Docker behind HAProxy, port 4222 issue #754
-
I've managed to get everything else working seemingly without issue, and was even able to cut out some of the somewhat redundant HAProxy (on PFSense) ACLs. However, I cannot get the agent to work properly because port 4222 refuses the connection. I've tried port forwarding with opening the port on the server firewall, and it still fails. The only thing I have t tried is setting up an HAProxy listener on 4222 to direct the traffic, only because I have no idea what URL it uses. Any thoughts? |
Beta Was this translation helpful? Give feedback.
Replies: 24 comments 20 replies
-
HAproxy shouldn't be needed for 4222 that should just be port forwarded directly. Are you using a custom certificate or the letsencrypt one? |
Beta Was this translation helpful? Give feedback.
-
I'm using a LetsEncrypt cert managed by the PFSense. Exported the cert and key, input them into the env file per instructions. Everything else seems fine. I can log in, go through set up, access the site, download the agent, etc, all using that imported cert info. So dumb question: when port forwarding, it should be forwarded to the host IP address, as docker listens for exposed ports on all interfaces, prior to any other rules, correct? |
Beta Was this translation helpful? Give feedback.
-
Yes I think it should be port forwarding to the docker host (I don't use docker). SSL setup sounds fine, was just checking. Feel free to give us the HAProxy setup steps you used if you don't mind to help others. |
Beta Was this translation helpful? Give feedback.
-
This is an unsupported configuration. You can use this for reference: Discussing in the Discord #unsupported channel is another option if you're still having problems |
Beta Was this translation helpful? Give feedback.
-
@silversword411 I'm aware it's an unsupported config. Unfortunately that example has nothing aside from making sure the port is forwarded included for 4222. It would be remarkably simple to forward it with HAProxy if I could simply find out what URL it's supposed to be directed to. |
Beta Was this translation helpful? Give feedback.
-
I thought that example had everything necessary for haproxy to work. There's only 3 URL's. rmm, api, and mesh. 4222 is api.yourdomain.com This may also be of help: https://github.com/wh1te909/tacticalrmm/blob/c4ffffeec8e32d1317272a1470c70899cb5eb3ed/docs/docs/unsupported_scripts.md#general-notes-on-proxies-and-tactical-rmm |
Beta Was this translation helpful? Give feedback.
-
It should be pointed at the host as it's a port forward URLs/haproxy etc are irrelevant |
Beta Was this translation helpful? Give feedback.
-
But yes dinger is right....a port forward is IP:port only, no URL's necessary :) |
Beta Was this translation helpful? Give feedback.
-
That's what I thought, but it always refused the connection during the agent install on a device. |
Beta Was this translation helpful? Give feedback.
-
And thank you for the clarification of which URL it's for. |
Beta Was this translation helpful? Give feedback.
-
Gotta be something else wrong. Do you have ufw enabled on the host? Maybe need to open ports on there? It's TCP port forward you need. To be honest the URL is irrelevant as it's all hosted on the same IP and just a TCP forward. Can you share your port forward tile? Blank out anything private |
Beta Was this translation helpful? Give feedback.
-
I use iptables with no management interface. I'll work on getting things ready to post images of current configs. |
Beta Was this translation helpful? Give feedback.
-
On your host? Can you check 4222 is open? Presumably you used pfsense for the port forward? |
Beta Was this translation helpful? Give feedback.
-
Problem solved by adding HAProxy listener on 4222 and forwarding it properly. Appear to have a fully working setup with ALL services proxied via HAProxy. It absolutely refused to forward via port forward. Working on editing HAProxy config and screen caps to post. |
Beta Was this translation helpful? Give feedback.
-
Not sure if proxying the nats traffic is going to work. It is a TLS connection, so I am guessing that the TLS handshake is failing. |
Beta Was this translation helpful? Give feedback.
-
It's fully functional using a let'sencrypt cert, exporting it, and importing it into the env file. I edited the docker-compose file to use different exposed ports (rather than 80 and 443) since I have multiple services running on my server. HAProxy config on my PFSense device, edited to remove actual URLs and other services: Automaticaly generated, dont edit manually.Generated on: 2021-10-09 14:34global listen HAProxyLocalStats frontend http_shared frontend https_shared-merged frontend api.example.com backend rmm.example.com_ipvANY backend mesh.example.com-websocket_ipvANY backend mesh.example.com_ipvANY backend api.example.com_ipvANY Photos of PFSense gui and functional rmm and mesh connection coming after editing. |
Beta Was this translation helpful? Give feedback.
-
Prereqs: PFSense, ACME cert management configured with valid cert, HAProxy, exported cert/key imported into docker env file per existing docker instructions. In HAProxy on PFSense, setup the standard http to https redirect frontend on port 80 (make sure to add all used URLs into the ACLs and Actions in config). Should be able to run this along side as many other sites and services as you want to. |
Beta Was this translation helpful? Give feedback.
-
Damn. After a while it looks like the connection drops. The agent originally pulled all the info (hardware, software, etc), but won't refresh after it sat idle for some time, and won't reconnect. I'll try playing with the timeouts and keep-alive settings. |
Beta Was this translation helpful? Give feedback.
-
I'll try some further troubleshooting and dumpster dive into logs later this evening. Maybe I'll find something that'll give me a clue. There's got to be a way to get this working properly, and I'll find it if it kills me! Muahahahaha! |
Beta Was this translation helpful? Give feedback.
-
Was able to figure out a few issues by looking through logs. Port forwarding for 4222 wasn't working because I had to set up both lan and wan rules, as I'm testing on my lan (derp). Also determined that PFSense exports the cert only, not the full chain cert, which needs to be manually copied and pasted into a file to be imported. This was causing nats to fail. To get the fullchain cert from PFSense when using acme and Let'sEncrypt, ssh into PFSense, enter the shell (option 8), install nano with 'pkg install nano', then 'nano /conf/acme/fqdn.fullchain' and copy and paste the cert text into the CRT file you're going to import. Haven't worked out the port 4222 api proxy yet, going over previously posted backend configs. |
Beta Was this translation helpful? Give feedback.
-
I'm aware it doesn't need to be proxied, I've got it all working now. Nats was failing due to the cert PFSense exports by default via the GUI not containing the full chain info, per the logs. Using the process I mentioned above solves the issue. |
Beta Was this translation helpful? Give feedback.
-
Looks like I did figure out how to proxy (sort of) 4222 using HAProxy, no port forwarding needed. The reason I've been so on that is because I don't care for leaving exposed open ports as a rule without something filtering what gets through. I've tested everything I can think of, including installing notepad++ on the remote PC via the RMM web interface. |
Beta Was this translation helpful? Give feedback.
-
Here is the current config I'm working with, fully proxied. Only posting screen captures of settings that have been changed: frontend https_shared-merged frontend api.example.com backend rmm.example.com_ipvANY backend mesh.example.com-websocket_ipvANY backend mesh.example.com_ipvANY backend api.example.com_ipvANY |
Beta Was this translation helpful? Give feedback.
-
@silversword411 I ran into random issues regarding the networking using the docker-compose file as it is. Changing the network section to this solved the issue:
Haven't had a single issue since making that change. Obviously the subnets/gateways except for the proxy network are arbitrary, so long as they're defined. |
Beta Was this translation helpful? Give feedback.
Here is the current config I'm working with, fully proxied. Only posting screen captures of settings that have been changed:
frontend https_shared-merged
bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy/https_shared.crt_list
mode http
log global
option socket-stats
option dontlognull
option http-server-close
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl aclcrt_https_shared var(txn.txnhost) -m reg -i ^([^\.]*).example.com(:([0-9]){1,5})?$
acl rmm var(txn.txnhost) -m str -i rmm.example.com
acl api var(txn.txnhost) -m str -i api.example.com
acl api422…