Abyss Reverse Proxy with MeshCentral

Paulie


Joined: 20 Feb 2016
Posts: 14

Posted: Fri Dec 31, 2021 6:46 pm    Post subject: Abyss Reverse Proxy with MeshCentral

Is it possible to set up the Abyss Web Server reverse proxy for use with MeshCentral?
It is quite easy to set up with NGINX, but I'm not sure whether it's even possible with Abyss.

These are the docs to use with NGINX ...
Quote:
In this example, we will:
• Run MeshCentral on non-standard ports, but alias HTTPS to port 443.
• NGINX will be using the standard ports 80 and 443.
• We will have NGINX perform all TLS authentication & encryption.
• MeshCentral will read the NGINX web certificate so agents will perform correct server authentication.
• NGINX will be set up with long timeouts, because agents keep long-standing web socket connections.
Let's get started by configuring MeshCentral with the following values in config.json:

Code:
{
  "settings": {
    "Cert": "myservername.domain.com",
    "Port": 4430,
    "AliasPort": 443,
    "RedirPort": 800,
    "AgentPong": 300,
    "TlsOffload": "127.0.0.1"
  },
  "domains": {
    "": {
      "certUrl": "https://127.0.0.1:443/"
    }
  }
}


With this configuration, MeshCentral will be using port 4430 instead of port 443, but because "TlsOffload" is set, TLS will not be performed on port 4430. The server name is set to "myservername.domain.com", so that is the name that MeshCentral will give to agents to connect to. Also, the alias port is set to 443, so agents will be told to connect to "myservername.domain.com:443".

The "AgentPong" line instructs the server to send data to the agent every 300 seconds, and the agent by default will send data to the server every 120 seconds. As long as the NGINX timeouts are longer than this, connections should remain open.

When agents connect, they will see the NGINX TLS certificate on port 443. MeshCentral needs to know about the NGINX certificate so that it can tell the agents this is the correct certificate they should expect to see. So, "certUrl" is used to tell MeshCentral where to get the certificates that agents will see when connecting.

When NGINX forwards connections to MeshCentral, extra X-Forwarded headers will be added to each request. MeshCentral needs to know whether these headers can be trusted or not. By setting "TlsOffload" to "127.0.0.1", MeshCentral is told to trust these headers only when requests come from "127.0.0.1".

In this example, make sure to change "127.0.0.1" to the IP address of NGINX and "Cert" to the external DNS name of the NGINX server.

Next, we need to configure and launch NGINX. Here is an nginx.conf to get started:

Code:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    # HTTP server. In this example, we use a wildcard as server name.
    server {
        listen 80;
        server_name _;
        location / {
            proxy_pass http://127.0.0.1:800/;
            proxy_http_version 1.1;

            # Inform MeshCentral about the real host, port and protocol
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    # HTTPS server. In this example, we use a wildcard as server name.
    server {
        listen 443 ssl;
        server_name _;
        # MeshCentral uses long standing web socket connections, set longer timeouts.
        proxy_send_timeout 330s;
        proxy_read_timeout 330s;
        # We can use the MeshCentral generated certificate & key
        ssl_certificate webserver-cert-public.crt;
        ssl_certificate_key webserver-cert-private.key;
        ssl_session_cache shared:WEBSSL:10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://127.0.0.1:4430/;
            proxy_http_version 1.1;

            # Allows websockets over HTTPS.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            # Inform MeshCentral about the real host, port and protocol
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

As indicated in the comments of this NGINX configuration file, we set the timeouts to be really long. We forward HTTP port 80 and HTTPS port 443 to the corresponding ports on MeshCentral. In this example, we happen to use the web certificates that were generated by MeshCentral, but any certificate is fine. We also add extra "X-Forwarded" headers; these pass MeshCentral information that would normally be hidden by NGINX, such as the client's IP address.
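The quoted notes make one security-relevant point that is easy to get wrong on any reverse proxy, Abyss included: X-Forwarded-* headers must only be believed when the request actually arrived from the proxy named in "TlsOffload", otherwise any client can claim an arbitrary source address or "https". The Node.js snippet below is an added illustration of that rule and is not code from MeshCentral, NGINX or Abyss. It uses the header names from the nginx.conf above, the "settings" values from the quoted config.json, constructed sample addresses, and hypothetical helper names (`resolveClient`, `agentConnectTarget`, `keepaliveMarginOk`).

```javascript
// Added illustration (not MeshCentral, NGINX or Abyss code): how a backend
// behind a TLS-offloading reverse proxy should treat X-Forwarded-* headers,
// i.e. trust them only when the TCP peer is the configured proxy address.

// Constructed sample mirroring the "settings" block of the quoted config.json.
const sampleSettings = {
  Cert: 'myservername.domain.com',
  Port: 4430,
  AliasPort: 443,
  RedirPort: 800,
  AgentPong: 300,
  TlsOffload: '127.0.0.1',
};

// Minimal IP-literal check (dotted-quad IPv4, loose IPv6); enough for the demo.
function isIpLiteral(s) {
  const v4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
  const v6 = /^[0-9a-fA-F:]+$/;
  return v4.test(s) || (s.includes(':') && v6.test(s));
}

// "TlsOffload" names the proxy whose forwarded headers may be trusted.
// Assumption: a single IP or a comma-separated list of IPs is accepted here.
function trustedProxies(tlsOffload) {
  return String(tlsOffload)
    .split(',')
    .map((s) => s.trim())
    .filter(isIpLiteral);
}

// Work out the real client address, scheme and host for one request.
//   peerAddress: remote address of the TCP connection as the backend sees it
//   headers:     header map with lower-cased names (Node http module style)
//   tlsOffload:  the "TlsOffload" setting
// Returns { ip, proto, host, viaProxy }.
function resolveClient(peerAddress, headers, tlsOffload) {
  const h = headers || {};
  if (!trustedProxies(tlsOffload).includes(peerAddress)) {
    // Direct connection or an unknown proxy: anyone can write X-Forwarded-*
    // headers, so they are ignored and the request counts as plain HTTP.
    return { ip: peerAddress, proto: 'http', host: h['host'] || '', viaProxy: false };
  }
  // nginx's $proxy_add_x_forwarded_for appends the peer it saw to whatever
  // X-Forwarded-For the client already sent. With exactly one trusted hop the
  // rightmost entry is the one the proxy added; entries to its left are
  // client-supplied and must not be believed.
  const xff = (h['x-forwarded-for'] || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  const last = xff.length > 0 ? xff[xff.length - 1] : '';
  const ip = isIpLiteral(last) ? last : peerAddress;
  const proto = (h['x-forwarded-proto'] || '').toLowerCase() === 'https' ? 'https' : 'http';
  // X-Forwarded-Host carries "$host:$server_port" in the nginx.conf above.
  const host = h['x-forwarded-host'] || h['host'] || '';
  return { ip, proto, host, viaProxy: true };
}

// The name and port agents are told to connect to: "Cert" plus "AliasPort".
function agentConnectTarget(settings) {
  return `${settings.Cert}:${settings.AliasPort}`;
}

// The proxy's idle timeout must exceed the server-side AgentPong interval,
// or the proxy drops quiet agent web sockets before the next pong arrives.
function keepaliveMarginOk(settings, proxyReadTimeoutSec) {
  return proxyReadTimeoutSec > settings.AgentPong;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed request as NGINX (127.0.0.1) would forward it to port 4430.
  const viaNginx = resolveClient('127.0.0.1', {
    'host': 'myservername.domain.com',
    'x-forwarded-host': 'myservername.domain.com:443',
    'x-forwarded-for': '203.0.113.9',
    'x-forwarded-proto': 'https',
  }, sampleSettings.TlsOffload);
  console.log(viaNginx);
  // A direct hit on port 4430 with forged headers is not believed.
  console.log(resolveClient('203.0.113.9', { 'x-forwarded-for': '10.0.0.1' }, sampleSettings.TlsOffload));
  console.log(agentConnectTarget(sampleSettings), keepaliveMarginOk(sampleSettings, 330));
}
```

The same logic applies when Abyss sits in front: whatever address Abyss connects from must be the one named in "TlsOffload", and the proxy's idle timeout (330 s in the NGINX example) must stay above the 300-second "AgentPong" interval.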
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1225

Posted: Sun Jan 02, 2022 9:24 pm    Post subject: Re: Abyss Reverse Proxy with MeshCentral

Paulie,

Almost all these settings in NGINX can be summed up as configuring Abyss Web Server to serve an HTTP+HTTPS host which is set to act as a reverse proxy for your local MeshCentral server on 127.0.0.1, port 4430.

All the details about the headers and the rest are automatically handled by Abyss Web Server. There is no need to explain the details to its reverse proxy.
_________________
Forum Administrator
Aprelium - https://aprelium.com
Paulie


Joined: 20 Feb 2016
Posts: 14

Posted: Mon Jan 03, 2022 10:16 pm

I have tried setting up a host served on both 80 and 443 called mesh.mydomain.com

and under reverse proxy I added
remote host: 127.0.0.1
remote port: 8080

(I have MeshCentral running on port 8080.)

When I try to load mesh.mydomain.com in a browser, at best I will see bits of the web page, but most of the time it responds with error 502.
Paulie


Joined: 20 Feb 2016
Posts: 14

Posted: Tue Jan 04, 2022 6:32 pm

I would gladly purchase another Abyss Web Server license if I could get a working example of MeshCentral reverse proxied through Abyss Web Server.

Windows version of Abyss Web Server: ports 80 and 443.
Domain set up as: mesh.mydomain.com
MeshCentral on the same computer as Abyss Web Server and listening on ports 81 and 8080.

Domain: mydomain.com would serve normal web pages.

I would much rather have Abyss handle everything if possible, instead of having to install other software packages.
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1225

Posted: Tue Jan 04, 2022 10:19 pm

Paulie wrote:
I have tried setting up a host served on both 80 and 443 called
mesh.mydomain.com

and under reverse proxy I added
remote host: 127.0.0.1
remote port: 8080

(I have MeshCentral running on port 8080.)

When I try to load mesh.mydomain.com in a browser, at best I will see bits of the web page, but most of the time it responds with error 502.


Do you mean that it worked sometimes but at other attempts you received error 502?

MeshCentral needs configuration on both ends (reverse proxy and MeshCentral). So we suggest that you contact us by email for a quicker exchange until we get this running.
Paulie


Joined: 20 Feb 2016
Posts: 14

Posted: Wed Jan 05, 2022 11:17 pm

admin wrote:
So we suggest that you contact us by email for a quicker exchange until we get this running.


Email has been sent. Thanks.