Added NGNX reverse-proxy support.

This commit is contained in:
Ylian Saint-Hilaire 2018-11-01 15:01:21 -07:00
parent 829d2e9c83
commit 36cddd5652
5 changed files with 39 additions and 42 deletions

View File

@ -39,7 +39,7 @@ module.exports.CertificateOperations = function () {
} else { func(url, null, tag); }
};
// Return the SHA386 hash of the certificate public key
// Return the SHA384 hash of the certificate public key
obj.getPublicKeyHash = function (cert) {
var publickey = obj.pki.certificateFromPem(cert).publicKey;
return obj.pki.getPublicKeyFingerprint(publickey, { encoding: "hex", md: obj.forge.md.sha384.create() });
@ -122,7 +122,7 @@ module.exports.CertificateOperations = function () {
rcount++;
}
if (args.tlsoffload === true) {
if (args.tlsoffload) {
// If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
if (obj.fileExists(parent.getConfigFilePath("webserver-cert-public.crt"))) {
r.web = { cert: obj.fs.readFileSync(parent.getConfigFilePath("webserver-cert-public.crt"), "utf8") };
@ -204,7 +204,7 @@ module.exports.CertificateOperations = function () {
for (i in config.domains) {
if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) {
dnsname = config.domains[i].dns;
if (args.tlsoffload === true) {
if (args.tlsoffload) {
// If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
if (obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt"))) {
r.dns[i] = { cert: obj.fs.readFileSync(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt"), "utf8") };
@ -370,7 +370,7 @@ module.exports.CertificateOperations = function () {
for (i in config.domains) {
if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) {
dnsname = config.domains[i].dns;
if (args.tlsoffload != true) {
if (!args.tlsoffload) {
// If the web certificate does not exist, create it
if ((obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt")) === false) || (obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-private.key")) === false)) {
console.log("Generating HTTPS certificate for " + i + "...");

View File

@ -38,10 +38,10 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
obj.agentInfo = null;
obj.agentUpdate = null;
const agentUpdateBlockSize = 65520;
obj.remoteaddr = obj.ws._socket.remoteAddress;
obj.useSHA386 = false;
obj.agentConnectCount = ++AgentConnectCount;
obj.remoteaddr = req.ip;
if (obj.remoteaddr.startsWith('::ffff:')) { obj.remoteaddr = obj.remoteaddr.substring(7); }
obj.remoteaddrport = obj.remoteaddr + ':' + obj.ws._socket.remotePort;
obj.agentConnectCount = ++AgentConnectCount;
ws._socket.setKeepAlive(true, 240000); // Set TCP keep alive, 4 minutes
// Send a message to the mesh agent
@ -49,8 +49,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
// Disconnect this agent
obj.close = function (arg) {
if ((arg == 1) || (arg == null)) { try { obj.ws.close(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Soft disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } } catch (e) { console.log(e); } } // Soft close, close the websocket
if (arg == 2) { try { obj.ws._socket._parent.end(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Hard disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } } catch (e) { console.log(e); } } // Hard close, close the TCP socket
if ((arg == 1) || (arg == null)) { try { obj.ws.close(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Soft disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } } catch (e) { console.log(e); } } // Soft close, close the websocket
if (arg == 2) { try { obj.ws._socket._parent.end(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Hard disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } } catch (e) { console.log(e); } } // Hard close, close the TCP socket
if (arg == 3) { obj.authenticated = -1; } // Don't communicate with this agent anymore, but don't disconnect (Duplicate agent).
if (obj.parent.wsagents[obj.dbNodeKey] == obj) {
delete obj.parent.wsagents[obj.dbNodeKey];
@ -197,8 +197,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
if ((msg.length != 98) || ((obj.receivedCommands & 1) != 0)) return;
obj.receivedCommands += 1; // Agent can't send the same command twice on the same connection ever. Block DOS attack path.
// Check that the server hash matches our own web certificate hash (SHA386)
if (getWebCertHash(obj.domain) != msg.substring(2, 50)) { console.log('Agent connected with bad web certificate hash (' + (new Buffer(getWebCertHash(obj.domain), 'binary').toString('hex').substring(0, 10)) + ' != ' + (new Buffer(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddr + ').'); return; }
// Check that the server hash matches our own web certificate hash (SHA384)
if (getWebCertHash(obj.domain) != msg.substring(2, 50)) { console.log('Agent connected with bad web certificate hash (' + (new Buffer(getWebCertHash(obj.domain), 'binary').toString('hex').substring(0, 10)) + ' != ' + (new Buffer(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddrport + ').'); return; }
// Use our server private key to sign the ServerHash + AgentNonce + ServerNonce
obj.agentnonce = msg.substring(50, 98);
@ -223,7 +223,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
// Check the agent signature if we can
if (obj.unauthsign != null) {
if (processAgentSignature(obj.unauthsign) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddr + ').'); return; } else { completeAgentConnection(); }
if (processAgentSignature(obj.unauthsign) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddrport + ').'); return; } else { completeAgentConnection(); }
}
}
else if (cmd == 2) {
@ -238,7 +238,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
obj.unauth.nodeCertPem = '-----BEGIN CERTIFICATE-----\r\n' + new Buffer(msg.substring(4, 4 + certlen), 'binary').toString('base64') + '\r\n-----END CERTIFICATE-----';
// Check the agent signature if we can
if (obj.agentnonce == null) { obj.unauthsign = msg.substring(4 + certlen); } else { if (processAgentSignature(msg.substring(4 + certlen)) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddr + ').'); return; } }
if (obj.agentnonce == null) { obj.unauthsign = msg.substring(4 + certlen); } else { if (processAgentSignature(msg.substring(4 + certlen)) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddrport + ').'); return; } }
completeAgentConnection();
}
else if (cmd == 3) {
@ -279,8 +279,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
ws.on('error', function (err) { console.log('AGENT WSERR: ' + err); });
// If the mesh agent web socket is closed, clean up.
ws.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } obj.close(0); });
// obj.ws._socket._parent.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent TCP disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } });
ws.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } obj.close(0); });
// obj.ws._socket._parent.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent TCP disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } });
// Start authenticate the mesh agent by sending a auth nonce & server TLS cert hash.
// Send 384 bits SHA384 hash of TLS cert public key + 384 bits nonce
@ -294,8 +294,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
// Check that the mesh exists
var mesh = obj.parent.meshes[obj.dbMeshKey];
if (mesh == null) { console.log('Agent connected with invalid domain/mesh, holding connection (' + obj.remoteaddr + ', ' + obj.dbMeshKey + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
if (mesh.mtype != 2) { console.log('Agent connected with invalid mesh type, holding connection (' + obj.remoteaddr + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
if (mesh == null) { console.log('Agent connected with invalid domain/mesh, holding connection (' + obj.remoteaddrport + ', ' + obj.dbMeshKey + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
if (mesh.mtype != 2) { console.log('Agent connected with invalid mesh type, holding connection (' + obj.remoteaddrport + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
// Check that the node exists
obj.db.Get(obj.dbNodeKey, function (err, nodes) {
@ -349,7 +349,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
obj.parent.wsagents[obj.dbNodeKey] = obj;
if (dupAgent) {
// Close the duplicate agent
if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Duplicate agent ' + obj.nodeid + ' (' + obj.remoteaddr + ':' + obj.ws._socket.remotePort + ')'); }
if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Duplicate agent ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); }
dupAgent.close(3);
} else {
// Indicate the agent is connected
@ -432,7 +432,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
delete obj.agentnonce;
delete obj.unauth;
if (obj.unauthsign) delete obj.unauthsign;
obj.parent.parent.debug(1, 'Verified agent connection to ' + obj.nodeid + ' (' + obj.remoteaddr + ':' + obj.ws._socket.remotePort + ').');
obj.parent.parent.debug(1, 'Verified agent connection to ' + obj.nodeid + ' (' + obj.remoteaddrport + ').');
obj.authenticated = 1;
return true;
}
@ -442,7 +442,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
var i;
var str = msg.toString('utf8'), command = null;
if (str[0] == '{') {
try { command = JSON.parse(str); } catch (ex) { console.log('Unable to parse agent JSON (' + obj.remoteaddr + '): ' + str, ex); return; } // If the command can't be parsed, ignore it.
try { command = JSON.parse(str); } catch (ex) { console.log('Unable to parse agent JSON (' + obj.remoteaddrport + '): ' + str, ex); return; } // If the command can't be parsed, ignore it.
if (typeof command != 'object') { return; }
switch (command.action) {
case 'msg':

View File

@ -416,9 +416,11 @@ function CreateMeshCentralServer(config, args) {
var forgeCert = obj.certificateOperations.forge.pki.certificateFromAsn1(obj.certificateOperations.forge.asn1.fromDer(cert.raw.toString('binary')));
var hash = obj.certificateOperations.forge.pki.getPublicKeyFingerprint(forgeCert.publicKey, { md: obj.certificateOperations.forge.md.sha384.create(), encoding: 'hex' });
xdomain.certhash = hash;
console.log('Loaded RSA web certificate at ' + url + ', SHA384: ' + xdomain.certhash + '.');
} catch (ex) {
// This may be a ECDSA certificate, hash the entire cert
xdomain.certhash = obj.crypto.createHash('sha384').update(cert.raw).digest('hex');
console.log('Loaded non-RSA web certificate at ' + url + ', SHA384: ' + xdomain.certhash + '.');
}
} else {
console.log('Failed to load web certificate at: ' + url);

View File

@ -1,6 +1,6 @@
{
"name": "meshcentral",
"version": "0.2.2-o",
"version": "0.2.2-p",
"keywords": [
"Remote Management",
"Intel AMT",

View File

@ -178,23 +178,16 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Setup middleware
obj.app.engine('handlebars', obj.exphbs({})); // defaultLayout: 'main'
obj.app.set('view engine', 'handlebars');
if (obj.args.tlsoffload) { obj.app.set('trust proxy', obj.args.tlsoffload); } // Reverse proxy should add the "X-Forwarded-*" headers
obj.app.use(obj.bodyParser.urlencoded({ extended: false }));
if (obj.args.sessiontime != null) {
obj.app.use(obj.session({
var sessionOptions = {
name: 'xid', // Recommanded security practice to not use the default cookie name
httpOnly: true,
keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
secure: (obj.args.notls != true), // Use this cookie only over TLS
maxAge: (obj.args.sessiontime * 60 * 1000) // Number of minutes
}));
} else {
obj.app.use(obj.session({
name: 'xid', // Recommanded security practice to not use the default cookie name
httpOnly: true,
keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
secure: (obj.args.notls != true) // Use this cookie only over TLS
}));
secure: (obj.args.notls != true) // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html)
}
if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); }
obj.app.use(obj.session(sessionOptions));
// Session-persisted message middleware
obj.app.use(function (req, res, next) {
@ -283,9 +276,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
function checkUserIpAddressEx(req, res, allowedIpList) {
if (allowedIpList == null) { return true; }
try {
var ip = null, type = 0;
if (req.connection) { ip = req.connection.remoteAddress; type = 1; } // HTTP(S) request
else if (req._socket) { ip = req._socket.remoteAddress; type = 2; } // WebSocket request
var ip = req.ip, type = 0;
if (req.connection) { type = 1; } // HTTP(S) request
else if (req._socket) { type = 2; } // WebSocket request
if (ip.startsWith('::ffff:')) { ip = ip.substring(7); } // Fix IPv4 IP's encoded in IPv6 form
if ((ip != null) && (allowedIpList.indexOf(ip) >= 0)) { return true; }
if (type == 1) { res.sendStatus(401); }
@ -343,7 +336,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
user.login = Date.now();
obj.db.SetUser(user);
// Regenerate session when signing in to prevent fixation
//req.session.regenerate(function () {
// Store the user's primary key in the session store to be retrieved, or in this case the entire user object
@ -369,6 +361,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
res.redirect(domain.url);
});
*/
res.redirect(domain.url); // Temporary
} else {
res.redirect(domain.url);
}
@ -743,7 +736,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (obj.args.lanonly == true) { features += 2; } // LAN-only mode
if (obj.args.nousers == true) { features += 4; } // Single user mode
if (domain.userQuota == -1) { features += 8; } // No server files mode
if (obj.args.tlsoffload == true) { features += 16; } // No mutual-auth CIRA
if (obj.args.tlsoffload) { features += 16; } // No mutual-auth CIRA
if ((parent.config != null) && (parent.config.settings != null) && (parent.config.settings.allowframing == true)) { features += 32; } // Allow site within iframe
if ((obj.parent.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName != 'un-configured') && (obj.args.lanonly != true)) { features += 64; } // Email invites
if (obj.args.webrtc == true) { features += 128; } // Enable WebRTC (Default false for now)
@ -1405,7 +1398,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
if (auth.response === obj.common.ComputeDigesthash(auth.username, amtpass, auth.realm, "POST", auth.uri, auth.qop, auth.nonce, auth.nc, auth.cnonce)) {
// This is an authenticated Intel AMT event, update the host address
var amthost = req.connection.remoteAddress;
var amthost = req.ip;
if (amthost.substring(0, 7) === '::ffff:') { amthost = amthost.substring(7); }
if (node.host != amthost) {
// Get the mesh for this device
@ -1773,6 +1766,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Two more headers to take a look at:
// 'Public-Key-Pins': 'pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; max-age=10'
// 'strict-transport-security': 'max-age=31536000; includeSubDomains'
/*
var headers = null;
if (obj.args.notls) {
// Default headers if no TLS is used
@ -1783,6 +1777,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
}
if (parent.config.settings.accesscontrolalloworigin != null) { headers['Access-Control-Allow-Origin'] = parent.config.settings.accesscontrolalloworigin; }
res.set(headers);
*/
return next();
}
});