Ylian Saint-Hilaire 2022-08-24 13:06:48 -07:00
commit a357f0d13f
11 changed files with 90 additions and 10 deletions

View File

@ -1,12 +1,10 @@
# Uses proxy protocol in HAProxy in combination with SNI to preserve the original host address
# Update the config.json to work with HAProxy
# Specify the IP addrehostname that the traffic will come from HAProxy (this might not be the address that is bound to the listener)
# "tlsOffload": "10.1.1.10",
#
# Specify the hostname and port that has the public certificate
# "tlsOffload": "https://mc.publicdomain.com:443",
#
# Specify the IP address of the HAProxy instance (this might not be the address that is bound to the listener).
# "TrustedProxy": "10.1.1.10",
# Specify the HAPRoxy URL with the hostname to get the certificate
# "certUrl": "https://mc.publicdomain.com:443/"
frontend sni-front
bind 10.1.1.10:443
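Review bot: the comment block describes `tlsOffload` twice with different value types (an IP address, `10.1.1.10`, and a URL, `https://mc.publicdomain.com:443`), which leaves it unclear which form the setting expects; keep one example and, if both are valid, say when each applies. In the same block, `addrehostname` should read `address/hostname`, `HAPRoxy` should read `HAProxy`, and `"TrustedProxy"` is spelled `"trustedProxy"` further down the file, so pick one casing.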
@ -38,3 +36,9 @@ backend mc-back-HTTPS
option http-server-close
server mc-01 10.1.1.30:443 check port 443 verify none
# In the event that it is required to have TLS between HAProxy and Meshcentral,
# Remove the tls_Offload line and replace with trustedProxy
# Specify the IP addrehostname that the traffic will come from HAProxy (this might not be the address that is bound to the listener)
# "trustedProxy": "10.1.1.10",
# and change the last line of backend mc-back-HTTPS to use HTTPS by adding the ssl keyword
# server mc-01 10.1.1.30:443 check ssl port 443 verify none
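Review bot: `verify none` on the suggested `server mc-01 10.1.1.30:443 check ssl port 443 verify none` line means HAProxy will not validate the MeshCentral certificate, so the TLS hop between the two gains confidentiality but not authentication of the backend; either say so in the comment or show the `verify required` form with a `ca-file` pointing at the MeshCentral CA. Also `tls_Offload` on the first comment line should be `tlsOffload` to match the key used at the top of the file, and `addrehostname` repeats the typo from there.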

View File

@ -31,6 +31,13 @@ Default Install Path: `/usr/local/mesh_services/meshagent/meshagent`
Launches from `/Library/LaunchAgents/meshagent.plist`
Controlling agent
```bash
launchctl stop meshagent
launchctl start meshagent
```
## Apple macOS Universal
For OSx 11+ including Big Sur, Monterey and later
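Review bot: `OSx 11+` should read `macOS 11+`, and `Controlling agent` reads as a fragment (`Controlling the agent:`). Since the agent `Launches from /Library/LaunchAgents/meshagent.plist`, which is loaded per user session rather than system-wide, it is worth stating which user the `launchctl stop meshagent` / `launchctl start meshagent` commands must be run as.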

View File

@ -42,6 +42,7 @@ See description for information about each item.
}
}
},
"sqlite3": { "type": "boolean", "default": false, "description": "Set true to use SQLite3 as a local MeshCentral database." },
"mySQL": {
"type": "object",
"description": "Add this section to connect MeshCentral to a MySQL database instance.",
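Review bot: the new `sqlite3` entry does not say how it interacts with the other database sections in this schema (`mySQL`, PostgreSQL, `acebase`) when more than one is configured, nor where the SQLite file is created; a sentence on precedence and file location would make the option self-describing.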
@ -75,6 +76,11 @@ See description for information about each item.
"database": { "type": "string", "default": "meshcentral", "description": "Name of PostgreSQL database used" }
}
},
"acebase": {
"type": "object",
"description": "Add this section to enable AceBase database support, this is a local database system much like NeDB.",
"properties": { "sponsor": { "type": "boolean", "default": false, "description": "Set true to remove the AceBase banner on startup." } }
},
"WANonly": { "type": "boolean", "default": false, "description": "When enabled, only MeshCentral WAN features are enabled and agents will connect to the server using a well known DNS name." },
"LANonly": { "type": "boolean", "default": false, "description": "When enabled, only MeshCentral LAN features are enabled and agents will find the server using multicast LAN packets." },
"maintenanceMode": { "type": "boolean", "default": false, "description": "When enabled the server is in maintenance mode, only administrators can login. Use the maintenance command in server console to change." },
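Review bot: the `acebase` description has a comma splice (`...database support, this is a local database system...`); suggest `Add this section to enable AceBase database support; AceBase is a local database system much like NeDB.` The `sponsor` property only says it removes the startup banner, so consider stating whether it has any effect beyond the banner.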
@ -581,13 +587,14 @@ See description for information about each item.
"additionalProperties": false,
"description": "Use this section to set resource metadata of the Windows agents prior to signing. In Windows, you can right-click and select properties to view these values.",
"properties": {
"icon": { "type": "string", "description": "Sets the agent icon, this is the name of a .ico file with the file placed in the meshcentral-data folder." },
"fileDescription": { "type": "string", "description": "Executable file description." },
"fileVersion": { "type": "string", "description": "Executable file version, generally in the form of 1.2.3.4." },
"fileVersion": { "type": "string", "description": "Executable file version, in the form of 'n.n.n.n', for example: '1.2.3.4'." },
"internalName": { "type": "string", "description": "Executable internal name." },
"legalCopyright": { "type": "string", "description": "Executable legal copyright." },
"originalFilename": { "type": "string", "description": "Executable original file name." },
"productName": { "type": "string", "description": "Executable product name." },
"productVersion": { "type": "string", "description": "Executable product version, generally in the form of 1.2.3.4." }
"productVersion": { "type": "string", "description": "Executable product version. Any string format will work, but a alphabetic character is required for this value to show correctly in the Windows property box. For example: 'v1.2.3.4' will work, but '1.2.3.4' will not." }
}
},
"assistantCustomization": {
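Review bot: in the `productVersion` description, `a alphabetic character` should read `an alphabetic character`. The tightened `fileVersion` wording (`'n.n.n.n'`, for example `'1.2.3.4'`) is clearer than the old `generally in the form of`.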
@ -934,6 +941,7 @@ See description for information about each item.
"additionalProperties": false,
"properties": {
"log": { "type": "string" },
"strictCommonName": { "type": "boolean", "default": false, "description": "When set to true, the certificate common name needs to match exactly the Intel AMT trusted FQDN or DHCP Option 15. If false, some flexibility may be given to the matching." },
"certs": {
"type": "object",
"additionalProperties": {
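Review bot: `strictCommonName` is a certificate-validation switch whose default (`false`) selects the relaxed mode, yet the description only says `some flexibility may be given to the matching`; state exactly what the relaxed match accepts (for example whether a wildcard or a partial hostname match passes) so an administrator can judge the exposure of leaving it off. If the relaxed matching exists for legacy Intel AMT setups, saying so and recommending `true` for new deployments would help.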
@ -1265,5 +1273,4 @@ See description for information about each item.
},
"required": [ "settings", "domains" ]
}
```

View File

@ -37,7 +37,7 @@ cd C:\Program Files\Open Source\MeshCentral\node_modules\meshcentral
node meshcentral
```
The problem with the second command is that NPM may install missing modules are the incorrect location.
The problem with the second command is that NPM may install missing modules in the incorrect location.
Also, in general I recommend not using the MeshCentral MSI Installer and just install manually unless you are very much scared of the command prompt. Anyone that knows about bit about the shell should install MeshCentral like this:
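Review bot: `Anyone that knows about bit about the shell` should read `Anyone that knows a bit about the shell`, and `just install manually` should be `just installing manually` to parallel `not using`. The typo fix on the line above (`are the incorrect location` to `in the incorrect location`) is correct.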
@ -203,6 +203,12 @@ service meshcentral restart
## MeshAgent
Troubleshooting agent
```bash
./meshagent -state
```
### Agent Debug Logs to server
This automatically downloads all agent error logs into `meshcentral-data/agenterrorlogs.txt`
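Review bot: `Troubleshooting agent` reads as a fragment (`Troubleshooting the agent:`), and `./meshagent -state` is shown without saying what it reports; one line describing the output makes the section usable. In `Agent Debug Logs to server`, the sentence `This automatically downloads all agent error logs into ...` has no visible subject in this hunk, so check that the following lines name the setting or command that enables it.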

Binary file not shown.


View File

@ -577,6 +577,42 @@ IP addresses are separated by a comma. As a result, only users coming these IP a
**Note**: When IP address whitelist is effective, Mesh Agent connection from any IP address will be not affected.
You can also use files for IP lists
```json
"userAllowedIp": "file:userallowedips.txt",
"userBlockedIp": "file:userblockedips.txt",
"agentAllowedIp": "file:agentallowedips.txt"
```
Place the file in the `meshcentral-data` folder.
All the lines that start with a number or `:` will be used, everything else is ignored. So, you can put comments anyway you like, but probably best to start then with a `#` or something to make it clear.
```txt
# My list of blocked IP's
185.101.70.0/24
185.46.85.0/24
37.9.44.0/24
37.9.45.0/24
5.189.205.0/24
5.189.206.0/24
5.189.207.0/24
5.62.153.0/24
5.62.156.0/24
5.62.158.0/24
# One more list
5.8.44.0/24
5.8.45.0/24
5.8.46.0/24
79.110.28.0/24
79.110.31.0/24
91.204.14.0/24
95.181.218.0/24
95.85.81.0/24
```
## Email Setup
We highly recommend the use of an email server (SMTP) because we could allow MeshCentral to verify user accounts email address by sending a confirmation request to the user to complete the account registration and for password recovery, should a user forget account password as illustrated below
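Review bot: the parsing rule `All the lines that start with a number or `:` will be used` would skip IPv6 entries that begin with a hex letter (for example `fe80::/10` or `2a00:...`); check whether the loader also accepts lines starting with `a`-`f`, and if it does, say so here, because a silently ignored blocklist line is a security gap rather than a cosmetic one. Also `start then with a #` should read `start them with a #`, `comments anyway you like` should be `any way you like`, and the **Note** line should read `will not be affected`.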
@ -1155,6 +1191,18 @@ To get this features setup, users will need to go to the “My Account” tab or
Note that if a user performs a password recovery using email, the 2-step authentication is then turned off and will need to be turned on again. This is not idea as someone being able to intercept the users email could still log into the web site. Users should make sure to properly protect their email account.
Another form of MFA or Multi-factor Authentication is hardware based OTP (One Time Password) solution providing 2FA or Two-factor authentication. Yubikey is fully supported in MeshCentral.
<div class="video-wrapper">
<iframe width="320" height="180" src="https://www.youtube.com/embed/FvDHlcdNepQ" frameborder="0" allowfullscreen></iframe>
</div>
And taking authentication to the next step is removing the login page entirely. Use LoginKey 3FA with MeshCentral.
<div class="video-wrapper">
<iframe width="320" height="180" src="https://www.youtube.com/embed/-WKY8Wy0Huk" frameborder="0" allowfullscreen></iframe>
</div>
## Branding & Terms of use
Once MeshCentral is setup, you may want to customize the web site with your own brand and terms of use. This is important to personalize the web site to your organization. We also want to customize the web site in such a way that updating to the latest version will keep the branding as-is.
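Review bot: `This is not idea` should be `This is not ideal`, `the users email` should be `the user's email`, and `hardware based OTP` should be hyphenated (`hardware-based`). Since the paragraph already states that an email-based password recovery turns 2-step authentication off, it would be worth saying whether the user is notified when that happens, as that notification is the signal a user has to detect a takeover through their mailbox.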
@ -1194,6 +1242,10 @@ If, for example, MeshCentral is running on a Raspberry Pi. You may want to put a
This is great to personalize the look of the server within the web site.
### Agent Branding
![](images/2022-08-24-06-42-40.png)
### Terms of use
You can change the terms of use of the web site by adding a “terms.txt” file in the “meshcentral-data” folder. The file can include HTML markup. Once set, the server does not need to be restarted, the updated terms.txt file will get used the next time its requested.
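Review bot: the `Agent Branding` heading is followed only by an image (`images/2022-08-24-06-42-40.png`) with no alt text and no explanation of which settings produce what is shown; add alt text and at least a sentence naming the configuration keys involved. Timestamp-named image files are also hard to maintain; a descriptive name such as the one used for `images/ldap_integration.png` later in this file is easier to keep track of.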
@ -1404,6 +1456,10 @@ Before you get started, your MeshCentral server must be publicly facing on the i
### LDAP
<div class="video-wrapper">
<iframe width="320" height="180" src="https://www.youtube.com/embed/UQMbNQk85g8" frameborder="0" allowfullscreen></iframe>
</div>
You can integrate LDAP using [these](https://github.com/Ylianst/MeshCentral/blob/f05eb9a198bed249c2b1a969ce17a41404ef70a6/meshcentral-config-schema.json#L505-L513) configuration options
![](images/ldap_integration.png)
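Review bot: the LDAP link pins a specific commit (`f05eb9a198bed249c2b1a969ce17a41404ef70a6`) and line range (`#L505-L513`) of `meshcentral-config-schema.json`, which will go stale as the schema grows (this very commit adds lines to that file); link to the file on the default branch and name the relevant schema section instead of line numbers, and give `images/ldap_integration.png` alt text.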

Binary file not shown.