN directives in your upsd.conf(5) file, tcp-wrappers (if available when NUT was built), and
       hopefully local firewall settings in your OS.

       upsset runs on your web server, so upsd will see it as a connection from a host on an internal network.
       It doesn’t know that the connection is actually initiated by someone further outside. This is why you
       must secure it.

       On Apache, you can use the .htaccess file or put the directives in your httpd.conf. It looks something
       like this, assuming the .htaccess method for older Apache releases:

           <Files upsset.cgi>
                   deny from all
                   allow from your.network.addresses
           </Files>

       You will probably have to set AllowOverride Limit for this directory in your server-level configuration
       file as well.

       Modern Apache enjoys a more detailed syntax, like this:

           ScriptAlias /upsstats.cgi /usr/share/nut/cgi/upsstats.cgi
           ScriptAlias /upsset.cgi /usr/share/nut/cgi/upsset.cgi
           <Directory "/usr/share/nut/cgi">
                 Options +Includes +ExecCGI
                 AllowOverride Limit
                 <RequireAny>
                     Require local
                     Require ip aa.bb.cc.dd/nn
                 </RequireAny>
           </Directory>

       If this doesn’t make sense, then stop reading and leave this program alone. It’s not something you
       absolutely need to have anyway.

       Assuming you have all this done, and it actually works (test it!), then you may add the following
       directive to this file:

           I_HAVE_SECURED_MY_CGI_DIRECTORY

       If you lie to the program and someone beats on your upsd through your web server, don’t blame me.


SEE ALSO
       upsset.cgi(8)

   Internet resources:
       The NUT (Network UPS Tools) home page: https://www.networkupstools.org/historic/v2.8.3/

Network UPS Tools 2.8.3                            07/08/2025                                     UPSSET.CONF(5)