From bfacd5ed731693cb220b28b90a99588ba92ceab9 Mon Sep 17 00:00:00 2001
From: silversword411
Date: Mon, 20 Jun 2022 07:25:03 -0400
Subject: [PATCH 1/3] Adding more items to advanced json
---
 sample-config-advanced.json | 84 +++++++++++++++++++++++--------------
 1 file changed, 52 insertions(+), 32 deletions(-)
diff --git a/sample-config-advanced.json b/sample-config-advanced.json
index 5cab7390..622064f1 100644
--- a/sample-config-advanced.json
+++ b/sample-config-advanced.json
@@ -10,7 +10,7 @@
 "_WANonly": true,
 "_LANonly": true,
 "_maintenanceMode": true,
- "_certificatePrivateKeyPassword": [ "password1", "password2" ],
+ "_certificatePrivateKeyPassword": ["password1", "password2"],
 "_sessionTime": 60,
 "_sessionKey": "MyReallySecretPassword1",
 "_sessionSameSite": "strict",
@@ -38,7 +38,6 @@
 "_agentCoreDump": true,
 "_agentCoreDumpUsers": "user1,user2",
 "_agentSignLock": true,
- "_agentTimeStampServer": "http://timestamp.digicert.com",
 "_ignoreAgentHashCheck": true,
 "_exactPorts": true,
 "_allowLoginToken": true,
@@ -73,14 +72,15 @@
 "_webPush": { "email": "xxxxx@xxxxx.com" },
 "_publicPushNotifications": true,
 "_desktopMultiplex": true,
+ "_ipBlockedUserRedirect": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
 "_userAllowedIP": "127.0.0.1,192.168.1.0/24",
 "_userBlockedIP": "127.0.0.1,::1,192.168.0.100",
 "_agentAllowedIP": "192.168.0.100/24",
 "_agentBlockedIP": "127.0.0.1,::1",
 "_authLog": "c:\\temp\\auth.log",
- "_InterUserMessaging": [ "user//admin" ],
- "_manageAllDeviceGroups": [ "user//admin" ],
- "_manageCrossDomain": [ "user//admin" ],
+ "_InterUserMessaging": ["user//admin"],
+ "_manageAllDeviceGroups": ["user//admin"],
+ "_manageCrossDomain": ["user//admin"],
 "_localDiscovery": {
 "name": "Local server name",
 "info": "Information about this server"
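Review bot: The new `_ipBlockedUserRedirect` entry points at a live third-party video URL, and `_rootRedirect` and `_unknownUserRootRedirect` in the `@@ -163,19 +164,21 @@` hunk do the same; this file is a template that operators copy and un-prefix, so a deployment that enables these keys unchanged sends blocked or unauthenticated visitors to an external site the operator does not control. Use a reserved placeholder domain instead, e.g. `"_ipBlockedUserRedirect": "https://example.com/blocked"` (RFC 2606 reserves example.com for exactly this), so the value is obviously a stand-in and inert until edited. The same replacement applies to the two redirect keys in the later hunk.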
@@ -92,6 +92,7 @@
 "_mpsAliasPort": 4433,
 "_mpsAliasHost": "mps.mydomain.com",
 "_mpsTlsOffload": true,
+ "_mpsHighSecurity": true,
 "_no2FactorAuth": true,
 "_runOnServerStarted": "c:\\tmp\\mcstart.bat",
 "_runOnServerUpdated": "c:\\tmp\\mcupdate.bat",
@@ -163,19 +164,21 @@
 "title2": "Servername",
 "_titlePicture": "title-sample.png",
 "_loginPicture": "title-sample.png",
+ "_rootRedirect": "https://www.youtube.com/watch?v=Gs069dndIYk",
+ "_mobileSite": false,
+ "_unknownUserRootRedirect": "https://www.youtube.com/watch?v=2Q_ZzBGPdqE",
+ "_nightMode": 1,
 "_userQuota": 1048576,
 "_meshQuota": 248576,
+ "_loginKey": ["abc", "123"],
+ "_agentKey": ["abc", "123"],
+ "_ipkvm": false,
 "minify": true,
- "_guestDeviceSharing" : false,
- "_AutoRemoveInactiveDevices": 37,
- "_DeviceSearchBarServerAndClientName": false,
- "_loginKey": [ "abc", "123" ],
- "_agentKey": [ "abc", "123" ],
 "_newAccounts": true,
- "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+ "_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
 "_userNameIsEmail": true,
- "_newAccountEmailDomains": [ "sample.com" ],
- "_newAccountsRights": [ "nonewgroups", "notools" ],
+ "_newAccountEmailDomains": ["sample.com"],
+ "_newAccountsRights": ["nonewgroups", "notools"],
 "_welcomeText": "Sample Text on Login Page.",
 "_welcomePicture": "mainwelcome.jpg",
 "_welcomePictureFullScreen": false,
@@ -185,6 +188,13 @@
 "_hide": 4,
 "_footer": "Twitter",
 "_loginfooter": "This is a private server.",
+ "_allowSavingDeviceCredentials": false,
+ "_guestDeviceSharing": false,
+ "_AutoRemoveInactiveDevices": 37,
+ "_DeviceSearchBarServerAndClientName": false,
+ "_agentSelfGuestSharing": {
+ "expire": 120
+ },
 "_certUrl": "https://192.168.2.106:443/",
 "_altMessenging": {
 "name": "Jitsi",
@@ -200,7 +210,7 @@
 "protocol": "http",
 "port": 80,
 "_ip": "192.168.1.100",
- "_filter": [ "mesh/(domainid)/(meshid)", "node/(domainid)/(nodeid)" ]
+ "_filter": ["mesh/(domainid)/(meshid)", "node/(domainid)/(nodeid)"]
 },
 {
 "name": "HTTPS",
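Review bot: `"expire": 120` inside the new `_agentSelfGuestSharing` object in the `@@ -185,6 +188,13 @@` hunk carries no unit, and nothing in the hunk says whether it is seconds, minutes or hours, so a reader copying this sample cannot tell how long a self-created guest share stays valid. If, as the key name suggests, these shares are links usable by whoever holds them, misreading the unit changes the exposure window by a factor of 60 in either direction. This file already documents ambiguous values with a double-underscore key (`"__protocols__"` beside `"protocols"` in the `_sessionRecording` section), so add one here once the unit is confirmed against the server code, e.g. `"__expire__": "<unit of expire — TODO confirm>"`.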
@@ -211,7 +221,7 @@
 },
 "PreconfiguredRemoteInput": [
 {
- "name": "CompagnyUrl",
+ "name": "CompanyUrl",
 "value": "https://help.mycompany.com/"
 },
 {
@@ -222,7 +232,7 @@
 "name": "Welcome",
 "value": "Default welcome text"
 }
- ],
+ ],
 "myServer": {
 "Backup": false,
 "Restore": false,
@@ -325,14 +335,24 @@
 "log": "amtactivation.log",
 "certs": {
 "mycertname": {
- "certfiles": [ "amtacm-leafcert.crt", "amtacm-intermediate1.crt", "amtacm-intermediate2.crt", "amtacm-rootcert.crt" ],
+ "certfiles": [
+ "amtacm-leafcert.crt",
+ "amtacm-intermediate1.crt",
+ "amtacm-intermediate2.crt",
+ "amtacm-rootcert.crt"
+ ],
 "keyfile": "amtacm-leafcert.key"
 }
 }
 },
 "_amtManager": {
 "adminAccounts": [{ "user": "admin", "pass": "MyP@ssw0rd" }],
- "environmentDetection": [ "domain1.com", "domain2.com", "domain3.com", "domain4.com" ],
+ "environmentDetection": [
+ "domain1.com",
+ "domain2.com",
+ "domain3.com",
+ "domain4.com"
+ ],
 "wifiProfiles": [
 {
 "name": "Profile1",
@@ -355,8 +375,8 @@
 "Strict-Transport-Security": "max-age=360000",
 "x-frame-options": "SAMEORIGIN"
 },
- "_agentConfig": [ "webSocketMaskOverride=1", "coreDumpEnabled=1" ],
- "_assistantConfig": [ "disableUpdate=1" ],
+ "_agentConfig": ["webSocketMaskOverride=1", "coreDumpEnabled=1"],
+ "_assistantConfig": ["disableUpdate=1"],
 "_sessionRecording": {
 "_onlySelectedUsers": true,
 "_onlySelectedUserGroups": true,
@@ -367,42 +387,42 @@
 "_maxRecordingDays": 15,
 "_maxRecordingSizeMegabytes": 3,
 "__protocols__": "Is an array: 1 = Terminal, 2 = Desktop, 5 = Files, 100 = Intel AMT WSMAN, 101 = Intel AMT Redirection, 200 = Messenger",
- "protocols": [ 1, 2, 101 ]
+ "protocols": [1, 2, 101]
 },
 "_authStrategies": {
 "__comment__": "This section is used to allow users to login using other accounts. You will need to get an API key from the services and register callback URL's",
 "twitter": {
 "_callbackurl": "https://server/auth-twitter-callback",
 "newAccounts": true,
- "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+ "_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
 "clientid": "xxxxxxxxxxxxxxxxxxxxxxx",
 "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 },
 "google": {
 "_callbackurl": "https://server/auth-google-callback",
 "newAccounts": true,
- "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+ "_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
 "clientid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
 "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxx"
 },
 "github": {
 "_callbackurl": "https://server/auth-github-callback",
 "newAccounts": true,
- "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+ "_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
 "clientid": "xxxxxxxxxxxxxxxxxxxxxxx",
 "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 },
 "reddit": {
 "_callbackurl": "https://server/auth-reddit-callback",
 "newAccounts": true,
- "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+ "_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
 "clientid": "xxxxxxxxxxxxxxxxxxxxxxx",
 "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 },
 "azure": {
 "_callbackurl": "https://server/auth-azure-callback",
 "newAccounts": true,
- "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+ "_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
 "clientid": "00000000-0000-0000-0000-000000000000",
 "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 "tenantid": "00000000-0000-0000-0000-000000000000"
@@ -410,7 +430,7 @@
 "jumpcloud": {
 "_callbackurl": "https://server/auth-jumpcloud-callback",
 "newAccounts": true,
- "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+ "_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
 "entityid": "meshcentral",
 "idpurl": "https://sso.jumpcloud.com/saml2/saml2",
 "cert": "jumpcloud-saml.pem"
@@ -419,8 +439,8 @@
 "_callbackurl": "https://server/auth-saml-callback",
 "_disableRequestedAuthnContext": true,
 "newAccounts": true,
- "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
- "_newAccountsRights": [ "nonewgroups", "notools" ],
+ "_newAccountsUserGroups": ["ugrp//xxxxxxxxxxxxxxxxx"],
+ "_newAccountsRights": ["nonewgroups", "notools"],
 "entityid": "meshcentral",
 "idpurl": "https://server/saml2",
 "cert": "saml.pem"
@@ -456,7 +476,7 @@
 "uid": "anneonyme",
 "mail": "anneonyme@example.com",
 "email": "anneonyme@example.com",
- "otherMail": [ "other.anneonyme@example.com", "anneonyme@example.com" ]
+ "otherMail": ["other.anneonyme@example.com", "anneonyme@example.com"]
 },
 "so": {
 "displayName": "Sticker Sophie",
@@ -464,7 +484,7 @@
 "uid": "ssticker",
 "mail": "ssticker@example.com",
 "email": "ssticker@example.com",
- "otherMail": [ "other.ssticker@example.com", "ssticker@example.com" ]
+ "otherMail": ["other.ssticker@example.com", "ssticker@example.com"]
 }
 },
 "__LDAPOptions": {
@@ -513,7 +533,7 @@
 "_sendmail": {
 "newline": "unix",
 "path": "/usr/sbin/sendmail",
- "_args": [ "-f", "foo@example.com" ]
+ "_args": ["-f", "foo@example.com"]
 },
 "_sms": {
 "provider": "twilio",
From 10fc9ba2bc71ca634203b5fd06cb8337dcf3edb2 Mon Sep 17 00:00:00 2001
From: silversword411
Date: Mon, 20 Jun 2022 07:32:17 -0400
Subject: [PATCH 2/3] docs - adding meshcentral commandline options
---
 docs/docs/meshcentral/index.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/docs/docs/meshcentral/index.md b/docs/docs/meshcentral/index.md
index 6b40222c..38d51490 100644
--- a/docs/docs/meshcentral/index.md
+++ b/docs/docs/meshcentral/index.md
@@ -458,6 +458,34 @@ This first line will load many of the “meshcentral-data” files into the data
 Note that MeshCentral does not currently support placing a Let’s Encrypt certificate in the database. Generally, one would use a reverse proxy with Let’s Encrypt support and TLS offload in the reverse proxy and then run MeshCentral in state-less mode in a Docket container.
+## Commandline Options
+
+In general, doing `--option value` is the same as adding `"option": value` in the settings section of the config.json.
+
+Here are the most common options found by running `meshcentral --help`
+
+```
+Run as a background service
+ --install/uninstall Install MeshCentral as a background service.
+ --start/stop/restart Control MeshCentral background service.
+
+Run standalone, console application
+ --user [username] Always login as [username] if account exists.
+ --port [number] Web server port number.
+ --redirport [number] Creates an additional HTTP server to redirect users to the HTTPS server.
+ --exactports Server must run with correct ports or exit.
+ --noagentupdate Server will not update mesh agent native binaries.
+ --nedbtodb Transfer all NeDB records into current database.
+ --listuserids Show a list of a user identifiers in the database.
+ --cert [name], (country), (org) Create a web server certificate with [name] server name.
+ country and organization can optionally be set.
+
+Server recovery commands, use only when MeshCentral is offline.
+ --createaccount [userid] Create a new user account.
+ --resetaccount [userid] Unlock an account, disable 2FA and set a new account password.
+ --adminaccount [userid] Promote account to site administrator.
+```
+
 ## TLS Offloading
 A good way for MeshCentral to handle a high traffic is to setup a TLS offload device at front of the server that takes care of doing all the TLS negotiation and encryption so that the server could offload this.
 There are many vendors who offer TLS or SSL offload as a software module (Nginx* or Apache*) so please contact your network administrator for the best solution that suits your setup.
From 025daa3a1358be0b7be38c5bc4599841a4d167c7 Mon Sep 17 00:00:00 2001
From: silversword411
Date: Mon, 20 Jun 2022 07:46:19 -0400
Subject: [PATCH 3/3] Adding back agentTimeStampServer
---
 sample-config-advanced.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sample-config-advanced.json b/sample-config-advanced.json
index 622064f1..69218339 100644
--- a/sample-config-advanced.json
+++ b/sample-config-advanced.json
@@ -38,6 +38,7 @@
 "_agentCoreDump": true,
 "_agentCoreDumpUsers": "user1,user2",
 "_agentSignLock": true,
+ "_agentTimeStampServer": "http://timestamp.digicert.com",
 "_ignoreAgentHashCheck": true,
 "_exactPorts": true,
 "_allowLoginToken": true,