Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

NGINX reverse proxy 502 bad gateway #426

Closed killmasta93 closed 5 years ago

killmasta93 commented 5 years ago

Hi, currently trying to get NGINX working as a reverse proxy with a subdomain. I have Let's Encrypt working and changed the config.json from the tutorial. This is my config.json: https://pastebin.com/aAQB6g11

and this is my nginx.conf

https://pastebin.com/iLxcszyX

Checked the logs on NGINX and got this:

2019/08/11 16:06:10 [error] 1001#1001: *220 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.3.253, server: remote.mydomain.com, request: "GET /agent.ashx HTTP/1.1", upstream: "http://127.0.0.1:4430/agent.ashx", host: "192.168.3.245"

Checked the services; it seems that node is not listening.

root@remote:~# sudo netstat -tulpn | grep LISTEN
tcp        0      0 127.0.0.1:27017    0.0.0.0:*    LISTEN   507/mongod
tcp        0      0 0.0.0.0:80         0.0.0.0:*    LISTEN   1000/nginx: master
tcp        0      0 127.0.0.53:53      0.0.0.0:*    LISTEN   426/systemd-resolve
tcp        0      0 0.0.0.0:22         0.0.0.0:*    LISTEN   675/sshd
tcp        0      0 127.0.0.1:6010     0.0.0.0:*    LISTEN   722/sshd: root@pts/
tcp        0      0 0.0.0.0:443        0.0.0.0:*    LISTEN   1000/nginx: master
tcp6       0      0 :::22              :::*         LISTEN   675/sshd
tcp6       0      0 ::1:6010           :::*         LISTEN   722/sshd: root@pts/

I tried running MeshCentral manually and got this: ERROR: Unable to parse /root/meshcentral-data/config.json.

I'm sure I did something wrong in the config.json.

killmasta93 commented 5 years ago

EDIT: so in the config.json I changed "TlsOffload": 127.0.0.1, to "TlsOffload": true, and the web GUI started to work, but when I tried to reinstall the client with the new pointer domain I saw this log:

Agent bad web cert hash (Agent:18279cb435 != Server:6da8e5e75c or 8686b77cc3), holding connection (192.168.3.254:55034). Agent reported web cert hash:18279cb435dcbb5a60ef1f8626b7bf1616506f880d728746b8a135d7e75148c0258237810b81a7d64fe2d9fc62799e4f.

And on the NGINX logs it seems good:

192.168.3.254 - - [11/Aug/2019:18:42:59 -0500] "GET /agent.ashx HTTP/1.1" 101 100 "-" "-"
192.168.3.254 - - [11/Aug/2019:18:43:31 -0500] "GET /agent.ashx HTTP/1.1" 101 100 "-" "-"
192.168.3.254 - - [11/Aug/2019:18:43:36 -0500] "GET /meshagents?id=4&meshid=bP0CAXcMJ8vUJ@9YUmi3O4x1KIxmIbwQ@Jqjspx$uZIYyA@i6fKWmQsJOZRdNa0R&installflags=0 HTTP/1.1" 200 2735092 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
192.168.3.254 - - [11/Aug/2019:18:43:44 -0500] "GET /agent.ashx HTTP/1.1" 101 100 "-" "-"

Ylianst commented 5 years ago

Hi. For the first problem, I think you need to do "TlsOffload":"127.0.0.1" with quotes around the 127.0.0.1. I will guess it did not parse the config.json right and the server quit. If you run the server manually ("node node_modules/meshcentral") you can probably see things like this.

The second issue with the "bad web cert" is because MeshCentral needs to know what cert NGINX is using, otherwise it thinks the agent traffic is being intercepted by a man-in-the-middle. MeshCentral needs to load the NGINX certificate and know that it is the one agents need to see.

The easy and evil way to fix this is to add this in the settings section of config.json:

"ignoreagenthashcheck": true

The proper way to do it is to add:

"certurl":"https://127.0.0.1:443"

To the domain section, to cause MeshCentral to load the NGINX cert.

Hope it helps, Ylian

killmasta93 commented 5 years ago

Thanks for the reply. So the TlsOffload with the quotes worked flawlessly. I tried adding the ignoreagent setting but I'm not sure in which part of the config.json I need to add it, and as for the correct way, I currently have "CertUrl": "https://127.0.0.1:443/", but there is still an issue with the cert. I go to the web GUI and I see the SSL perfectly. Thank you again.

Ylianst commented 5 years ago

The "ignoreagenthashcheck" goes in the "settings" section of config.json. It's not good for security, but will get you back up quickly.

For the CertUrl thing, if you can, run MeshCentral manually and let me know what you see. It should show you what is going on.

killmasta93 commented 5 years ago

Thanks for the quick reply. I ran MeshCentral manually and I get this:

root@remote:~# node ./node_modules/meshcentral
MeshCentral HTTP redirection server running on port 800.
MeshCentral v0.3.9-q, WAN mode.
MeshCentral Intel(R) AMT server running on remote.tirescue.com:4433.
MeshCentral HTTP server running on port 4430, alias port 443.
Agent bad web cert hash (Agent:18279cb435 != Server:6da8e5e75c or 8686b77cc3), holding connection (192.168.3.254:33744). Agent reported web cert hash:18279cb435dcbb5a60ef1f8626b7bf1616506f880d728746b8a135d7e75148c0258237810b81a7d64fe2d9fc62799e4f.

Ylianst commented 5 years ago

Hi. Did you put the CertUrl in the default (empty) domain under the "domains" section? I don't see the server trying to load the cert from NGINX.


treicadani commented 5 years ago

To load the cert correctly you need to use your FQDN and not the IP address.

Change "CertUrl": "https://127.0.0.1:443/", to "CertUrl": "https://remote.mydomain.com:443/"

Then restart MeshCentral and it should load it.

killmasta93 commented 5 years ago

Thanks for the reply. So I changed the CertUrl to "CertUrl": "https://remote.mydomain.com:443/", then reran the node command and got this:

MeshCentral HTTP server running on port 4430, alias port 443.
Agent bad web cert hash (Agent:18279cb435 != Server:6da8e5e75c or 8686b77cc3), holding connection (192.168.3.254:33868). Agent reported web cert hash:18279cb435dcbb5a60ef1f8626b7bf1616506f880d728746b8a135d7e75148c0258237810b81a7d64fe2d9fc62799e4f.
Agent bad web cert hash (Agent:18279cb435 != Server:6da8e5e75c or 8686b77cc3), holding connection (192.168.3.254:33870). Agent reported web cert hash:18279cb435dcbb5a60ef1f8626b7bf1616506f880d728746b8a135d7e75148c0258237810b81a7d64fe2d9fc62799e4f.

@Ylianst as for "CertUrl in the default (empty) domain under the "domains" section", I'm not sure if you mean what @treicadani says. Thank you

treicadani commented 5 years ago

But did you replace remote.mydomain.com with your own domain, or did you assign exactly "https://remote.mydomain.com:443/"? If so, assign your real domain name to the CertUrl field; you need to use your real FQDN throughout the configs in nginx and meshcentral.

Regards

killmasta93 commented 5 years ago

Thanks for the reply. Yes, correct, in the mydomain.com part I put my real domain. I also put it in the nginx config, also in the server; see config https://pastebin.com/iLxcszyX. Thank you again.

killmasta93 commented 5 years ago

So after much trial and error, as @Ylianst said, nodejs is not loading the SSL from NGINX, and I don't know why. When I run node I should get the RSA loaded, but this is what I get:

root@remote:~# node ./node_modules/meshcentral
MeshCentral HTTP redirection server running on port 800.
MeshCentral v0.3.9-q, WAN mode.
MeshCentral Intel(R) AMT server running on remote.mydomain.com:4433.
MeshCentral HTTP server running on port 4430, alias port 443.

killmasta93 commented 5 years ago

I had to add this to the settings for it to work: "ignoreagenthashcheck": true,

killmasta93 commented 5 years ago

Just realized that I had _domain; I removed the _ and it loaded the certificate.

Ylianst commented 5 years ago

Oh perfect. All the lines or sections that start with _ are ignored. Thanks for the report. I may need to do something to make it more clear that settings are being used.

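The three config.json pitfalls in this thread (the unquoted IP that stops the server from parsing its config, the "ignoreagenthashcheck" workaround, and an underscore-prefixed section that MeshCentral silently ignores so certUrl is never read) as a small pre-flight checker. This is an added example, not MeshCentral's own code; the three sample configs are constructed, remote.mydomain.com is the placeholder from the thread, and the checker only mirrors the behaviour described in the replies above.

```python
import json

# Constructed sample of the first problem in the thread: an unquoted IP is
# not valid JSON, so MeshCentral aborts with "Unable to parse config.json"
# and never listens on port 4430, which is why NGINX answered 502.
BROKEN = '{ "settings": { "TlsOffload": 127.0.0.1, "Port": 4430, "AliasPort": 443 } }'

# Constructed sample of the later problem: the section key starts with "_",
# which MeshCentral ignores, so certUrl is never read and agents keep failing
# the web cert hash check; ignoreAgentHashCheck only papers over that.
DISABLED_DOMAIN = '''{
  "settings": { "TlsOffload": "127.0.0.1", "Port": 4430, "AliasPort": 443,
                "RedirPort": 800, "ignoreAgentHashCheck": true },
  "_domains": { "": { "certUrl": "https://remote.mydomain.com:443/" } }
}'''

# Constructed sample of the working shape: TLS offloaded to NGINX and the
# default (empty-name) domain telling MeshCentral where to fetch that cert.
FIXED = '''{
  "settings": { "TlsOffload": "127.0.0.1", "Port": 4430, "AliasPort": 443,
                "RedirPort": 800 },
  "domains": { "": { "certUrl": "https://remote.mydomain.com:443/" } }
}'''


def lint_config(text):
    """Return a list of findings for a MeshCentral config.json string."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["parse error, server will not start: %s" % exc]
    findings = []
    for key in cfg:
        if key.startswith("_"):
            findings.append('section "%s" is ignored (starts with "_")' % key)
    # MeshCentral treats keys case-insensitively, so normalise before lookup.
    top = {k.lower(): v for k, v in cfg.items()}
    settings = {k.lower(): v for k, v in top.get("settings", {}).items()}
    if settings.get("ignoreagenthashcheck") is True:
        findings.append("ignoreAgentHashCheck is true: the server no longer checks "
                        "which cert the agent saw, so interception goes unnoticed")
    if "tlsoffload" in settings:
        default_domain = top.get("domains", {}).get("", {})
        if "certurl" not in {k.lower() for k in default_domain}:
            findings.append("TLS is offloaded but the default domain has no "
                            "certUrl, so the server cannot learn the proxy cert")
    return findings
```

Run `lint_config` over your own config.json before starting the server; an empty list means none of the thread's three pitfalls are present.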

killmasta93 commented 5 years ago

Thanks, I guess it's because I'm not familiar with node but more familiar with NGINX, but so far it's working great. Thank you so much.