- # This example config is designed for HAProxy. It allows MeshCentral to use and validate Client Certificates.
- # Usernames/Passwords are still required. This will provide a layer for authorization.
- #
- # The MeshID enviorment variable is used for the binary paths. Simply put your MeshID for an incoming group
- # into this variable and the binary paths will use the ID for downloading the agent directly to the client.
- # Simply type in your specific url (https://reallycoolmeshsystem.com/win10full) and the agent will download
- # with the proper meshid for the specified group. In my usage, I have an incoming group assigned.
- #
- # The config also ensures a split between IPv4 and IPv6. Thus if a client attempts to connect on IPv4,
- # it will connect to Meshcentral with IPv4. And if IPv6 is used, IPv6 connection to Meshcentral will be used.
- # This config is written in *long* form, it is written for simplicity and clarity. I'm confident that someone
- # can shorten the script size easily.
- #
- # Please examine the MeshID, location of the certificates, certificate names and OU test for the certificates.
- # CRL and guest connections are not integrated yet.
- #
- #
- # The following specific path names do not require a validated client certificate:
- #
- # /win10background - Windows 10 Background Binary Installer
- # /win10full - Windows 10 Binary Interactive and Background Installer
- # /macosxfull - MacOS 10 Binary Interactive and Background Installer
- # /linuxscript - Linux Script ( See Docs)
- # /linux64full - Linux AMD64 Binary Interactive and Background Installer
- # /linux64background - Linux AMD64 Binary Background Installer
- # /linuxarmfull - Linux ARMhf Binary Interactive and Background Installer
- # /linuxarmbackground - Linux ARMhf Binary Background Installer
- #
- # /agent.ashx - Agent to server connection (Websockets)
- # /meshrelay.ashx - Agent to server relay
- # /meshagents - Default agent download path
- # /meshosxagent - Default agent download path for Mac OS X
- global
- log /dev/log local0
- log /dev/log local1 info
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- user haproxy
- group haproxy
- daemon
-
- # Set the meshID to the incoming group ID
- setenv meshID {{really long mesh group ID}}
- # Default SSL material locations
- # Probably needs a more secure location
- ca-base /etc/haproxy/
- crt-base /etc/haproxy/
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- ssl-default-bind-options no-sslv3
- defaults
- log global
- mode http
- option httplog
- option dontlognull
- timeout connect 5000
- timeout client 50000
- timeout server 50000
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
- frontend http
- bind :::80 v4v6
- redirect scheme http code 301 if !{ ssl_fc }
- frontend https
- # Replace Root-ca.pem and mesh.pem with proper certs
- bind :::443 v4v6 ssl crt mesh.pem ca-file Root-ca.pem verify optional crt-ignore-err all ca-ignore-err all
- http-request add-header X-Forwarded-Proto https
- # Testing for Client Certificate used
- acl clientssl ssl_c_used
-
- # Set SSL Cert OU here to verify a proper user
- acl clientssl ssl_c_s_dn(OU) "Bad Ass Mesh Services Inc"
- # Agents for download
- acl meshagent path_beg /meshagents
- acl macmeshagent path_beg /meshosxagent
- # IPV4 vs IPV6 test
- acl meshipv4 src 0.0.0.0/0
- acl meshipv6 src ::/0
- # Websockets ACL
- acl host_ws path_beg /agent.ashx
- # MeshRelay
- acl meshrelay path_beg /meshrelay.ashx
- # Specific Agent installers for each platform
- acl winback path_beg /win10background
- acl winfull path_beg /win10full
- acl macosx path_beg /macosxfull
- acl linuxscript path_beg /linuxscript
- acl linux64full path_beg /linux64full
- acl linux64back path_beg /linux64background
- acl linuxarmfull path_beg /linuxarmfull
- acl linuxarmback path_beg /linuxarmbackground
- # WebSockets
- use_backend meshWebSocket4 if host_ws meshipv4 !clientssl
- use_backend meshWebSocket6 if host_ws meshipv6 !clientssl
- # Mesh Relay
- use_backend meshcentralv4 if meshrelay meshipv4
- use_backend meshcentralv6 if meshrelay meshipv6
- # Client SSL Specific
- use_backend meshcentralv4 if meshipv4 !meshagent !macmeshagent clientssl
- use_backend meshcentralv6 if meshipv6 !meshagent !macmeshagent clientssl
- # Direct Mesh Agent download
- use_backend meshcentralv4 if meshipv4 meshagent
- use_backend meshcentralv6 if meshipv6 meshagent
- use_backend meshcentralv4 if meshipv4 macmeshagent
- use_backend meshcentralv6 if meshipv6 macmeshagent
- # Windows Custom Download
- use_backend Win10full4 if meshipv4 winfull
- use_backend Win10full6 if meshipv6 winfull
- use_backend Win10back4 if meshipv4 winback
- use_backend Win10back6 if meshipv6 winback
- # Mac CUstom Download
- use_backend macosx4 if meshipv4 macosx
- use_backend macosx6 if meshipv6 macosx
- # Linux Script Custom Download
- use_backend linuxSCRIPT4 if meshipv4 linuxscript
- use_backend linuxSCRIPT6 if meshipv6 linuxscript
- # Linux Script Custom Download
- use_backend linux64-bin-full4 if meshipv4 linux64full
- use_backend linux64-bin-full6 if meshipv6 linux64full
- use_backend linux64-bin-back4 if meshipv4 linux64back
- use_backend linux64-bin-back6 if meshipv6 linux64back
- use_backend linuxarm-bin-full4 if meshipv4 linuxarmfull
- use_backend linuxarm-bin-full6 if meshipv6 linuxarmfull
- use_backend linuxarm-bin-back4 if meshipv4 linuxarmback
- use_backend linuxarm-bin-back6 if meshipv6 linuxarmback
- # Fail if none of the above
- http-request deny if !macmeshagent !meshagent !clientssl !host_ws !winback !winfull !macosx !linuxscript !linux64full !linux64back !linuxarmfull !linuxarmback !meshrelay
- # Websockets
- backend meshWebSocket4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- server ipv4 127.0.0.1:444
- backend meshWebSocket6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- server ipv6 [::1]:444
- # Standard Interface
- backend meshcentralv4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- server ipv4 127.0.0.1:444
- backend meshcentralv6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- server ipv6 [::1]:444
- # Windows Agent Download
- backend Win10back4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=4&meshid=%[env(meshID)]&installflags=2
- server ipv4 127.0.0.1:444
- backend Win10back6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=4&meshid=%[env(meshID)]&installflags=2
- server ipv6 [::1]:444
- backend Win10full4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=4&meshid=%[env(meshdID)]&installflags=0
- server ipv4 127.0.0.1:444
- backend Win10full6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=4&meshid=%[env(meshID)]&installflags=0
- server ipv6 [::1]:444
- # MacOS Agent Download
- backend macosx6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshosxagents
- http-request set-query id=100054&meshid=%[env(meshID)]
- server ipv6 [::1]:444
- backend macosx4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshosxagents
- http-request set-query id=100054&meshid=%[env(meshID)]
- server ipv4 127.0.0.1:444
- # Linux Script Downloads
- backend linuxSCRIPT6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query scrpot=1
- server ipv6 [::1]:444
- backend linuxSCRIPT4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query scrpot=1
- server ipv4 127.0.0.1:444
- # Linux Binary Downloads
- backend linux64-bin-full6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=6
- server ipv6 [::1]:444
- backend linux64-bin-full4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=6
- server ipv4 127.0.0.1:444
- backend linux64-bin-back6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=6
- server ipv6 [::1]:444
- backend linux64-bin-back4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=6
- server ipv4 127.0.0.1:444
- backend linuxarm-bin-full6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=25
- server ipv6 [::1]:444
- backend linuxarm-bin-full4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=%[env(meshID)]&installflags=0&meshinstall=25
- server ipv4 127.0.0.1:444
- backend linuxarm-bin-back6
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=25`
- server ipv6 [::1]:444
- backend linuxarm-bin-back4
- http-request add-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-path /meshagents
- http-request set-query id=%[env(meshID)]&installflags=2&meshinstall=25
- server ipv4 127.0.0.1:444