Merge pull request #4146 from silversword411/master

Adding docs and more items to sample-config-advanced
Ylian Saint-Hilaire 2022-06-20 11:04:49 -07:00 committed by GitHub
commit 0b9d0eb60a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 80 additions and 31 deletions


@ -458,6 +458,34 @@ This first line will load many of the “meshcentral-data” files into the data
Note that MeshCentral does not currently support placing a Lets Encrypt certificate in the database. Generally, one would use a reverse proxy with Lets Encrypt support and TLS offload in the reverse proxy and then run MeshCentral in state-less mode in a Docket container.
## Commandline Options
In general, doing `--option value` is the same as adding `"option": value` in the settings section of the config.json.
Here are the most common options found by running `meshcentral --help`
```
Run as a background service
--install/uninstall Install MeshCentral as a background service.
--start/stop/restart Control MeshCentral background service.
Run standalone, console application
--user [username] Always login as [username] if account exists.
--port [number] Web server port number.
--redirport [number] Creates an additional HTTP server to redirect users to the HTTPS server.
--exactports Server must run with correct ports or exit.
--noagentupdate Server will not update mesh agent native binaries.
--nedbtodb Transfer all NeDB records into current database.
--listuserids Show a list of a user identifiers in the database.
--cert [name], (country), (org) Create a web server certificate with [name] server name.
country and organization can optionally be set.
Server recovery commands, use only when MeshCentral is offline.
--createaccount [userid] Create a new user account.
--resetaccount [userid] Unlock an account, disable 2FA and set a new account password.
--adminaccount [userid] Promote account to site administrator.
```
## TLS Offloading
A good way for MeshCentral to handle a high traffic is to setup a TLS offload device at front of the server that takes care of doing all the TLS negotiation and encryption so that the server could offload this. There are many vendors who offer TLS or SSL offload as a software module (Nginx* or Apache*) so please contact your network administrator for the best solution that suits your setup.


@ -10,7 +10,7 @@
"_WANonly": true,
"_LANonly": true,
"_maintenanceMode": true,
"_certificatePrivateKeyPassword": [ "password1", "password2" ],
"_certificatePrivateKeyPassword": ["password1", "password2"],
"_sessionTime": 60,
"_sessionKey": "MyReallySecretPassword1",
"_sessionSameSite": "strict",
@ -73,14 +73,15 @@
"_webPush": { "email": "xxxxx@xxxxx.com" },
"_publicPushNotifications": true,
"_desktopMultiplex": true,
"_ipBlockedUserRedirect": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
"_userAllowedIP": "127.0.0.1,192.168.1.0/24",
"_userBlockedIP": "127.0.0.1,::1,192.168.0.100",
"_agentAllowedIP": "192.168.0.100/24",
"_agentBlockedIP": "127.0.0.1,::1",
"_authLog": "c:\\temp\\auth.log",
"_InterUserMessaging": [ "user//admin" ],
"_manageAllDeviceGroups": [ "user//admin" ],
"_manageCrossDomain": [ "user//admin" ],
"_InterUserMessaging": ["user//admin"],
"_manageAllDeviceGroups": ["user//admin"],
"_manageCrossDomain": ["user//admin"],
"_localDiscovery": {
"name": "Local server name",
"info": "Information about this server"
@ -92,6 +93,7 @@
"_mpsAliasPort": 4433,
"_mpsAliasHost": "mps.mydomain.com",
"_mpsTlsOffload": true,
"_mpsHighSecurity": true,
"_no2FactorAuth": true,
"_runOnServerStarted": "c:\\tmp\\mcstart.bat",
"_runOnServerUpdated": "c:\\tmp\\mcupdate.bat",
@ -163,19 +165,21 @@
"title2": "Servername",
"_titlePicture": "title-sample.png",
"_loginPicture": "title-sample.png",
"_rootRedirect": "https://www.youtube.com/watch?v=Gs069dndIYk",
"_mobileSite": false,
"_unknownUserRootRedirect": "https://www.youtube.com/watch?v=2Q_ZzBGPdqE",
"_nightMode": 1,
"_userQuota": 1048576,
"_meshQuota": 248576,
"_loginKey": ["abc", "123"],
"_agentKey": ["abc", "123"],
"_ipkvm": false,
"minify": true,
"_guestDeviceSharing" : false,
"_AutoRemoveInactiveDevices": 37,
"_DeviceSearchBarServerAndClientName": false,
"_loginKey": [ "abc", "123" ],
"_agentKey": [ "abc", "123" ],
"_newAccounts": true,
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
"_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
"_userNameIsEmail": true,
"_newAccountEmailDomains": [ "sample.com" ],
"_newAccountsRights": [ "nonewgroups", "notools" ],
"_newAccountEmailDomains": ["sample.com"],
"_newAccountsRights": ["nonewgroups", "notools"],
"_welcomeText": "Sample Text on Login Page.",
"_welcomePicture": "mainwelcome.jpg",
"_welcomePictureFullScreen": false,
@ -185,6 +189,13 @@
"_hide": 4,
"_footer": "<a href='https://twitter.com/mytwitter'>Twitter</a>",
"_loginfooter": "This is a private server.",
"_allowSavingDeviceCredentials": false,
"_guestDeviceSharing": false,
"_AutoRemoveInactiveDevices": 37,
"_DeviceSearchBarServerAndClientName": false,
"_agentSelfGuestSharing": {
"expire": 120
},
"_certUrl": "https://192.168.2.106:443/",
"_altMessenging": {
"name": "Jitsi",
@ -200,7 +211,7 @@
"protocol": "http",
"port": 80,
"_ip": "192.168.1.100",
"_filter": [ "mesh/(domainid)/(meshid)", "node/(domainid)/(nodeid)" ]
"_filter": ["mesh/(domainid)/(meshid)", "node/(domainid)/(nodeid)"]
},
{
"name": "HTTPS",
@ -211,7 +222,7 @@
},
"PreconfiguredRemoteInput": [
{
"name": "CompagnyUrl",
"name": "CompanyUrl",
"value": "https://help.mycompany.com/"
},
{
@ -222,7 +233,7 @@
"name": "Welcome",
"value": "Default welcome text"
}
],
],
"myServer": {
"Backup": false,
"Restore": false,
@ -325,14 +336,24 @@
"log": "amtactivation.log",
"certs": {
"mycertname": {
"certfiles": [ "amtacm-leafcert.crt", "amtacm-intermediate1.crt", "amtacm-intermediate2.crt", "amtacm-rootcert.crt" ],
"certfiles": [
"amtacm-leafcert.crt",
"amtacm-intermediate1.crt",
"amtacm-intermediate2.crt",
"amtacm-rootcert.crt"
],
"keyfile": "amtacm-leafcert.key"
}
}
},
"_amtManager": {
"adminAccounts": [{ "user": "admin", "pass": "MyP@ssw0rd" }],
"environmentDetection": [ "domain1.com", "domain2.com", "domain3.com", "domain4.com" ],
"environmentDetection": [
"domain1.com",
"domain2.com",
"domain3.com",
"domain4.com"
],
"wifiProfiles": [
{
"name": "Profile1",
@ -355,8 +376,8 @@
"Strict-Transport-Security": "max-age=360000",
"x-frame-options": "SAMEORIGIN"
},
"_agentConfig": [ "webSocketMaskOverride=1", "coreDumpEnabled=1" ],
"_assistantConfig": [ "disableUpdate=1" ],
"_agentConfig": ["webSocketMaskOverride=1", "coreDumpEnabled=1"],
"_assistantConfig": ["disableUpdate=1"],
"_sessionRecording": {
"_onlySelectedUsers": true,
"_onlySelectedUserGroups": true,
@ -367,42 +388,42 @@
"_maxRecordingDays": 15,
"_maxRecordingSizeMegabytes": 3,
"__protocols__": "Is an array: 1 = Terminal, 2 = Desktop, 5 = Files, 100 = Intel AMT WSMAN, 101 = Intel AMT Redirection, 200 = Messenger",
"protocols": [ 1, 2, 101 ]
"protocols": [1, 2, 101]
},
"_authStrategies": {
"__comment__": "This section is used to allow users to login using other accounts. You will need to get an API key from the services and register callback URL's",
"twitter": {
"_callbackurl": "https://server/auth-twitter-callback",
"newAccounts": true,
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
"_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
"clientid": "xxxxxxxxxxxxxxxxxxxxxxx",
"clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"google": {
"_callbackurl": "https://server/auth-google-callback",
"newAccounts": true,
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
"_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
"clientid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
"clientsecret": "xxxxxxxxxxxxxxxxxxxxxxx"
},
"github": {
"_callbackurl": "https://server/auth-github-callback",
"newAccounts": true,
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
"_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
"clientid": "xxxxxxxxxxxxxxxxxxxxxxx",
"clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"reddit": {
"_callbackurl": "https://server/auth-reddit-callback",
"newAccounts": true,
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
"_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
"clientid": "xxxxxxxxxxxxxxxxxxxxxxx",
"clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"azure": {
"_callbackurl": "https://server/auth-azure-callback",
"newAccounts": true,
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
"_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
"clientid": "00000000-0000-0000-0000-000000000000",
"clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"tenantid": "00000000-0000-0000-0000-000000000000"
@ -410,7 +431,7 @@
"jumpcloud": {
"_callbackurl": "https://server/auth-jumpcloud-callback",
"newAccounts": true,
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
"_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
"entityid": "meshcentral",
"idpurl": "https://sso.jumpcloud.com/saml2/saml2",
"cert": "jumpcloud-saml.pem"
@ -419,8 +440,8 @@
"_callbackurl": "https://server/auth-saml-callback",
"_disableRequestedAuthnContext": true,
"newAccounts": true,
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
"_newAccountsRights": [ "nonewgroups", "notools" ],
"_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
"_newAccountsRights": ["nonewgroups", "notools"],
"entityid": "meshcentral",
"idpurl": "https://server/saml2",
"cert": "saml.pem"
@ -456,7 +477,7 @@
"uid": "anneonyme",
"mail": "anneonyme@example.com",
"email": "anneonyme@example.com",
"otherMail": [ "other.anneonyme@example.com", "anneonyme@example.com" ]
"otherMail": ["other.anneonyme@example.com", "anneonyme@example.com"]
},
"so": {
"displayName": "Sticker Sophie",
@ -464,7 +485,7 @@
"uid": "ssticker",
"mail": "ssticker@example.com",
"email": "ssticker@example.com",
"otherMail": [ "other.ssticker@example.com", "ssticker@example.com" ]
"otherMail": ["other.ssticker@example.com", "ssticker@example.com"]
}
},
"__LDAPOptions": {
@ -513,7 +534,7 @@
"_sendmail": {
"newline": "unix",
"path": "/usr/sbin/sendmail",
"_args": [ "-f", "foo@example.com" ]
"_args": ["-f", "foo@example.com"]
},
"_sms": {
"provider": "twilio",
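Review bot: The new `_agentSelfGuestSharing` entry sets `"expire": 120` without stating the unit, so an administrator enabling self-created guest links cannot tell from the sample how long a link stays valid. This file already documents values inline with description keys such as `__protocols__` and `__comment__`, and the same could be done inside this object, e.g. `"__expire__": "Lifetime of a self-created guest sharing link, in <unit — confirm against the config schema>"`. The neighbouring `_allowSavingDeviceCredentials`, and `_mpsHighSecurity` in the MPS block (which appears to be new in this commit), are security-affecting switches that would benefit from a one-line description in the same style.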