MeshCentral behind NethServers Reverse Proxy

NethServer Version: 7.9.2009
Module: MeshCentral

@mrmarkuz

Hello Markus

A small question with your MeshCentral module. I’m installing it on a new server, locally it works without issues.

At this site there are 2 NethServers, only one has http and https external access. This one is running the reverse proxy for the second NethServer.

Using a reverse proxy in the traditional way does not work; the page appears as text-like HTML:

The current settings are as follows:

I also tried using the newer “Websocket” option, which does not work - at least without a “path” it does not.
What would be a correct path for MeshCentral, assuming it could work?

Or is it not possible for MeshCentral to work behind NethServer's Reverse Proxy at all?

Many thanks!

BTW: The Module is working without issues in several installations. Only here I may need a reverse Proxy…

My 2 cents
Andy

Maybe it’s a LAN/reverse proxy issue? Did you try if it works from WAN?

In /etc/httpd/conf.d/zz_meshcentral.conf there are some rewrite lines, maybe they’re needed.

You may add them in a custom reverse proxy conf file like zz_meshcustom.conf instead of the one configured in the server manager on the NethServer with the reverse proxy.

   RewriteCond %{HTTP:Upgrade} websocket [NC]
   RewriteCond %{HTTP:Connection} upgrade [NC]
   RewriteRule . ws://192.168.237.55%{REQUEST_URI} [P]

   ProxyPass / http://192.168.237.55/
   ProxyPassReverse / http://192.168.237.55/

I’m going to test it later today…

2 Likes

I only have either OpenVPN access to the LAN or access from outside at the moment… :slight_smile:

I can confirm the issue but I didn’t find a way that shows the page correctly.
I’ll try some more and report if I got it working…

1 Like

Hi

I actually have valid SSL certs on both NethServers, and traffic is passed through as https…

It works when you open the port 8989 on the MeshCentral NethServer by creating a service and setting the proxy to redirect to http://192.168.237.55:8989. “Enable Websocket” is needed too.

Meshcentral Nethserver:

Proxying Nethserver:

3 Likes
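A complete custom conf file that combines the rewrite lines quoted earlier in this thread with the port-8989 backend from the reply above, as an added example; it is not the zz_meshcentral.conf the module generates nor the file the server manager writes. It assumes the MeshCentral NethServer is 192.168.237.55 with 8989 opened to green, the public name mesh.domain.tld, and that mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_headers are loaded.

```apache
# /etc/httpd/conf.d/zz_meshcustom.conf  (added example; not a file
# generated by the MeshCentral module or the NethServer server manager)
# Assumptions: MeshCentral NethServer = 192.168.237.55, port 8989 open to
# green; public hostname mesh.domain.tld; mod_proxy, mod_proxy_http,
# mod_proxy_wstunnel, mod_rewrite and mod_headers are loaded.

# Never act as an open forward proxy; only the explicit ProxyPass applies.
ProxyRequests Off

# Pass the public Host header on, so MeshCentral sees mesh.domain.tld
# instead of the backend IP, and tell it the client arrived over HTTPS.
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"

# WebSocket upgrades (agent connections, remote desktop/terminal channels)
# must reach the ws:// backend before the plain-HTTP rule sees them.
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*)$ ws://192.168.237.55:8989/$1 [P,L]

# Everything else is ordinary HTTP to the MeshCentral port, not port 80.
ProxyPass        / http://192.168.237.55:8989/
ProxyPassReverse / http://192.168.237.55:8989/
```

After placing the file, `apachectl configtest` followed by `systemctl restart httpd` on the proxying NethServer applies it; with `ProxyRequests Off` a request for an unrelated host through this vhost is refused rather than forwarded.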

@mrmarkuz

Do I still need to forward the normal Ports 80/443?
And how, as NethServer ReverseProxy only allows one IP/Port with that specific name…

Without the port-forwarding for ports 80/443, the webpage keeps searching until timeout.

Note: The NethServer doing the Reverse Proxy is NOT the firewall, this is an OPNsense box.
I’ve tried forwarding Port 8989 to 192.168.237.20 (ReverseProxy) and directly to 192.168.237.55 (Mesh), both did not work.

Update:

I changed this:

Now:

OPNsense forwards ports 80, 443, 8989 to 192.168.237.20, which in turn forwards the ports required to 192.168.237.55.

I get the correct login page for MeshCentral, however, I can’t login anymore.
It always says wrong login / password…

I corrected the service by adding a service and setting the original meshcentral back to localhost (removing red & green solves that). Still no login.

Thanks

My 2 cents
Andy

PS:

Finally got MongoDB monitoring in Zabbix to work, now I need some “traffic” there… :slight_smile:

1 Like

I think it’s enough to have one meshcentral service entry opening the port 8989 to green.

You may try to create an account to log in; the following example creates an admin account testuser with password secret:

cd /opt/meshcentral/node_modules/

Create user:

scl enable rh-nodejs10 'node meshcentral --createaccount testuser --pass "secret"'

Enable admin permissions:

scl enable rh-nodejs10 'node meshcentral --adminaccount testuser'

Restart service:

systemctl restart meshcentral

No, as you use reverse proxy, no port forwarding is needed.

You don’t need to open 8989 as it’s just used internal.

I have the same config.
My OPNsense port forwards 80 and 443 to Neth 1.
Neth1 reverse proxies to Neth 2 port 8989.
Neth2 provides Meshcentral and has open port 8989.

Great, thanks for sharing!

1 Like

MongoDB gives a lot of data for Zabbix… :slight_smile:

@mrmarkuz

Thanks, the testuser worked…

Now to get AD Backend working. Correct SSLs are ready… :slight_smile:

1 Like

@mrmarkuz

Hi

A slight detail cropped up:

An external PC can’t register to that Mesh… :frowning:

I tried:

Logging into a test PC via VPN/RDP.
From there via Browser to https://mesh.domain.tld and logging on as admin (AD now working).
Installing an Agent on the PC - no issues.

On the WebInterface of MeshCentral, nothing shows up?

Were you able to connect an external PC in your setup?

My 2 cents
Andy

Yes, I was able to connect a VPS, I didn’t test a PC behind a firewall.

EDIT:

Did you allow the agent IP?

config setprop AgentAllowedIP 192.168.0.0/24,1.2.3.4

See also Neth wiki (under Security)

1 Like