The default Munin install on Debian adds an Alias for
/munin to every site in Apache, which ends up at
/var/cache/munin/www, but is restricted to local clients only, as in those coming from localhost.
To avoid messing with the default configuration too much and/or moving files around, you can set up access via an alternate method…
# Create a .htaccess to limit access to authenticated users:
echo -e 'AuthUserFile /etc/sympl/munin.htpasswd\nAuthType Basic\nAuthName "Access Restricted"\nRequire valid-user\n' > /var/cache/munin/www/.htaccess
# Create a user and enter the password when prompted
htpasswd -c /home/sympl/munin.htpasswd munin
# Symlink the directory so it's accessible (feel free to use an alternate name for the directory).
ln -s /var/cache/munin/www /srv/example.com/public/htdocs/munin
# Disable the default config and it's built-in alias, and reload apache.
a2disconf munin ; service apache2 reload.
You’ll want to be careful the .htaccess file in the Munin cache directory doesn’t get removed, as that will remove the password requirement, but the basic auth combined with an SSL cert (along with putting it on a less-obvious URL) should help.