Self hosted GLPI (latest) accessible via LAN and Internet?

Hi all,

I would like to host GLPI-latest in a larger environment with about ~250 users and make it accessible via LAN and Internet.

Nethserver will be added to an already existing Windows 2019 AD. A firewall appliance also exists… What would be the most secure best practice scenario in this setup?

IMVHO VPN. No internet, only VPN access.

My first thought was reverse-proxy but I do not have any experience with it. VPN would be too much work and a problem on BYOD…

GLPi with Fusion Inventory and Flyve MDM: try this, leaving out the nethserver steps, flyve etc., on Debian with LAMP. Use nethserver as reverse proxy: point the DNS record externally (for the glpi URL) to nethserver and have nethserver reverse proxy to the glpi server’s internal IP. I currently have this working on Proxmox at the moment. As for security, while I agree with using VPN, I also agree about the hassle.

Thank you for your answer, I will test it as soon as possible…

Someone here with a working GLPI-latest / Fusioninventory plugin combination?

I try to get the Fusioninventory agent working… I always get this error:

Do you mean the glpi agent or the fusion inventory module?

Ignore that, I didn’t read the issue properly.

What version of Windows are you trying to run the agent on? Also, the agent is trying to run on http instead of https.

You may have already looked over the manual, but in case someone else comes across this: to get the manual, from Windows cmd run

C:\> fusioninventory-agent_windows-<platform>_<version>.exe /help

Additional information can be found here: Microsoft Windows installation for Fusioninventory Agent - FusionInventory

I haven’t tried using the agent without flyve, so I’m testing on my MacBook. Looks like it’s a similar setup for all OSes with minor tweaks.

I mean the Windows 64-bit OS: fusioninventory-agent_windows-x64_2.6.exe from here to work with the FusionInventory Plugin installed on GLPI-latest.

On the install page it gives a way to do it with a Visual Basic script, see https://raw.githubusercontent.com/fusioninventory/fusioninventory-agent/develop/contrib/windows/fusioninventory-agent-deployment.vbs

But as for your error: 2.6 is the latest. The error message makes me think two things:

  1. it’s trying to connect to http://192.168.100.168:444 instead of https://192.168.100.168 (or if I’m wrong about that it’s working but after being redirected to https it’s getting confused)

  2. Permissions: it may be that the agent is working correctly, but trying to connect to http://ip/glpi/plugins/fusioninventory it’s getting denied

So just to check a few things: is your glpi GUI accessible from https://ip/glpi or https://ip?

Also, what are the settings you used during install on Windows, if your steps were like

Did you put https://192.168.100.168/glpi/plugins/fusioninventory/ or http://192.168.100.168/glpi/plugins/fusioninventory/?

also some discussion on running glpi on dmz some relevance

Also, on the PC you’re trying to make it work with, did you select the built-in web server option? If so, make sure you can see the service page at http://localhost:62354/

PS C:\Program Files\FusionInventory-Agent> .\fusioninventory-agent.bat --logger=Stderr --debug --server=http://192.168.100.168/glpi/plugins/fusioninventory/
[debug] Logger backend File initialised
[debug] FusionInventory Agent (2.6)
[debug] Configuration directory: C:\Program Files\FusionInventory-Agent\etc
[debug] Data directory: C:\Program Files\FusionInventory-Agent/share
[debug] Storage directory: C:\Program Files\FusionInventory-Agent/var
[debug] Lib directory: C:\Program Files\FusionInventory-Agent/perl/agent
[debug] [target server0] Next server contact planned for Mon Dec  6 01:40:43 2021
[debug] Available tasks:
[debug] - Maintenance: 1.1
[debug] - WMI: 0.3
[debug] - NetInventory: 4.2
[debug] - NetDiscovery: 4.2
[debug] - Collect: 2.6
[debug] - Inventory: 1.10
[debug] - ESX: 2.6
[debug] - Deploy: 2.8
[debug] - WakeOnLan: 2.2
[debug] target server0: server http://192.168.100.168/glpi/plugins/fusioninventory/
[debug] Planned tasks for server0:
[debug] - WMI: 0.3
[debug] - NetInventory: 4.2
[debug] - NetDiscovery: 4.2
[debug] - Collect: 2.6
[debug] - Inventory: 1.10
[debug] - ESX: 2.6
[debug] - Deploy: 2.8
[debug] - WakeOnLan: 2.2
[debug] target scheduler0: scheduler
[debug] Planned tasks for scheduler0:
[debug] - Maintenance: 1.1
[debug] Provided by Fusioninventory
[debug] Installer built with Appveyor on Fri Nov 27 15:35:24 UTC 2020
[debug] Logger backend File initialised
[debug] Running in foreground mode
[info] target server0: server http://192.168.100.168/glpi/plugins/fusioninventory/
[debug] [http client] Using Compress::Zlib for compression
[info] sending prolog request to server0
[error] [http client] communication error: 500 Can't connect to 192.168.100.168:443 (Bad file descriptor)
[error] No answer from server at http://192.168.100.168/glpi/plugins/fusioninventory/
[info] running task Maintenance

Accessible on https://192.168.100.168/glpi/

http://192.168.100.168/glpi/plugins/fusioninventory/

My understanding is it should be set to https://192.168.100.168/glpi/plugins/fusioninventory/

Should be able to edit the bat file C:\Program Files\FusionInventory-Agent\fusioninventory-agent.bat

I’m checking to see if permissions are a potential issue, as the agent AFAIK queries the PC, then generates a report in XML format, then uploads it to glpi.

I’ve found a workaround. I’m testing it now; if it works I’ll post the steps.

While testing the workaround I tried curl http://host/glpi/plugins/fusioninventory/
and got

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://host/plugins/fusioninventory/">here</a>.</p>
</body></html>

So I’m thinking the agent is trying to query the server to get instructions but is being met with the redirection notice and giving up. Try changing the http to https in the bat file, try again and post the results.

Update:

I was wrong: keep the http:// in the bat file and make sure to unhash local = /tmp

in my agent.cfg (it’s Mac, not Windows, so the bat file would be the Windows equivalent)

truncated
# send tasks results to a FusionInventory for GLPI server
server = http://ip/glpi/plugins/fusioninventory/
# write tasks results in a directory
local = /tmp

Also make sure the permissions on the server have the Apache user, i.e. www-data (if Ubuntu or Debian) or httpd (if CentOS or Red Hat):
chown -R www-data:www-data /var/www/html/glpi/plugins/fusioninventory   # /var/www/html is an example path
Restart the machine and run force inventory, and in a few minutes it should appear in Fusion Inventory.

Let me know if you have issues with the above advice. If so, I’ll try to get access to a Windows machine and test.

I’ve just successfully tested with the glpi inventory app on my phone using the above settings.

I was able to do it with the portable version of the agent: fusioninventory-agent_windows-x64_2.6-portable.exe

I just changed two things in the /etc/agent.conf:

server = https://192.168.100.168/glpi/plugins/fusioninventory/
no-ssl-check = 1

The full agent.conf is here:

# fusioninventory agent configuration

# all defined values match default
# all commented values are examples

#
# Target definition options
#

# send tasks results to an OCS server
#server = http://server.domain.com/ocsinventory
# send tasks results to a FusionInventory for GLPI server
server = https://192.168.100.168/glpi/plugins/fusioninventory/
# write tasks results in a directory
#local = /tmp

#
# Task definition options
#

# disable software deployment tasks
#no-task = deploy
#tasks = inventory,deploy,inventory

#
# Target scheduling options
#

# maximum delay before first target, in seconds
# Also the maximum delay on network error. Delay on network error starts
# from 60, is doubled at each new failed attempt until reaching delaytime.
delaytime = 3600
# do not contact the target before next scheduled time
lazy = 0

#
# Inventory task specific options
#

# do not list local printers
# no-category = printer
# allow to scan user home directories
scan-homedirs = 0
# allow to scan user profiles
scan-profiles = 0
# save the inventory as HTML
html = 0
# timeout for inventory modules execution
backend-collect-timeout = 180
# always send data to server
force = 0
# additional inventory content file
additional-content =

#
# Package deployment task specific options
#

# do not use peer to peer to download files
no-p2p = 0

#
# Network options
#

# proxy address
proxy =
# user name for server authentication
user =
# password for server authentication
password =
# CA certificates directory
ca-cert-dir =
# CA certificates file
ca-cert-file =
# do not check server SSL certificate
no-ssl-check = 1
# connection timeout, in seconds
timeout = 180

#
# Web interface options
#

# disable embedded web server
no-httpd = 0
# network interface to listen to
httpd-ip = 0.0.0.0
# network port to listen to
httpd-port = 62354
# trust requests without authentication token
httpd-trust = 127.0.0.1/32

#
# Logging options
#

# Logger backend, either Stderr, File or Syslog (Stderr)
logger = File
# log file
logfile = 'C:\Program Files\FusionInventory-Agent\logs\fusioninventory-agent.log'
# maximum log file size, in MB
#logfile-maxsize = 0
# Syslog facility
logfacility = LOG_USER
# Use color in the console
color = 0

#
# Execution mode options
#

# add given tag to inventory results
tag =
# debug mode
debug = 0

# time to wait to reload config (0 means no reload, it's default value)
# conf-reload-interval = 0

# Since 2.4, you can include all .cfg files from a folder or any given file
# For example:
#   1. file "conf.d/tag.cfg" contains "tag = 'entity123'"
#      using "include 'conf.d' will set tag to 'entity123'
#   2. file "/etc/production/glpi-tag" contains "tag = 'entity123'"
#      using "include '/etc/production/glpi-tag' will set tag to 'entity123'
# Remark:
#   1. Prefer to use full path to avoid confusion, but be aware relative paths are
#      relative against current config file folder
#   2. A parameter set in included file can be over-rided if set again after the directive
#   3. *.cfg files are read in order in folder, it's better to prefix them with a number
#   4. Package maintainers are encouraged to use this feature to avoid conflict
#      during upgrades after configuration update
#
#include "conf.d/"
#include "agent.local"

include "conf.d/"

I used PowerShell with admin rights, with or without the debug option:

PS C:\Users\support\Downloads\FusionInventory-Agent> .\fusioninventory-agent.bat --debug

Now let’s see how to deploy the agent to all clients automatically…

Are they with AD (nethserver or MS)? If so, just deploy with group policy. Should be able to use the bat script instead of the exe, or make a bat script with parameters to run once and have it call the install in silent mode.

GPO: Installing the FusionInventory Agent

exactly

I use this startup script now to install the Fusioninventory Agent:

@echo off
if exist "C:\Program Files\FusionInventory-Agent\fusioninventory-agent.bat" (
  echo "Installed!"
) else (
\\ad.mydomain.lan\sysvol\ad.mydomain.lan\programs\fusioninventory\fusioninventory-agent_windows-x64_2.6.exe /acceptlicense /execmode=service /installtasks=Collect,Deploy,Inventory,NetDiscovery,NetInventory /runnow /S /httpd /httpd-ip=0.0.0.0 /httpd-port=62354 /httpd-trust='192.168.100.0/24,fe80::/64,127.0.0.0/8,::1/128' /server='https://192.168.100.168/glpi/plugins/fusioninventory' /logfile=64 /no-ssl-check /password=admin /user=admin /scan-homedirs /scan-profiles /tag='mydomain.lan' /tasks=Collect,Deploy,Inventory,NetDiscovery,NetInventory /add-firewall-exception
)
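
A check for the settings posted in the agent.conf and in the startup script above, as an added example that is not part of the original thread or of FusionInventory: it reads either form and reports the options that weaken the agent (certificate checking disabled, a clear-text password, the embedded web server bound to all interfaces, token-less trust beyond loopback). The function names and sample strings are constructed for illustration; option names and their meanings are taken from the agent.conf comments quoted in the thread.

```python
import ipaddress
import shlex
from urllib.parse import urlparse

# Constructed samples built from values posted in this thread; names are illustrative.
SAMPLE_CONF = ("server = https://192.168.100.168/glpi/plugins/fusioninventory/\n"
               "no-ssl-check = 1\npassword =\nhttpd-ip = 0.0.0.0\nhttpd-trust = 127.0.0.1/32\n")
SAMPLE_SWITCHES = ("/httpd-ip=0.0.0.0 /no-ssl-check /user=admin /password=admin "
                   "/httpd-trust='192.168.100.0/24,fe80::/64,127.0.0.0/8,::1/128' "
                   "/server='https://192.168.100.168/glpi/plugins/fusioninventory'")

def parse_conf(text):  # agent.conf form: "key = value", "#" starts a comment
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().strip("'\"")
    return opts

def parse_switches(cmdline):  # installer form: /name or /name=value
    opts = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("/"):
            key, _, value = tok[1:].partition("=")
            opts[key.lower()] = value or "1"  # a bare switch counts as enabled
    return opts

def non_loopback(trust):
    wide = []
    for net in filter(None, map(str.strip, trust.split(","))):
        try:
            if not ipaddress.ip_network(net, strict=False).is_loopback:
                wide.append(net)
        except ValueError:  # a host name cannot be shown to be loopback
            wide.append(net)
    return wide

def audit(opts):  # returns (option, reason) pairs for settings that weaken the agent
    wide = non_loopback(opts.get("httpd-trust", ""))
    checks = [
        ("server", urlparse(opts.get("server", "")).scheme != "https",
         "inventory is sent without TLS"),
        ("no-ssl-check", opts.get("no-ssl-check", "0") not in ("", "0"),
         "server certificate is not verified; use ca-cert-file instead"),
        ("password", bool(opts.get("password")), "credential stored in clear text"),
        ("httpd-ip", opts.get("httpd-ip") == "0.0.0.0", "listens on all interfaces"),
        ("httpd-trust", bool(wide), "no token required from " + ", ".join(wide)),
    ]
    return [(name, why) for name, hit, why in checks if hit]
```

Run `audit(parse_conf(...))` on a deployed agent.conf or `audit(parse_switches(...))` on the installer line of a startup script; an empty list means none of these settings is present.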