Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Agent invite link not working with non standard port #4812

Open elkekou opened 1 year ago

elkekou commented 1 year ago

Hi,

I have a little problem on my MeshCentral server.

I have configured it behind an nginx proxy with 2 different URLs serving 2 different ports on MeshCentral. One URL is for agent connections (https://help.fqdn.com), and the other one (https://remote.fqdn.com) is for MeshCentral operators who use remote assistance. I managed to install the agent and take control remotely without problem.

My problem is about the "invite link", which is not working; the error is: "cannot GET /agentinvite". But if I use the FQDN for operators (https://remote.fqdn.com) with the end of the generated invite URL, it works.

I think I forgot something in the mesh config but fail to see what's wrong. Could you please help me?

Thank you for your wonderful product :)

Here is my meshcentral conf:

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "cert": "help.fqdn.com",
    "port": 4430,
    "aliasPort": 443,
    "agentAliasPort": 443,
    "agentPort": 4431,
    "AgentPong": 300,
    "TlsOffload": "127.0.0.1",
    "userAllowedIP" : "192.168.2.0/24,192.168.52.0/24",    
    "AgentTimeStampServer": false,
    "syslog": true
  },
  "domains": {
    "": {      
      "certUrl": "https://help.fqdn.com:443/"
    }
  }
}

Nginx conf for the agent URL: https://help.fqdn.com

server {
    listen 443 ssl http2;
    server_name help.fqdn.com  W.X.Y.Z;
    server_tokens off;
    proxy_send_timeout 330s;
    proxy_read_timeout 330s;
    ssl_certificate /etc/pki/tls/certs/help.fqdn.com.crt;
    ssl_certificate_key /etc/pki/tls/private/help.fqdn.com.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:4431;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Nginx conf for the web interface (remote assistance): https://remote.fqdn.com

server {
    listen 8443 ssl http2;
    server_name remote.fqdn.com  localhost A.B.C.D;
    server_tokens off;
    proxy_send_timeout 330s;
    proxy_read_timeout 330s;
    ssl_certificate /etc/pki/tls/certs/remote.fqdn.com.crt;
    ssl_certificate_key /etc/pki/tls/private/remote.fqdn.com.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:4430;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Ylianst commented 1 year ago

Try the agentAliasDNS setting like this:

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "cert": "remote.fqdn.com",
    "port": 4430,
    "aliasPort": 443,
    "agentPort": 4431,
    "agentAliasDNS": "help.fqdn.com",                     <-----------
    "agentAliasPort": 443,
    "AgentPong": 300,
    "TlsOffload": "127.0.0.1",
    "userAllowedIP" : "192.168.2.0/24,192.168.52.0/24",    
    "AgentTimeStampServer": false,
    "syslog": true
  },
  "domains": {
    "": {      
      "certUrl": "https://remote.fqdn.com:443/"
    }
  }
}

This could set up the server with the correct DNS name for the main HTTPS server and the correct DNS name for the agent port. Let me know if that works.

elkekou commented 1 year ago

I've tried all the permutation possibilities (help.fqdn.com / remote.fqdn.com) and it does not work. I really don't understand. I have a workaround though: the email invitation works. I will continue to look into these "cert/agentaliasdns" options. Thanks for your help.
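An added diagnostic, not part of the thread or of MeshCentral: it parses constructed excerpts of the two nginx server blocks above, maps each server_name to its listen port and upstream port, and reports which hostname an invite link can safely use. It assumes that /agentinvite is served only by MeshCentral's main web server (the "port" setting, 4430 here) and that the agent-only listener ("agentPort", 4431) returns the Express "Cannot GET" 404 for it; the settings dict and the conf text are constructed from the values in the issue.

```python
import re

# Constructed excerpts of the two nginx server blocks from the issue (not the full files).
NGINX_CONF = """
server {
    listen 443 ssl http2;
    server_name help.fqdn.com W.X.Y.Z;
    location / { proxy_pass http://127.0.0.1:4431; }
}
server {
    listen 8443 ssl http2;
    server_name remote.fqdn.com localhost A.B.C.D;
    location / { proxy_pass http://127.0.0.1:4430; }
}
"""

# The MeshCentral settings relevant to link generation, taken from the issue.
MESH_SETTINGS = {"port": 4430, "agentPort": 4431, "aliasPort": 443, "agentAliasPort": 443}

SERVER_RE = re.compile(r"server\s*\{(.*?)\n\}", re.S)
NAME_RE = re.compile(r"server_name\s+([^;]+);")
LISTEN_RE = re.compile(r"listen\s+(\d+)")
PASS_RE = re.compile(r"proxy_pass\s+https?://[^:/]+:(\d+)")


def parse_routes(conf):
    """Map every server_name to (listen port, upstream port) of its server block."""
    routes = {}
    for block in SERVER_RE.findall(conf):
        names = NAME_RE.search(block).group(1).split()
        listen = int(LISTEN_RE.search(block).group(1))
        upstream = int(PASS_RE.search(block).group(1))
        for name in names:
            routes[name] = (listen, upstream)
    return routes


def check_invite_host(host, routes, settings):
    """Verdict for an invite link whose hostname is `host` (assumption: only the
    main web server on settings['port'] handles /agentinvite)."""
    if host not in routes:
        return "unknown host: no nginx server_name matches"
    listen, upstream = routes[host]
    if upstream == settings["agentPort"]:
        return "misrouted: host is proxied to the agent-only port, expect 'Cannot GET /agentinvite'"
    if upstream != settings["port"]:
        return "unexpected upstream port %d" % upstream
    if listen != settings["aliasPort"]:
        # The generated link carries aliasPort (443 -> no port shown), not what nginx listens on.
        return "ok, but nginx listens on %d while aliasPort is %d" % (listen, settings["aliasPort"])
    return "ok: /agentinvite reaches the main web server"
```

Run `check_invite_host("help.fqdn.com", parse_routes(NGINX_CONF), MESH_SETTINGS)` to see the misrouting verdict for the agent hostname.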