Open netw0rk-noob opened 2 months ago
You have agentaliasport
uncommented, you need to remove the _
Then restart meshcentral
Then uninstall/reinstall all ur meshagents as the port number will of changed
Edit: also you haven't set agentPortTls
either
You have
agentaliasport
uncommented, you need to remove the_
Then restart meshcentral Then uninstall/reinstall all ur meshagents as the port number will of changed
I did indeed uncomment agentAliasPort
, because I assumed that it is not needed if it is the same as agentPort
which it would be in my case. (8443) I removed the underscore for testing nonetheless.
Edit: also you haven't set
agentPortTls
either
Yes, I've set that to false
explicitly now, which leads to the following config.js:
{
"$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
"settings": {
"cert": "publicdomain.tld",
"WANonly": true,
"port": 4443,
"aliasPort": 443,
"agentPort": 8443,
"agentAliasPort": 8443,
"agentAliasDNS": "publicdomain.tld",
"agentPortTls": false,
"tlsOffload": "127.0.0.1,192.168.179.143,::1",
"mpsPort": 0,
},
"_domaindefaults": {
"__comment__": "Any settings in this section is used as default setting for all domains",
"title": "MyDefaultTitle",
"footer": "Default page footer",
"allowedOrigin": true,
"newAccounts": false
},
"domains": {
"": {
"allowedOrigin": [ "publicdomain.tld", "localdomain.tld" ],
"certUrl": "https://publicdomain.tld:"
}
}
}
and the following debug log at startup:
# node node_modules/meshcentral --debug agent,web,webrequest
MeshCentral HTTP redirection server running on port 81.
MeshCentral v1.1.22, Hybrid (LAN + WAN) mode.
MeshCentral HTTP server running on port 4443, alias port 443.
MeshCentral HTTP agent-only server running on port 8443, alias port 8443.
Loaded web certificate from "https://publicdomain.tld:", host: "publicdomain.tld"
SHA384 cert hash: .....
SHA384 key hash: .....
WEBREQUEST: (MeshAgentPublicIP) AgentPort: /agent.ashx
The (reinstalled) meshagents (I tried with android + debian) still do not connect and at least the Linux/BSD install commands still does not reflect the agent(Alias)Port
8443
.
What I did notice though is the fact that even when I manually correct the Linux/BSD install commands to point to port 8443, they cant successfully download their meshsettings from publicdomain.tld:8443
but get a 404: Not Found
. The meshagent is downloaded successfully from publicdomain.tld:8443
though. From the output of sudo -E ./meshinstall.sh https://publicdomain.tld:8443 'A9pqunopaAn5st5sqzvE4rpDxsAtDbvxz9nCFhidhpqwrnympwq32fwF5mwzyon5'
:
https://publicdomain.tld:8443/meshsettings?id=A9pqunopaAn5st5sqzvE4rpDxsAtDbvxz9nCFhidhpqwrnympwq32fwF5mwzyon5
[…]
ERROR 404: Not Found.
If I try to download the meshsettings from https://localdomain.tld/meshsettings?id=A9pqunopaAn5st5sqzvE4rpDxsAtDbvxz9nCFhidhpqwrnympwq32fwF5mwzyon5
, it is available for download.
When I try to connect using the android app (the according connection string does reflect the agentPort 8443
, but it also did before the recent changes, it immediately aborts. (i.e. it it does switch to Connected
for abourt a quarter of a second when tapping on connect
before it flips back to Disconnected
again.) The server logs one line with the follwing content for every connection attempt:
WEBREQUEST: (MeshAgentPublicIP) AgentPort: /agent.ashx
Anyone got a hint for me, what else I could try to debug this? I havent gotten any further on my own.
One additional information that might be relevant: The Meshcentral server and the reverse proxy for external agent connections are in different Subnets. Routes are set up in both directions, both can ping each other.
@netw0rk-noob can u share ur config.json
as of today please?
im gunna try have alook when i get chance
it sounds like its getting confused because you want to use 2 different DNS names, one for the web ui and 1 for the agent
then making it more confused as ur using a reverse proxy to do the tls and not meshcentral
My config is still the same it was in my last post, as I've rolled back to that config after each failed try to change something.
Regarding the different hostnames / reverse proxies: I'd like to handle the TLS for the publicly reachable agentport by my main nginx reverse proxy because it automatically renews the TLS certs for everything I'm selfhosting. Therefore I needed to enable tlsOffloading on Meshcentral, which is why I need the additional, local nginx on the MeshCentral machine to be able to access the MeshCentral Webserver with TLS (using a cert by my own LAN CA). Thats the rationale behind this setup.
If there is a better way to archive the same (Webserver only reachable from LAN, with my own TLS cert, AgentPort reachable from the internet with an automatically renewed Letsencrypt TLS cert), feel free to suggest that.
I've messed around some more and set up another instance with a different approach.
I directly forward the AgentPort
8443
to my MeshCentral server, working around the reverse proxy for agent connections.
MeshCentral handles TLS on its own, using the letsencrypt certificate which gets issued and renewed by my ReverseProxy m(which also uses it for another service which is running on 443/TCP), using the certURL
option. So on every (MeshCentral) server start MeshCentral downloads the certificate for publicdomain.tld
from the ReverseProxy.
Local access to the MeshCentral WebUI is realized with a nginx on the same machine, listening on 443
, using the localdomain.tld
certificate issued my by LAN ca. It forwards traffic to https://127.0.0.1:4443
where MeshCentral is listening on. I actually have no idea why/how this works because afaik a direct https connection to an ip address without specifying the requested domain yields an error due to missing SNI(?), at least when using a webbrowser.
The config.json
of my new test instance:
{
"$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
"settings": {
"Cert": "publicdomain.tld",
"Port": 4443,
"AliasPort": 443,
"AgentPort": 8443,
"AgentPong": 300,
"trustedProxy": [ "127.0.0.1", "::1" ],
"mpsPort": 0
},
"domains": {
"": {
"CertUrl": "https://publicdomain.tld",
"allowedOrigin": [ "publicdomain.tld", "localdomain.tld" ]
}
}
}
The nginx
site config on my new test instance:
erver {
listen 80;
server_name localdomain.tld;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name localdomain.tld;
# MeshCentral uses long standing web socket connections, set longer timeouts.
proxy_send_timeout 330s;
proxy_read_timeout 330s;
ssl_certificate /etc/nginx/certificates/localdomain.tld.pem;
ssl_certificate_key /etc/nginx/certificates/localdomain.tld.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
ssl_dhparam /etc/nginx/dh4096.pem;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:E>
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# MeshCentral Dashboard
location / {
proxy_pass https://127.0.0.1:4443/;
proxy_read_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Powered-By;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
client_max_body_size 0;
}
This setup works so far (only did some testing yet). Are there any caveats/negative implications (e.g. security-wise) running it this way?
Btw. I also tried combining this with the old setup (proxying connections through the central nginx which redirects them to https://{{MeshCentralLocalIP}}:8443
), but that only returns the known error I got before (WEBREQUEST: (X.X.X.X) AgentPort: /agent.ashx
), so somehow the central nginx seems to be the problem here, though I still have no idea why.
Edit: Even though it does work this way I'd still like to know why this error happens, because in the long run being able to proxy agent requests through nginx
allow the agents to connect on 443/tcp
which does even work in most of the locked down networks (e.g. public wifis) where 8443/tcp
often does not.
I aim for the following setup: Dashboard / WebUI only accesible from LAN, via a .local domain name with a cert from my LAN CA which is served via nginx on the same host as the meshcentral server. Meshagents / clients connecting from the internet through my reverse proxy (nginx on another host) which handles TLS with a letsencrypt cert. Connection scheme: meshAgent --publicDomain.tld:8443--> Router (NAT) --reverseProxyIP:8443-->reverseProxy (handles TLS) --meshCentralIP:8443--> MeshCentral admin --localDomain.tld:443--> nginx on MeshCentralHost (handles TLS) --127.0.0.1:4443--> MeshCentral on MeshCentralHost
The admin connections work without any problems. When a meshagent (I tried with windows, debian and android) tries to connect, the meshcentral server (run with
--debug agent,web,webrequest
) logs the following:WEBREQUEST: (MeshAgentPublicIP) AgentPort: /agent.ashx
and the client does not connect / show up in dashboard.server logs at startup:
Besides that (but thats a minor problem) the download-links (and script-links, when using the scripted linux-install) do not reflect my changes to
config.json
regardingagentPort
and/oragentAliasPort
: The download/script links point to port:443
(which is thealiasPort
of the dashboard), not to port:8443
(which is theagentPort
) and therfore do not work unless manually edited to point to port:8443
.I assume that this is a configuration mistake on my end and would be very grateful if someone could take a look at my setup. If any relevant information is missing, please ask for it.
Server Software:
Client Device:
Remote Device 1 (external):
Remote Device 2 (internal):
config.json:
nginx localdomain.tld.conf on the same host as meshCentral:
nginx publicdomain.tld.conf on the reverseProxyl: