# This example config is designed for HAProxy. It allows MeshCentral to use and validate Client Certificates. # Usernames/Passwords are still required. This will provide a layer for authorization. # # The MeshID enviorment variable is used for the binary paths. Simply put your MeshID for an incoming group # into this variable and the binary paths will use the ID for downloading the agent directly to the client. # Simply type in your specific url (https://reallycoolmeshsystem.com/win10full) and the agent will download # with the proper meshid for the specified group. In my usage, I have an incoming group assigned. # # The config also ensures a split between IPv4 and IPv6. Thus if a client attempts to connect on IPv4, # it will connect to Meshcentral with IPv4. And if IPv6 is used, IPv6 connection to Meshcentral will be used. # This config is written in *long* form, it is written for simplicity and clarity. I'm confident that someone # can shorten the script size easily. # # Please examine the MeshID, location of the certificates, certificate names and OU test for the certificates. # CRL and guest connections are not integrated yet. # # # The following specific path names do not require a validated client certificate: # # /win10background - Windows 10 Background Binary Installer # /win10full - Windows 10 Binary Interactive and Background Installer # /macosxfull - MacOS 10 Binary Interactive and Background Installer # /linuxscript - Linux Script ( See Docs) # /linux64full - Linux AMD64 Binary Interactive and Background Installer # /linux64background - Linux AMD64 Binary Background Installer # /linuxarmfull - Linux ARMhf Binary Interactive and Background Installer # /linuxarmbackground - Linux ARMhf Binary Background Installer # # /agent.ashx - Agent to server connection (Websockets) # /meshrelay.ashx - Agent to server relay # /meshagents - Default agent download path # /meshosxagent - Default agent download path for Mac OS X global log /dev/log local0 log /dev/log local1 info chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon # Set the meshID to the incoming group ID setenv meshID {{really long mesh group ID}} # Default SSL material locations # Probably needs a more secure location ca-base /etc/haproxy/ crt-base /etc/haproxy/ # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # An alternative list with additional directives can be obtained from # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3 defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend http bind :::80 v4v6 redirect scheme http code 301 if !{ ssl_fc } frontend https # Replace Root-ca.pem and mesh.pem with proper certs bind :::443 v4v6 ssl crt mesh.pem ca-file Root-ca.pem verify optional crt-ignore-err all ca-ignore-err all http-request add-header X-Forwarded-Proto https # Testing for Client Certificate used acl clientssl ssl_c_used # Set SSL Cert OU here to verify a proper user acl clientssl ssl_c_s_dn(OU) "Bad Ass Mesh Services Inc" # Agents for download acl meshagent path_beg /meshagents acl macmeshagent path_beg /meshosxagent # IPV4 vs IPV6 test acl meshipv4 src 0.0.0.0/0 acl meshipv6 src ::/0 # Websockets ACL acl host_ws path_beg /agent.ashx # MeshRelay acl meshrelay path_beg /meshrelay.ashx # Specific Agent installers for each platform acl winback path_beg /win10background acl winfull path_beg /win10full acl macosx path_beg /macosxfull acl linuxscript path_beg /linuxscript acl linux64full path_beg /linux64full acl linux64back path_beg /linux64background acl linuxarmfull path_beg /linuxarmfull acl linuxarmback path_beg /linuxarmbackground # WebSockets use_backend meshWebSocket4 if host_ws meshipv4 !clientssl use_backend meshWebSocket6 if host_ws meshipv6 !clientssl # Mesh Relay use_backend meshcentralv4 if meshrelay meshipv4 use_backend meshcentralv6 if meshrelay meshipv6 # Client SSL Specific use_backend meshcentralv4 if meshipv4 !meshagent !macmeshagent clientssl use_backend meshcentralv6 if meshipv6 !meshagent !macmeshagent clientssl # Direct Mesh Agent download use_backend meshcentralv4 if meshipv4 meshagent use_backend meshcentralv6 if meshipv6 meshagent use_backend meshcentralv4 if meshipv4 macmeshagent use_backend meshcentralv6 if meshipv6 macmeshagent # Windows Custom Download use_backend Win10full4 if meshipv4 winfull use_backend Win10full6 if meshipv6 winfull use_backend Win10back4 if meshipv4 winback use_backend Win10back6 if meshipv6 winback # Mac CUstom Download use_backend macosx4 if meshipv4 macosx use_backend macosx6 if meshipv6 macosx # Linux Script Custom Download use_backend linuxSCRIPT4 if meshipv4 linuxscript use_backend linuxSCRIPT6 if meshipv6 linuxscript # Linux Script Custom Download use_backend linux64-bin-full4 if meshipv4 linux64full use_backend linux64-bin-full6 if meshipv6 linux64full use_backend linux64-bin-back4 if meshipv4 linux64back use_backend linux64-bin-back6 if meshipv6 linux64back use_backend linuxarm-bin-full4 if meshipv4 linuxarmfull use_backend linuxarm-bin-full6 if meshipv6 linuxarmfull use_backend linuxarm-bin-back4 if meshipv4 linuxarmback use_backend linuxarm-bin-back6 if meshipv6 linuxarmback # Fail if none of the above http-request deny if !macmeshagent !meshagent !clientssl !host_ws !winback !winfull !macosx !linuxscript !linux64full !linux64back !linuxarmfull !linuxarmback !meshrelay # Websockets backend meshWebSocket4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] server ipv4 127.0.0.1:444 backend meshWebSocket6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] server ipv6 [::1]:444 # Standard Interface backend meshcentralv4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] server ipv4 127.0.0.1:444 backend meshcentralv6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] server ipv6 [::1]:444 # Windows Agent Download backend Win10back4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=4&meshid=%[env(meshID)]&installflags=2 server ipv4 127.0.0.1:444 backend Win10back6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=4&meshid=%[env(meshID)]&installflags=2 server ipv6 [::1]:444 backend Win10full4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=4&meshid=%[env(meshdID)]&installflags=0 server ipv4 127.0.0.1:444 backend Win10full6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=4&meshid=%[env(meshID)]&installflags=0 server ipv6 [::1]:444 # MacOS Agent Download backend macosx6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshosxagents http-request set-query id=100054&meshid=%[env(meshID)] server ipv6 [::1]:444 backend macosx4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshosxagents http-request set-query id=100054&meshid=%[env(meshID)] server ipv4 127.0.0.1:444 # Linux Script Downloads backend linuxSCRIPT6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query scrpot=1 server ipv6 [::1]:444 backend linuxSCRIPT4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query scrpot=1 server ipv4 127.0.0.1:444 # Linux Binary Downloads backend linux64-bin-full6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=6 server ipv6 [::1]:444 backend linux64-bin-full4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=6 server ipv4 127.0.0.1:444 backend linux64-bin-back6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=6 server ipv6 [::1]:444 backend linux64-bin-back4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=6 server ipv4 127.0.0.1:444 backend linuxarm-bin-full6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=25 server ipv6 [::1]:444 backend linuxarm-bin-full4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=25 server ipv4 127.0.0.1:444 backend linuxarm-bin-back6 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=25` server ipv6 [::1]:444 backend linuxarm-bin-back4 http-request add-header X-Forwarded-Host %[req.hdr(Host)] http-request set-path /meshagents http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=25 server ipv4 127.0.0.1:444