diff --git a/docs/Example configs/haproxy-with-client-certs.cfg.example b/docs/Example configs/haproxy-with-client-certs.cfg.example new file mode 100644 index 00000000..6d6d3280 --- /dev/null +++ b/docs/Example configs/haproxy-with-client-certs.cfg.example 
@@ -0,0 +1,284 @@ +# This example config is designed for HAProxy. It allows MeshCentral to use and validate Client Certificates. +# Usernames/Passwords are still required. This will provide a layer for authorization. +# +# The MeshID enviorment variable is used for the binary paths. Simply put your MeshID for an incoming group +# into this variable and the binary paths will use the ID for downloading the agent directly to the client. +# Simply type in your specific url (https://reallycoolmeshsystem.com/win10full) and the agent will download +# with the proper meshid for the specified group. In my usage, I have an incoming group assigned. +# +# The config also ensures a split between IPv4 and IPv6. Thus if a client attempts to connect on IPv4, +# it will connect to Meshcentral with IPv4. And if IPv6 is used, IPv6 connection to Meshcentral will be used. +# This config is written in *long* form, it is written for simplicity and clarity. I'm confident that someone +# can shorten the script size easily. +# +# Please examine the MeshID, location of the certificates, certificate names and OU test for the certificates. +# CRL and guest connections are not integrated yet. 
+# +# +# The following specific path names do not require a validated client certificate: +# +# /win10background - Windows 10 Background Binary Installer +# /win10full - Windows 10 Binary Interactive and Background Installer +# /macosxfull - MacOS 10 Binary Interactive and Background Installer +# /linuxscript - Linux Script ( See Docs) +# /linux64full - Linux AMD64 Binary Interactive and Background Installer +# /linux64background - Linux AMD64 Binary Background Installer +# /linuxarmfull - Linux ARMhf Binary Interactive and Background Installer +# /linuxarmbackground - Linux ARMhf Binary Background Installer +# +# /agent.ashx - Agent to server connection (Websockets) +# /meshrelay.ashx - Agent to server relay +# /meshagents - Default agent download path +# /meshosxagent - Default agent download path for Mac OS X + + +global + log /dev/log local0 + log /dev/log local1 info + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 30s + user haproxy + group haproxy + daemon + + # Set the meshID to the incoming group ID + setenv meshID {{really long mesh group ID}} + + # Default SSL material locations + # Probably needs a more secure location + ca-base /etc/haproxy/ + crt-base /etc/haproxy/ + + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). 
This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + # An alternative list with additional directives can be obtained from + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 + + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +frontend http + bind :::80 v4v6 + redirect scheme http code 301 if !{ ssl_fc } + +frontend https + # Replace Root-ca.pem and mesh.pem with proper certs + bind :::443 v4v6 ssl crt mesh.pem ca-file Root-ca.pem verify optional crt-ignore-err all ca-ignore-err all + http-request add-header X-Forwarded-Proto https + +# Testing for Client Certificate used + acl clientssl ssl_c_used + +# Set SSL Cert OU here to verify a proper user + acl clientssl ssl_c_s_dn(OU) "Bad Ass Mesh Services Inc" + +# Agents for download + acl meshagent path_beg /meshagents + acl macmeshagent path_beg /meshosxagent + +# IPV4 vs IPV6 test + acl meshipv4 src 0.0.0.0/0 + acl meshipv6 src ::/0 + +# Websockets ACL + acl host_ws path_beg /agent.ashx + +# MeshRelay + acl meshrelay path_beg /meshrelay.ashx + +# Specific Agent installers for each platform + acl winback path_beg /win10background + acl winfull path_beg /win10full + acl macosx path_beg /macosxfull + acl linuxscript path_beg /linuxscript + acl linux64full path_beg /linux64full + acl linux64back path_beg /linux64background + acl linuxarmfull path_beg /linuxarmfull + acl linuxarmback 
path_beg /linuxarmbackground + +# WebSockets + use_backend meshWebSocket4 if host_ws meshipv4 !clientssl + use_backend meshWebSocket6 if host_ws meshipv6 !clientssl + +# Mesh Relay + use_backend meshcentralv4 if meshrelay meshipv4 + use_backend meshcentralv6 if meshrelay meshipv6 + +# Client SSL Specific + use_backend meshcentralv4 if meshipv4 !meshagent !macmeshagent clientssl + use_backend meshcentralv6 if meshipv6 !meshagent !macmeshagent clientssl + +# Direct Mesh Agent download + use_backend meshcentralv4 if meshipv4 meshagent + use_backend meshcentralv6 if meshipv6 meshagent + + use_backend meshcentralv4 if meshipv4 macmeshagent + use_backend meshcentralv6 if meshipv6 macmeshagent + +# Windows Custom Download + use_backend Win10full4 if meshipv4 winfull + use_backend Win10full6 if meshipv6 winfull + + use_backend Win10back4 if meshipv4 winback + use_backend Win10back6 if meshipv6 winback + +# Mac CUstom Download + use_backend macosx4 if meshipv4 macosx + use_backend macosx6 if meshipv6 macosx + +# Linux Script Custom Download + use_backend linuxSCRIPT4 if meshipv4 linuxscript + use_backend linuxSCRIPT6 if meshipv6 linuxscript + +# Linux Script Custom Download + use_backend linux64-bin-full4 if meshipv4 linux64full + use_backend linux64-bin-full6 if meshipv6 linux64full + + use_backend linux64-bin-back4 if meshipv4 linux64back + use_backend linux64-bin-back6 if meshipv6 linux64back + + use_backend linuxarm-bin-full4 if meshipv4 linuxarmfull + use_backend linuxarm-bin-full6 if meshipv6 linuxarmfull + + use_backend linuxarm-bin-back4 if meshipv4 linuxarmback + use_backend linuxarm-bin-back6 if meshipv6 linuxarmback +# Fail if none of the above + http-request deny if !macmeshagent !meshagent !clientssl !host_ws !winback !winfull !macosx !linuxscript !linux64full !linux64back !linuxarmfull !linuxarmback !meshrelay + + +# Websockets +backend meshWebSocket4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + server ipv4 127.0.0.1:444 + +backend 
meshWebSocket6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + server ipv6 [::1]:444 + +# Standard Interface +backend meshcentralv4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + server ipv4 127.0.0.1:444 + +backend meshcentralv6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + server ipv6 [::1]:444 + +# Windows Agent Download +backend Win10back4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=4&meshid=%[env(meshID)]&installflags=2 + server ipv4 127.0.0.1:444 + +backend Win10back6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=4&meshid=%[env(meshID)]&installflags=2 + server ipv6 [::1]:444 + +backend Win10full4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=4&meshid=%[env(meshdID)]&installflags=0 + server ipv4 127.0.0.1:444 + +backend Win10full6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=4&meshid=%[env(meshID)]&installflags=0 + server ipv6 [::1]:444 + +# MacOS Agent Download +backend macosx6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshosxagents + http-request set-query id=100054&meshid=%[env(meshID)] + server ipv6 [::1]:444 + +backend macosx4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshosxagents + http-request set-query id=100054&meshid=%[env(meshID)] + server ipv4 127.0.0.1:444 + +# Linux Script Downloads +backend linuxSCRIPT6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query scrpot=1 + server ipv6 [::1]:444 + +backend linuxSCRIPT4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query scrpot=1 + 
server ipv4 127.0.0.1:444 + +# Linux Binary Downloads +backend linux64-bin-full6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=6 + server ipv6 [::1]:444 + +backend linux64-bin-full4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=6 + server ipv4 127.0.0.1:444 + +backend linux64-bin-back6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=6 + server ipv6 [::1]:444 + +backend linux64-bin-back4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=6 + server ipv4 127.0.0.1:444 + +backend linuxarm-bin-full6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=25 + server ipv6 [::1]:444 + +backend linuxarm-bin-full4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=25 + server ipv4 127.0.0.1:444 + +backend linuxarm-bin-back6 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=25` + server ipv6 [::1]:444 + +backend linuxarm-bin-back4 + http-request add-header X-Forwarded-Host %[req.hdr(Host)] + http-request set-path /meshagents + http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=25 + server ipv4 127.0.0.1:444
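Review bot: The client-certificate gate in frontend https does not actually validate anything: the two `acl clientssl` lines share one name, which HAProxy evaluates as a logical OR, so `ssl_c_used` alone satisfies it regardless of the OU, and `crt-ignore-err all ca-ignore-err all` on the bind line lets any presented certificate, including a self-signed one, complete the handshake. Dropping the ignore-err options makes `verify optional` abort the handshake for certificates that do not chain to Root-ca.pem, and giving the OU test its own ACL name lets the routing rules require both, as in the excerpt below. In frontend http, `redirect scheme http code 301 if !{ ssl_fc }` sends plain-HTTP clients back to http and loops; it should read `redirect scheme https code 301 if !{ ssl_fc }`. Backend Win10full4 reads `%[env(meshdID)]` where every other backend reads `%[env(meshID)]`, so its meshid is empty, and the set-query line of linuxarm-bin-back6 ends in a stray backtick that becomes part of the query string; `scrpot=1` in the linuxSCRIPT backends and `/meshosxagents` versus the `/meshosxagent` path listed in the header comment look like the same kind of typo but should be checked against the MeshCentral handler before changing.
```haproxy
frontend https
    # Replace Root-ca.pem and mesh.pem with proper certs
    # No ignore-err options: with verify optional, a presented cert that does not chain to Root-ca.pem aborts the handshake
    bind :::443 v4v6 ssl crt mesh.pem ca-file Root-ca.pem verify optional
    # ... unchanged: X-Forwarded-Proto header ...

    # Separate names: ACLs sharing a name are OR-ed, so the OU test must be its own ACL to be AND-ed in the rules below
    acl clientssl ssl_c_used
    acl clientou ssl_c_s_dn(OU) -m str "Bad Ass Mesh Services Inc"
    # ... unchanged: path, IP-family, websocket and relay ACLs ...

    # Client SSL Specific: require both a verified certificate and the expected OU
    use_backend meshcentralv4 if meshipv4 !meshagent !macmeshagent clientssl clientou
    use_backend meshcentralv6 if meshipv6 !meshagent !macmeshagent clientssl clientou
    # ... unchanged: agent download routes ...

    # Reject verified certificates from the wrong OU before the catch-all deny
    http-request deny if clientssl !clientou
    # ... unchanged: catch-all deny ...
```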