diff --git a/playbooks/munin.yml b/playbooks/munin.yml
index b72edd5..36740e2 100644
--- a/playbooks/munin.yml
+++ b/playbooks/munin.yml
@@ -28,3 +28,19 @@
       principals: HTTP/munin.foo.sh@FOO.SH
       group: apache
     - munin-master
+
+  tasks:
+    - name: require authentication for munin web
+      copy:
+        dest: /etc/httpd/conf.local.d/munin-auth.conf
+        content: |
+          <Location />
+            AuthType        GSSAPI
+            GssapiBasicAuth On
+            AuthName        "Password Required"
+            Require         valid-user
+          </Location>
+        mode: 0644
+        owner: root
+        group: "{{ ansible_wheel }}"
+      notify: restart apache