From 36cddd565212da11ba644e5ccd844dbb73c87510 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Thu, 1 Nov 2018 15:01:21 -0700 Subject: [PATCH] Added NGNX reverse-proxy support. --- certoperations.js | 8 ++++---- meshagent.js | 32 ++++++++++++++++---------------- meshcentral.js | 2 ++ package.json | 2 +- webserver.js | 37 ++++++++++++++++--------------------- 5 files changed, 39 insertions(+), 42 deletions(-) diff --git a/certoperations.js b/certoperations.js index 7b653649..c680cbb6 100644 --- a/certoperations.js +++ b/certoperations.js @@ -39,7 +39,7 @@ module.exports.CertificateOperations = function () { } else { func(url, null, tag); } }; - // Return the SHA386 hash of the certificate public key + // Return the SHA384 hash of the certificate public key obj.getPublicKeyHash = function (cert) { var publickey = obj.pki.certificateFromPem(cert).publicKey; return obj.pki.getPublicKeyFingerprint(publickey, { encoding: "hex", md: obj.forge.md.sha384.create() }); @@ -122,7 +122,7 @@ module.exports.CertificateOperations = function () { rcount++; } - if (args.tlsoffload === true) { + if (args.tlsoffload) { // If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation if (obj.fileExists(parent.getConfigFilePath("webserver-cert-public.crt"))) { r.web = { cert: obj.fs.readFileSync(parent.getConfigFilePath("webserver-cert-public.crt"), "utf8") }; @@ -204,7 +204,7 @@ module.exports.CertificateOperations = function () { for (i in config.domains) { if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) { dnsname = config.domains[i].dns; - if (args.tlsoffload === true) { + if (args.tlsoffload) { // If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation if (obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt"))) { r.dns[i] = { cert: obj.fs.readFileSync(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt"), "utf8") }; @@ -370,7 +370,7 @@ module.exports.CertificateOperations = function () { for (i in config.domains) { if ((i != "") && (config.domains[i] != null) && (config.domains[i].dns != null)) { dnsname = config.domains[i].dns; - if (args.tlsoffload != true) { + if (!args.tlsoffload) { // If the web certificate does not exist, create it if ((obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-public.crt")) === false) || (obj.fileExists(parent.getConfigFilePath("webserver-" + i + "-cert-private.key")) === false)) { console.log("Generating HTTPS certificate for " + i + "..."); diff --git a/meshagent.js b/meshagent.js index 508816de..f779cf50 100644 --- a/meshagent.js +++ b/meshagent.js @@ -38,10 +38,10 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { obj.agentInfo = null; obj.agentUpdate = null; const agentUpdateBlockSize = 65520; - obj.remoteaddr = obj.ws._socket.remoteAddress; - obj.useSHA386 = false; - obj.agentConnectCount = ++AgentConnectCount; + obj.remoteaddr = req.ip; if (obj.remoteaddr.startsWith('::ffff:')) { obj.remoteaddr = obj.remoteaddr.substring(7); } + obj.remoteaddrport = obj.remoteaddr + ':' + obj.ws._socket.remotePort; + obj.agentConnectCount = ++AgentConnectCount; ws._socket.setKeepAlive(true, 240000); // Set TCP keep alive, 4 minutes // Send a message to the mesh agent @@ -49,8 +49,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { // Disconnect this agent obj.close = function (arg) { - if ((arg == 1) || (arg == null)) { try { obj.ws.close(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Soft disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } } catch (e) { console.log(e); } } // Soft close, close the websocket - if (arg == 2) { try { obj.ws._socket._parent.end(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Hard disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } } catch (e) { console.log(e); } } // Hard close, close the TCP socket + if ((arg == 1) || (arg == null)) { try { obj.ws.close(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Soft disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } } catch (e) { console.log(e); } } // Soft close, close the websocket + if (arg == 2) { try { obj.ws._socket._parent.end(); if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Hard disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } } catch (e) { console.log(e); } } // Hard close, close the TCP socket if (arg == 3) { obj.authenticated = -1; } // Don't communicate with this agent anymore, but don't disconnect (Duplicate agent). if (obj.parent.wsagents[obj.dbNodeKey] == obj) { delete obj.parent.wsagents[obj.dbNodeKey]; @@ -197,8 +197,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { if ((msg.length != 98) || ((obj.receivedCommands & 1) != 0)) return; obj.receivedCommands += 1; // Agent can't send the same command twice on the same connection ever. Block DOS attack path. - // Check that the server hash matches our own web certificate hash (SHA386) - if (getWebCertHash(obj.domain) != msg.substring(2, 50)) { console.log('Agent connected with bad web certificate hash (' + (new Buffer(getWebCertHash(obj.domain), 'binary').toString('hex').substring(0, 10)) + ' != ' + (new Buffer(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddr + ').'); return; } + // Check that the server hash matches our own web certificate hash (SHA384) + if (getWebCertHash(obj.domain) != msg.substring(2, 50)) { console.log('Agent connected with bad web certificate hash (' + (new Buffer(getWebCertHash(obj.domain), 'binary').toString('hex').substring(0, 10)) + ' != ' + (new Buffer(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddrport + ').'); return; } // Use our server private key to sign the ServerHash + AgentNonce + ServerNonce obj.agentnonce = msg.substring(50, 98); @@ -223,7 +223,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { // Check the agent signature if we can if (obj.unauthsign != null) { - if (processAgentSignature(obj.unauthsign) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddr + ').'); return; } else { completeAgentConnection(); } + if (processAgentSignature(obj.unauthsign) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddrport + ').'); return; } else { completeAgentConnection(); } } } else if (cmd == 2) { @@ -238,7 +238,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { obj.unauth.nodeCertPem = '-----BEGIN CERTIFICATE-----\r\n' + new Buffer(msg.substring(4, 4 + certlen), 'binary').toString('base64') + '\r\n-----END CERTIFICATE-----'; // Check the agent signature if we can - if (obj.agentnonce == null) { obj.unauthsign = msg.substring(4 + certlen); } else { if (processAgentSignature(msg.substring(4 + certlen)) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddr + ').'); return; } } + if (obj.agentnonce == null) { obj.unauthsign = msg.substring(4 + certlen); } else { if (processAgentSignature(msg.substring(4 + certlen)) == false) { console.log('Agent connected with bad signature, holding connection (' + obj.remoteaddrport + ').'); return; } } completeAgentConnection(); } else if (cmd == 3) { @@ -279,8 +279,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { ws.on('error', function (err) { console.log('AGENT WSERR: ' + err); }); // If the mesh agent web socket is closed, clean up. - ws.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } obj.close(0); }); - // obj.ws._socket._parent.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent TCP disconnect ' + obj.nodeid + ' (' + obj.remoteaddr + ')'); } }); + ws.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } obj.close(0); }); + // obj.ws._socket._parent.on('close', function (req) { if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Agent TCP disconnect ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } }); // Start authenticate the mesh agent by sending a auth nonce & server TLS cert hash. // Send 384 bits SHA384 hash of TLS cert public key + 384 bits nonce @@ -294,8 +294,8 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { // Check that the mesh exists var mesh = obj.parent.meshes[obj.dbMeshKey]; - if (mesh == null) { console.log('Agent connected with invalid domain/mesh, holding connection (' + obj.remoteaddr + ', ' + obj.dbMeshKey + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours. - if (mesh.mtype != 2) { console.log('Agent connected with invalid mesh type, holding connection (' + obj.remoteaddr + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours. + if (mesh == null) { console.log('Agent connected with invalid domain/mesh, holding connection (' + obj.remoteaddrport + ', ' + obj.dbMeshKey + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours. + if (mesh.mtype != 2) { console.log('Agent connected with invalid mesh type, holding connection (' + obj.remoteaddrport + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours. // Check that the node exists obj.db.Get(obj.dbNodeKey, function (err, nodes) { @@ -349,7 +349,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { obj.parent.wsagents[obj.dbNodeKey] = obj; if (dupAgent) { // Close the duplicate agent - if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Duplicate agent ' + obj.nodeid + ' (' + obj.remoteaddr + ':' + obj.ws._socket.remotePort + ')'); } + if (obj.nodeid != null) { obj.parent.parent.debug(1, 'Duplicate agent ' + obj.nodeid + ' (' + obj.remoteaddrport + ')'); } dupAgent.close(3); } else { // Indicate the agent is connected @@ -432,7 +432,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { delete obj.agentnonce; delete obj.unauth; if (obj.unauthsign) delete obj.unauthsign; - obj.parent.parent.debug(1, 'Verified agent connection to ' + obj.nodeid + ' (' + obj.remoteaddr + ':' + obj.ws._socket.remotePort + ').'); + obj.parent.parent.debug(1, 'Verified agent connection to ' + obj.nodeid + ' (' + obj.remoteaddrport + ').'); obj.authenticated = 1; return true; } @@ -442,7 +442,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) { var i; var str = msg.toString('utf8'), command = null; if (str[0] == '{') { - try { command = JSON.parse(str); } catch (ex) { console.log('Unable to parse agent JSON (' + obj.remoteaddr + '): ' + str, ex); return; } // If the command can't be parsed, ignore it. + try { command = JSON.parse(str); } catch (ex) { console.log('Unable to parse agent JSON (' + obj.remoteaddrport + '): ' + str, ex); return; } // If the command can't be parsed, ignore it. if (typeof command != 'object') { return; } switch (command.action) { case 'msg': diff --git a/meshcentral.js b/meshcentral.js index 4f948b20..bf9ab8f5 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -416,9 +416,11 @@ function CreateMeshCentralServer(config, args) { var forgeCert = obj.certificateOperations.forge.pki.certificateFromAsn1(obj.certificateOperations.forge.asn1.fromDer(cert.raw.toString('binary'))); var hash = obj.certificateOperations.forge.pki.getPublicKeyFingerprint(forgeCert.publicKey, { md: obj.certificateOperations.forge.md.sha384.create(), encoding: 'hex' }); xdomain.certhash = hash; + console.log('Loaded RSA web certificate at ' + url + ', SHA384: ' + xdomain.certhash + '.'); } catch (ex) { // This may be a ECDSA certificate, hash the entire cert xdomain.certhash = obj.crypto.createHash('sha384').update(cert.raw).digest('hex'); + console.log('Loaded non-RSA web certificate at ' + url + ', SHA384: ' + xdomain.certhash + '.'); } } else { console.log('Failed to load web certificate at: ' + url); diff --git a/package.json b/package.json index 4e2d61fb..e3770b18 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "meshcentral", - "version": "0.2.2-o", + "version": "0.2.2-p", "keywords": [ "Remote Management", "Intel AMT", diff --git a/webserver.js b/webserver.js index 4d433b35..0a8f5420 100644 --- a/webserver.js +++ b/webserver.js @@ -178,23 +178,16 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { // Setup middleware obj.app.engine('handlebars', obj.exphbs({})); // defaultLayout: 'main' obj.app.set('view engine', 'handlebars'); + if (obj.args.tlsoffload) { obj.app.set('trust proxy', obj.args.tlsoffload); } // Reverse proxy should add the "X-Forwarded-*" headers obj.app.use(obj.bodyParser.urlencoded({ extended: false })); - if (obj.args.sessiontime != null) { - obj.app.use(obj.session({ - name: 'xid', // Recommanded security practice to not use the default cookie name - httpOnly: true, - keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances - secure: (obj.args.notls != true), // Use this cookie only over TLS - maxAge: (obj.args.sessiontime * 60 * 1000) // Number of minutes - })); - } else { - obj.app.use(obj.session({ - name: 'xid', // Recommanded security practice to not use the default cookie name - httpOnly: true, - keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances - secure: (obj.args.notls != true) // Use this cookie only over TLS - })); + var sessionOptions = { + name: 'xid', // Recommanded security practice to not use the default cookie name + httpOnly: true, + keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances + secure: (obj.args.notls != true) // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html) } + if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); } + obj.app.use(obj.session(sessionOptions)); // Session-persisted message middleware obj.app.use(function (req, res, next) { @@ -283,9 +276,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { function checkUserIpAddressEx(req, res, allowedIpList) { if (allowedIpList == null) { return true; } try { - var ip = null, type = 0; - if (req.connection) { ip = req.connection.remoteAddress; type = 1; } // HTTP(S) request - else if (req._socket) { ip = req._socket.remoteAddress; type = 2; } // WebSocket request + var ip = req.ip, type = 0; + if (req.connection) { type = 1; } // HTTP(S) request + else if (req._socket) { type = 2; } // WebSocket request if (ip.startsWith('::ffff:')) { ip = ip.substring(7); } // Fix IPv4 IP's encoded in IPv6 form if ((ip != null) && (allowedIpList.indexOf(ip) >= 0)) { return true; } if (type == 1) { res.sendStatus(401); } @@ -343,7 +336,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { user.login = Date.now(); obj.db.SetUser(user); - // Regenerate session when signing in to prevent fixation //req.session.regenerate(function () { // Store the user's primary key in the session store to be retrieved, or in this case the entire user object @@ -369,6 +361,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { res.redirect(domain.url); }); */ + res.redirect(domain.url); // Temporary } else { res.redirect(domain.url); } @@ -743,7 +736,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if (obj.args.lanonly == true) { features += 2; } // LAN-only mode if (obj.args.nousers == true) { features += 4; } // Single user mode if (domain.userQuota == -1) { features += 8; } // No server files mode - if (obj.args.tlsoffload == true) { features += 16; } // No mutual-auth CIRA + if (obj.args.tlsoffload) { features += 16; } // No mutual-auth CIRA if ((parent.config != null) && (parent.config.settings != null) && (parent.config.settings.allowframing == true)) { features += 32; } // Allow site within iframe if ((obj.parent.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName != 'un-configured') && (obj.args.lanonly != true)) { features += 64; } // Email invites if (obj.args.webrtc == true) { features += 128; } // Enable WebRTC (Default false for now) @@ -1405,7 +1398,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if (auth.response === obj.common.ComputeDigesthash(auth.username, amtpass, auth.realm, "POST", auth.uri, auth.qop, auth.nonce, auth.nc, auth.cnonce)) { // This is an authenticated Intel AMT event, update the host address - var amthost = req.connection.remoteAddress; + var amthost = req.ip; if (amthost.substring(0, 7) === '::ffff:') { amthost = amthost.substring(7); } if (node.host != amthost) { // Get the mesh for this device @@ -1773,6 +1766,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { // Two more headers to take a look at: // 'Public-Key-Pins': 'pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; max-age=10' // 'strict-transport-security': 'max-age=31536000; includeSubDomains' + /* var headers = null; if (obj.args.notls) { // Default headers if no TLS is used @@ -1783,6 +1777,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { } if (parent.config.settings.accesscontrolalloworigin != null) { headers['Access-Control-Allow-Origin'] = parent.config.settings.accesscontrolalloworigin; } res.set(headers); + */ return next(); } });