Improved Linux compatiblity

🌟 Highlights

The headline changes in this release — see the sections below for details:

• Disk and file checks now work on Linux. CheckDisk (check_drivesize,
  check_files, disk I/O) is no longer Windows-only.
  (details)
• First-class Linux packaging. The build follows the FHS / install prefix,
  with official .deb/.rpm for /usr.
  (details)
• Easy installs everywhere. Windows via winget / Chocolatey / Scoop; the
  Linux web UI via nscp web install-ui.
  (details)
• Secure by default. The web server refuses to serve cleartext HTTP without
  an explicit opt-in, plus check_nt command allow-listing and stricter
  external-script argument checks.
  (details)
• Run Lua scripts straight from the CLI with nscp lua execute, backed by
  Lua thread-safety hardening.
  (details)
• TLS improvements: outbound SNI and explicit Op5 client TLS options.
  (details)

⚠️ Upgrade — please read first

A few defaults were tightened for security and the Linux packaging layout
changed. None of these affect a normal Windows MSI upgrade, but Linux users
and anyone running the web server in cleartext should read this section.

1. The web server now refuses to run unencrypted by default

To stop NSClient++ from silently serving the REST API / web UI over plain HTTP,
the WEB server now refuses to start without a certificate unless you
explicitly opt in.

If you intentionally run the web server in cleartext (e.g. behind a TLS-
terminating proxy, or on an isolated network), set:

[/settings/WEB/server]
allow insecure = true

Otherwise, provide a certificate (certificate = …). If you do nothing and the
server has no certificate, it will log an error and not start the listener.

📖 WEBServer reference
· Web interface setup

2. The web UI is a separate download on Linux (.deb / .rpm)

The Linux packages no longer bundle the React/Vite web frontend (Debian/
Fedora policy forbids npm install during package builds). The daemon, REST
API, NRPE/NSCA listeners and every check module are still in the package — only
the browser UI ships separately.

After installing the package, fetch the matching UI bundle as root:

sudo nscp web install-ui      # downloads + verifies NSCP-Web-<version>.zip
sudo nscp web ui-status       # show installed version / source
sudo nscp web uninstall-ui    # remove only what install-ui put down

Until you do, the web port shows a small built-in placeholder page; the REST
API and all listeners work normally without it. The Windows MSI still bundles
the UI inline.

📖 Installing on Linux

3. Linux install layout now follows the FHS / install prefix

The Linux build honours CMAKE_INSTALL_PREFIX like a normal CMake project, and
the official .deb/.rpm are built for /usr. The file layout is now:

If you previously patched hardcoded paths to build for a custom location,
that is no longer needed — pass -DCMAKE_INSTALL_PREFIX=/opt/nsclient (or the
standard CMAKE_INSTALL_*DIR knobs) instead. To point an already-installed
daemon at a boot.ini in a non-standard place, there is a new override:

nscp service --run --path-override boot-conf=/etc/nsclient/boot.ini

📖 Choosing an install prefix
· File locations

✨ New features

Disk and file checks now work on Linux

CheckDisk is no longer Windows-only. Linux builds gain free-space, file and
disk-I/O checks, so the familiar commands work cross-platform:

# Free space on the root filesystem
check_drivesize --argument "drive=/" --argument "warn=used>80%" --argument "crit=used>90%"

# Age / size of a log file
check_files --argument "path=/var/log" --argument "pattern=*.log" --argument "crit=size>100M"

(Some Windows-only legacy commands are not registered on Linux.)

📖 Disk space scenario
· CheckDisk reference

Run Lua scripts straight from the command line

Useful for developing and debugging check scripts without wiring them into the
config first:

nscp lua execute --script myscript.lua

Lua also got thread-safety hardening (a proper GIL), new helpers for targeted
and forwarded queries, and clearer errors when a script fails to load.

Install on Windows with winget / Chocolatey / Scoop

NSClient++ is now published to the common Windows package managers:

winget install Mickem.NSClient
choco install nsclient
scoop install nsclient # Still pending approval

TLS improvements: SNI + Op5 client TLS options

• SNI is now sent on outbound TLS connections (Graphite and the generic TLS
  client), so a TLS proxy hosting several certificates returns the right one.

• The Op5 client gained explicit TLS settings:

  [/settings/op5/client/targets/default]
  tls version = 1.2+
  verify mode = peer
  ca = ${ca-path}

📖 Graphite reference
· Graphite scenario

🔒 Security hardening

Beyond the cleartext-HTTP default above:

• check_nt can now be restricted to specific commands. The legacy
  check_nt protocol is password-only (and source-IP filtering is spoofable),
  so you can now limit which of its ten request codes are answered. Default is
  any (unchanged behaviour):

  [/settings/NSClient/server]
  # Answer only harmless system metrics; deny arbitrary counter/file reads
  # and service/process enumeration:
  allow = metrics, info

  A request outside the list is rejected with ERROR: Command not allowed.

• Stricter shell-metacharacter checks in external scripts. User-supplied argument
  values containing more shell metacharacters are now rejected.

  📖 External scripts scenario

• Graphite metric paths are sanitized before being written to the line
  protocol, preventing injection of extra metrics.

• Python sys.path handling hardened to prevent code-injection via path
  manipulation.

🐛 Notable fixes & reliability

• IPv6: listeners set IPV6_V6ONLY on Linux to avoid port conflicts with
  IPv4, and IPv6 address resolution was improved.
• Thread-safety: logger subscriber management, the scheduler, and timer
  callbacks were made properly thread-safe; CommandClient now shuts down
  gracefully on POSIX signals.
• collectd client: correct (little-endian) gauge encoding, working IPv6
  multicast, a configurable send interval (default 10s), and previously
  dropped metric types (counter/derive/absolute) are now mapped instead of
  discarded.
• check_mk server: fixed a memory leak.
• Lua Lua log lines report the actual script line number.

📦 Packaging & distribution notes

• The bundled check_nsclient Nagios plugin moved to its own repository
  (mickem/check_nsclient) and is
  pulled in at build time. This only matters if you build from source.
• Package/file names were normalised — double-check the exact asset name on
  the releases page if you script
  downloads.
• Reduced Linux build dependencies: the build now uses libzip (instead of
  vendored Miniz), can use the system Google Test, and degrades cleanly when an
  optional dependency is missing. Linux uses the Boost.Beast web backend by
  default.

New Contributors

• @Fantu made their first contribution in #1290

Full Changelog: 0.12.6...0.13.0