mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-23 05:42:13 +03:00
Added NGNX reverse-proxy support.
This commit is contained in:
parent
829d2e9c83
commit
36cddd5652
@ -39,7 +39,7 @@ module.exports.CertificateOperations = function () {
|
||||
} else { func(url, null, tag); }
|
||||
};
|
||||
|
||||
// Return the SHA386 hash of the certificate public key
|
||||
// Return the SHA384 hash of the certificate public key
|
||||
obj.getPublicKeyHash = function (cert) {
|
||||
var publickey = obj.pki.certificateFromPem(cert).publicKey;
|
||||
return obj.pki.getPublicKeyFingerprint(publickey, { encoding: "hex", md: obj.forge.md.sha384.create() });
|
||||
@ -122,7 +122,7 @@ module.exports.CertificateOperations = function () {
|
||||
rcount++;
|
||||
}
|
||||
|
||||
if (args.tlsoffload === true) {
|
||||
if (args.tlsoffload) {
|
||||
// If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
|
||||
if (obj.fileExists(parent.getConfigFilePath("webserver-cert-public.crt"))) {
|
||||
r.web = { cert: obj.fs.readFileSync(parent.getConfigFilePath("webserver-cert-public.crt"), "utf8") };
|
||||
@ -204,7 +204,7 @@ module.exports.CertificateOperations = function () {
|
||||
for (i in config.domains) {
|
||||
if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) {
|
||||
dnsname = config.domains[i].dns;
|
||||
if (args.tlsoffload === true) {
|
||||
if (args.tlsoffload) {
|
||||
// If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
|
||||
if (obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt"))) {
|
||||
r.dns[i] = { cert: obj.fs.readFileSync(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt"), "utf8") };
|
||||
@ -370,7 +370,7 @@ module.exports.CertificateOperations = function () {
|
||||
for (i in config.domains) {
|
||||
if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) {
|
||||
dnsname = config.domains[i].dns;
|
||||
if (args.tlsoffload != true) {
|
||||
if (!args.tlsoffload) {
|
||||
// If the web certificate does not exist, create it
|
||||
if ((obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt")) === false) || (obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-private.key")) === false)) {
|
||||
console.log("Generating HTTPS certificate for " + i + "...");
|
||||
|
32
meshagent.js
32
meshagent.js
@ -38,10 +38,10 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
obj.agentInfo = null;
|
||||
obj.agentUpdate = null;
|
||||
const agentUpdateBlockSize = 65520;
|
||||
obj.remoteaddr = obj.ws._socket.remoteAddress;
|
||||
obj.useSHA386 = false;
|
||||
obj.agentConnectCount = ++AgentConnectCount;
|
||||
obj.remoteaddr = req.ip;
|
||||
if (obj.remoteaddr.startsWith('::ffff:')) { obj.remoteaddr = obj.remoteaddr.substring(7); }
|
||||
obj.remoteaddrport = obj.remoteaddr + ':' + obj.ws._socket.remotePort;
|
||||
obj.agentConnectCount = ++AgentConnectCount;
|
||||
ws._socket.setKeepAlive(true, 240000); // Set TCP keep alive, 4 minutes
|
||||
|
||||
// Send a message to the mesh agent
|
||||
@ -49,8 +49,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
|
||||
// Disconnect this agent
|
||||
obj.close = function (arg) {
|
||||
if ((arg == 1) || (arg == null)) { try { obj.ws.close(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Soft disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } } catch (e) { console.log(e); } } // Soft close, close the websocket
|
||||
if (arg == 2) { try { obj.ws._socket._parent.end(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Hard disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } } catch (e) { console.log(e); } } // Hard close, close the TCP socket
|
||||
if ((arg == 1) || (arg == null)) { try { obj.ws.close(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Soft disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } } catch (e) { console.log(e); } } // Soft close, close the websocket
|
||||
if (arg == 2) { try { obj.ws._socket._parent.end(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Hard disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } } catch (e) { console.log(e); } } // Hard close, close the TCP socket
|
||||
if (arg == 3) { obj.authenticated = -1; } // Don't communicate with this agent anymore, but don't disconnect (Duplicate agent).
|
||||
if (obj.parent.wsagents[obj.dbNodeKey] == obj) {
|
||||
delete obj.parent.wsagents[obj.dbNodeKey];
|
||||
@ -197,8 +197,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
if ((msg.length != 98) || ((obj.receivedCommands & 1) != 0)) return;
|
||||
obj.receivedCommands += 1; // Agent can't send the same command twice on the same connection ever. Block DOS attack path.
|
||||
|
||||
// Check that the server hash matches our own web certificate hash (SHA386)
|
||||
if (getWebCertHash(obj.domain) != msg.substring(2, 50)) { console.log('Agent connected with bad web certificate hash (' + (new Buffer(getWebCertHash(obj.domain), 'binary').toString('hex').substring(0, 10)) + ' != ' + (new Buffer(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddr + ').'); return; }
|
||||
// Check that the server hash matches our own web certificate hash (SHA384)
|
||||
if (getWebCertHash(obj.domain) != msg.substring(2, 50)) { console.log('Agent connected with bad web certificate hash (' + (new Buffer(getWebCertHash(obj.domain), 'binary').toString('hex').substring(0, 10)) + ' != ' + (new Buffer(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddrport + ').'); return; }
|
||||
|
||||
// Use our server private key to sign the ServerHash + AgentNonce + ServerNonce
|
||||
obj.agentnonce = msg.substring(50, 98);
|
||||
@ -223,7 +223,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
|
||||
// Check the agent signature if we can
|
||||
if (obj.unauthsign != null) {
|
||||
if (processAgentSignature(obj.unauthsign) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddr + ').'); return; } else { completeAgentConnection(); }
|
||||
if (processAgentSignature(obj.unauthsign) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddrport + ').'); return; } else { completeAgentConnection(); }
|
||||
}
|
||||
}
|
||||
else if (cmd == 2) {
|
||||
@ -238,7 +238,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
obj.unauth.nodeCertPem = '-----BEGIN CERTIFICATE-----\r\n' + new Buffer(msg.substring(4, 4 + certlen), 'binary').toString('base64') + '\r\n-----END CERTIFICATE-----';
|
||||
|
||||
// Check the agent signature if we can
|
||||
if (obj.agentnonce == null) { obj.unauthsign = msg.substring(4 + certlen); } else { if (processAgentSignature(msg.substring(4 + certlen)) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddr + ').'); return; } }
|
||||
if (obj.agentnonce == null) { obj.unauthsign = msg.substring(4 + certlen); } else { if (processAgentSignature(msg.substring(4 + certlen)) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddrport + ').'); return; } }
|
||||
completeAgentConnection();
|
||||
}
|
||||
else if (cmd == 3) {
|
||||
@ -279,8 +279,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
ws.on('error', function (err) { console.log('AGENT WSERR: ' + err); });
|
||||
|
||||
// If the mesh agent web socket is closed, clean up.
|
||||
ws.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } obj.close(0); });
|
||||
// obj.ws._socket._parent.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent TCP disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } });
|
||||
ws.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } obj.close(0); });
|
||||
// obj.ws._socket._parent.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent TCP disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } });
|
||||
|
||||
// Start authenticate the mesh agent by sending a auth nonce & server TLS cert hash.
|
||||
// Send 384 bits SHA384 hash of TLS cert public key + 384 bits nonce
|
||||
@ -294,8 +294,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
|
||||
// Check that the mesh exists
|
||||
var mesh = obj.parent.meshes[obj.dbMeshKey];
|
||||
if (mesh == null) { console.log('Agent connected with invalid domain/mesh, holding connection (' + obj.remoteaddr + ', ' + obj.dbMeshKey + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
|
||||
if (mesh.mtype != 2) { console.log('Agent connected with invalid mesh type, holding connection (' + obj.remoteaddr + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
|
||||
if (mesh == null) { console.log('Agent connected with invalid domain/mesh, holding connection (' + obj.remoteaddrport + ', ' + obj.dbMeshKey + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
|
||||
if (mesh.mtype != 2) { console.log('Agent connected with invalid mesh type, holding connection (' + obj.remoteaddrport + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
|
||||
|
||||
// Check that the node exists
|
||||
obj.db.Get(obj.dbNodeKey, function (err, nodes) {
|
||||
@ -349,7 +349,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
obj.parent.wsagents[obj.dbNodeKey] = obj;
|
||||
if (dupAgent) {
|
||||
// Close the duplicate agent
|
||||
if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Duplicate agent ' + obj.nodeid + ' (' + obj.remoteaddr + ':' + obj.ws._socket.remotePort + ')'); }
|
||||
if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Duplicate agent ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); }
|
||||
dupAgent.close(3);
|
||||
} else {
|
||||
// Indicate the agent is connected
|
||||
@ -432,7 +432,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
delete obj.agentnonce;
|
||||
delete obj.unauth;
|
||||
if (obj.unauthsign) delete obj.unauthsign;
|
||||
obj.parent.parent.debug(1, 'Verified agent connection to ' + obj.nodeid + ' (' + obj.remoteaddr + ':' + obj.ws._socket.remotePort + ').');
|
||||
obj.parent.parent.debug(1, 'Verified agent connection to ' + obj.nodeid + ' (' + obj.remoteaddrport + ').');
|
||||
obj.authenticated = 1;
|
||||
return true;
|
||||
}
|
||||
@ -442,7 +442,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||
var i;
|
||||
var str = msg.toString('utf8'), command = null;
|
||||
if (str[0] == '{') {
|
||||
try { command = JSON.parse(str); } catch (ex) { console.log('Unable to parse agent JSON (' + obj.remoteaddr + '): ' + str, ex); return; } // If the command can't be parsed, ignore it.
|
||||
try { command = JSON.parse(str); } catch (ex) { console.log('Unable to parse agent JSON (' + obj.remoteaddrport + '): ' + str, ex); return; } // If the command can't be parsed, ignore it.
|
||||
if (typeof command != 'object') { return; }
|
||||
switch (command.action) {
|
||||
case 'msg':
|
||||
|
@ -416,9 +416,11 @@ function CreateMeshCentralServer(config, args) {
|
||||
var forgeCert = obj.certificateOperations.forge.pki.certificateFromAsn1(obj.certificateOperations.forge.asn1.fromDer(cert.raw.toString('binary')));
|
||||
var hash = obj.certificateOperations.forge.pki.getPublicKeyFingerprint(forgeCert.publicKey, { md: obj.certificateOperations.forge.md.sha384.create(), encoding: 'hex' });
|
||||
xdomain.certhash = hash;
|
||||
console.log('Loaded RSA web certificate at ' + url + ', SHA384: ' + xdomain.certhash + '.');
|
||||
} catch (ex) {
|
||||
// This may be a ECDSA certificate, hash the entire cert
|
||||
xdomain.certhash = obj.crypto.createHash('sha384').update(cert.raw).digest('hex');
|
||||
console.log('Loaded non-RSA web certificate at ' + url + ', SHA384: ' + xdomain.certhash + '.');
|
||||
}
|
||||
} else {
|
||||
console.log('Failed to load web certificate at: ' + url);
|
||||
|
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "meshcentral",
|
||||
"version": "0.2.2-o",
|
||||
"version": "0.2.2-p",
|
||||
"keywords": [
|
||||
"Remote Management",
|
||||
"Intel AMT",
|
||||
|
37
webserver.js
37
webserver.js
@ -178,23 +178,16 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
// Setup middleware
|
||||
obj.app.engine('handlebars', obj.exphbs({})); // defaultLayout: 'main'
|
||||
obj.app.set('view engine', 'handlebars');
|
||||
if (obj.args.tlsoffload) { obj.app.set('trust proxy', obj.args.tlsoffload); } // Reverse proxy should add the "X-Forwarded-*" headers
|
||||
obj.app.use(obj.bodyParser.urlencoded({ extended: false }));
|
||||
if (obj.args.sessiontime != null) {
|
||||
obj.app.use(obj.session({
|
||||
name: 'xid', // Recommanded security practice to not use the default cookie name
|
||||
httpOnly: true,
|
||||
keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
|
||||
secure: (obj.args.notls != true), // Use this cookie only over TLS
|
||||
maxAge: (obj.args.sessiontime * 60 * 1000) // Number of minutes
|
||||
}));
|
||||
} else {
|
||||
obj.app.use(obj.session({
|
||||
name: 'xid', // Recommanded security practice to not use the default cookie name
|
||||
httpOnly: true,
|
||||
keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
|
||||
secure: (obj.args.notls != true) // Use this cookie only over TLS
|
||||
}));
|
||||
var sessionOptions = {
|
||||
name: 'xid', // Recommanded security practice to not use the default cookie name
|
||||
httpOnly: true,
|
||||
keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
|
||||
secure: (obj.args.notls != true) // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html)
|
||||
}
|
||||
if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); }
|
||||
obj.app.use(obj.session(sessionOptions));
|
||||
|
||||
// Session-persisted message middleware
|
||||
obj.app.use(function (req, res, next) {
|
||||
@ -283,9 +276,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
function checkUserIpAddressEx(req, res, allowedIpList) {
|
||||
if (allowedIpList == null) { return true; }
|
||||
try {
|
||||
var ip = null, type = 0;
|
||||
if (req.connection) { ip = req.connection.remoteAddress; type = 1; } // HTTP(S) request
|
||||
else if (req._socket) { ip = req._socket.remoteAddress; type = 2; } // WebSocket request
|
||||
var ip = req.ip, type = 0;
|
||||
if (req.connection) { type = 1; } // HTTP(S) request
|
||||
else if (req._socket) { type = 2; } // WebSocket request
|
||||
if (ip.startsWith('::ffff:')) { ip = ip.substring(7); } // Fix IPv4 IP's encoded in IPv6 form
|
||||
if ((ip != null) && (allowedIpList.indexOf(ip) >= 0)) { return true; }
|
||||
if (type == 1) { res.sendStatus(401); }
|
||||
@ -343,7 +336,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
user.login = Date.now();
|
||||
obj.db.SetUser(user);
|
||||
|
||||
|
||||
// Regenerate session when signing in to prevent fixation
|
||||
//req.session.regenerate(function () {
|
||||
// Store the user's primary key in the session store to be retrieved, or in this case the entire user object
|
||||
@ -369,6 +361,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
res.redirect(domain.url);
|
||||
});
|
||||
*/
|
||||
res.redirect(domain.url); // Temporary
|
||||
} else {
|
||||
res.redirect(domain.url);
|
||||
}
|
||||
@ -743,7 +736,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
if (obj.args.lanonly == true) { features += 2; } // LAN-only mode
|
||||
if (obj.args.nousers == true) { features += 4; } // Single user mode
|
||||
if (domain.userQuota == -1) { features += 8; } // No server files mode
|
||||
if (obj.args.tlsoffload == true) { features += 16; } // No mutual-auth CIRA
|
||||
if (obj.args.tlsoffload) { features += 16; } // No mutual-auth CIRA
|
||||
if ((parent.config != null) && (parent.config.settings != null) && (parent.config.settings.allowframing == true)) { features += 32; } // Allow site within iframe
|
||||
if ((obj.parent.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName != 'un-configured') && (obj.args.lanonly != true)) { features += 64; } // Email invites
|
||||
if (obj.args.webrtc == true) { features += 128; } // Enable WebRTC (Default false for now)
|
||||
@ -1405,7 +1398,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
if (auth.response === obj.common.ComputeDigesthash(auth.username, amtpass, auth.realm, "POST", auth.uri, auth.qop, auth.nonce, auth.nc, auth.cnonce)) {
|
||||
|
||||
// This is an authenticated Intel AMT event, update the host address
|
||||
var amthost = req.connection.remoteAddress;
|
||||
var amthost = req.ip;
|
||||
if (amthost.substring(0, 7) === '::ffff:') { amthost = amthost.substring(7); }
|
||||
if (node.host != amthost) {
|
||||
// Get the mesh for this device
|
||||
@ -1773,6 +1766,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
// Two more headers to take a look at:
|
||||
// 'Public-Key-Pins': 'pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; max-age=10'
|
||||
// 'strict-transport-security': 'max-age=31536000; includeSubDomains'
|
||||
/*
|
||||
var headers = null;
|
||||
if (obj.args.notls) {
|
||||
// Default headers if no TLS is used
|
||||
@ -1783,6 +1777,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
}
|
||||
if (parent.config.settings.accesscontrolalloworigin != null) { headers['Access-Control-Allow-Origin'] = parent.config.settings.accesscontrolalloworigin; }
|
||||
res.set(headers);
|
||||
*/
|
||||
return next();
|
||||
}
|
||||
});
|
||||
|
Loading…
Reference in New Issue
Block a user