[GH-ISSUE #135] Tactical behind a Reverse proxy #2021

Closed
opened 2026-03-14 02:07:51 +03:00 by kerem · 6 comments

Originally created by @simiplex on GitHub (Oct 9, 2020).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/135

I have an Apache webserver. I set it up to forward the rmm, api and mesh URLs through it to the nginx server, and the SSL certificates show up as valid. I have all web interfaces working over the internet and everything works and connects, except the mesh agent won't install, and this is the error I get in the Apache logs:

[8/Oct/2020:19:54:38 +0000] "GET /api/v2/meshexe/ HTTP/1.1" 401 451 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"
It works fine on the local LAN as well if I change the NAT rules directly to the Tactical server.
Is what I am trying to do possible, or can I change the port from 443 if needed for the mesh client?

Thanks

kerem closed this issue 2026-03-14 02:07:57 +03:00
@wh1te909 commented on GitHub (Oct 9, 2020):

Nginx's only purpose in the RMM setup is to act as a reverse proxy, so if you want to use Apache there is no need for nginx; you should just have Apache acting as the proxy. Look at the 3 nginx conf files in /etc/nginx/sites-available (rmm.conf for the Django backend, meshcentral.conf, and frontend.conf for the Vue frontend) and just translate those to Apache confs, and you can get rid of nginx.

@bradhawkins85 commented on GitHub (Oct 12, 2020):

It is possible to have the whole system behind a reverse proxy. Mine is behind HAProxy for the exact same reason: I have a wildcard certificate on the reverse proxy which covers all my sites and domains. I'll put snippets of the HAProxy config which may or may not be useful for you.

frontend my_frontend
    bind *:80 name http
    # TLS from the internet terminates here with the wildcard cert;
    # the hop to the Tactical server is re-encrypted in the backend below
    bind *:443 name https ssl crt /etc/letsencrypt/live/mycert.pem
    option httplog
    option forwardfor
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    no option forceclose
    no option http-tunnel
    # route on the Host header; all three names end up on the same Tactical box
    acl host_rmm hdr(Host) -i rmm.mydomain.com.au
    acl host_rmmapi hdr(Host) -i api.mydomain.com.au
    acl host_rmmmesh hdr(Host) -i mesh.mydomain.com.au
    use_backend bk_tactical if host_rmm
    use_backend bk_tactical if host_rmmapi
    use_backend bk_tactical if host_rmmmesh

backend bk_tactical
    option http-keep-alive
    option forwardfor
    # tell the upstream nginx/Django which port and scheme the client really used
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-check expect string 200\ OK
    # re-encrypt to the Tactical server's own 443; "verify none" means HAProxy does
    # not validate the certificate presented on this internal hop
    server tactilermm internalip:443 ssl verify none maxconn 1000 weight 10 check

@simiplex commented on GitHub (Oct 12, 2020):

Thanks. I was able to get it almost all working, except the agent installer seems to fail after downloading the Salt minion. If I forward the 443 port directly to the Tactical server it works and installs properly, etc...

Installer - Install 165 - ERROR HTTPSConnectionPool(host='api.mydomain.com', port=443): Max retries exceeded with url: /api/v2/meshexe (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

If I browse to api.mydomain.com/longurlkey...... or rmm or mesh the certificate comes up as valid. I will review my server logs to see if I missed anything. Any pointers will be appreciated.

Thanks

@wh1te909 commented on GitHub (Oct 12, 2020):

The only time I've seen that error is when using a domain CA, see here: https://github.com/wh1te909/winagent/issues/3
Support for that has already been added: when you run the installer, pass it the --cert C:\path\to\your\ca.pem flag. But it doesn't seem like that's your issue.

What do you mean by if you forward 443 port directly to the server? Are you still using nginx behind apache or did you get rid of nginx and just using apache?

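The installer traceback pasted two comments up is a urllib3 HTTPSConnectionPool error, so it is Python's ssl module, not a browser, that rejected the proxy's certificate. Two things routinely produce exactly "unable to get local issuer certificate" while every browser shows the same site as valid: OpenSSL does not fetch missing intermediate certificates via the AIA extension the way Chrome does, so a proxy that sends only the leaf passes a browser check and fails the installer; and an issuer that is a private or domain CA is not in Python's default store, which is the case the --cert flag covers. The script below is an added example for this thread, not code from the tacticalrmm or winagent projects: it performs the same handshake the installer does against the three proxied host names (default trust store, or a CA bundle path behaving like --cert), maps OpenSSL's verify codes to the next check to run on the proxy, and classifies a pasted installer error line offline. The example.com host names, the CA path argument and the sample error line are constructed stand-ins for the thread's redacted values.

```python
"""TLS verification check for a Tactical RMM install behind a TLS-terminating proxy.

Added example for this thread, not code from the tacticalrmm or winagent projects.
Host names, the CA bundle path and the sample error line are constructed stand-ins.
"""
import socket
import ssl
import sys
from typing import Optional

# OpenSSL X509 verify result codes as exposed on ssl.SSLCertVerificationError.verify_code,
# with the reason text OpenSSL emits and the next thing to check on the proxy.
VERIFY_CODES = {
    10: ("certificate has expired",
         "renew the certificate the proxy serves"),
    18: ("self signed certificate",
         "the proxy serves a self-signed cert; pass its CA to the installer with --cert"),
    19: ("self signed certificate in certificate chain",
         "the chain ends in a private root; pass that root to the installer with --cert"),
    20: ("unable to get local issuer certificate",
         "the proxy sends the leaf without its intermediates (check with openssl s_client "
         "-showcerts), or the issuer is a private CA not in the default store (--cert)"),
    62: ("hostname mismatch",
         "the cert presented for this Host/SNI does not cover the name; check proxy routing"),
}


def explain_verify_code(code: Optional[int]) -> str:
    """Turn a verify code into the reason text plus the check to run next."""
    reason, action = VERIFY_CODES.get(
        code, ("unrecognised verify error", "inspect with openssl s_client -showcerts"))
    return f"{reason}: {action}"


def classify_installer_error(log_line: str) -> Optional[int]:
    """Infer the OpenSSL verify code from a pasted installer/urllib3 error line.

    Matching is case-insensitive (Python capitalises "Hostname mismatch") and tolerates
    OpenSSL 3's hyphenated "self-signed"; longer reasons are tried first so code 19 is
    not mistaken for code 18.
    """
    text = log_line.lower().replace("self-signed", "self signed")
    for code, (reason, _) in sorted(VERIFY_CODES.items(), key=lambda kv: -len(kv[1][0])):
        if reason in text:
            return code
    return None


def check_tls(host: str, port: int = 443, ca_bundle: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Handshake with host the way the installer does and return a result instead of raising.

    ca_bundle=None uses the default trust store; a path behaves like the installer's --cert
    flag. create_default_context already enforces CERT_REQUIRED and hostname checking,
    which browsers also do; AIA fetching of intermediates is what it does not do.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
                return {"host": host, "ok": True, "verify_code": None,
                        "detail": f"issued by {issuer.get('commonName', '?')}, "
                                  f"expires {cert['notAfter']}"}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "ok": False, "verify_code": exc.verify_code,
                "detail": explain_verify_code(exc.verify_code)}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "ok": False, "verify_code": None, "detail": str(exc)}


# Constructed sample, modelled on the error pasted in the thread (not copied from a real run).
SAMPLE_INSTALLER_ERROR = (
    "Installer - Install 165 - ERROR HTTPSConnectionPool(host='api.example.com', port=443): "
    "Max retries exceeded with url: /api/v2/meshexe/ (Caused by SSLError("
    "SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
    "unable to get local issuer certificate (_ssl.c:1129)')))"
)

if __name__ == "__main__":
    # Assumed host names; an optional CA bundle path in argv[1] mirrors the --cert workflow.
    ca = sys.argv[1] if len(sys.argv) > 1 else None
    for name in ("rmm.example.com", "api.example.com", "mesh.example.com"):
        result = check_tls(name, ca_bundle=ca)
        print(f"{result['host']}: {'OK' if result['ok'] else 'FAIL'} - {result['detail']}")
    print("sample installer line ->",
          explain_verify_code(classify_installer_error(SAMPLE_INSTALLER_ERROR)))
```

Run it once with no argument and once with the CA bundle you would hand to --cert: if the first run fails with code 20 on all three names and the second succeeds, the proxy's issuer is simply not in the default store; if both fail with code 20 on a publicly issued certificate, the proxy is not sending its intermediates, which `openssl s_client -showcerts -servername api.mydomain.com -connect api.mydomain.com:443` will show as a single BEGIN CERTIFICATE block.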
@simiplex commented on GitHub (Oct 13, 2020):

Thanks for your help. I followed @bradhawkins85's advice and used HAProxy, and it works. My lab setup currently is a mess of different servers built upon previous servers, and I don't take the time to clean up the routing and design. This forced me to do some reconfiguration to make things run smoother.

@bradhawkins85 commented on GitHub (Oct 14, 2020):

@simiplex Glad you got it sorted.
