[GH-ISSUE #2091] Trying to open my rmm server to an external proxy server #3245

Closed
opened 2026-03-14 06:57:32 +03:00 by kerem · 0 comments
Owner

Originally created by @gabmega on GitHub (Dec 3, 2024).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/2091

I have several servers that must share the same public IP, so I put them behind an nginx reverse proxy. I now need to install RMM on one of those servers, and it must be reachable through the same public IP under a subdomain of the same DNS name.

I've made great progress: I can now log in and manage things via RMM. However, I still face two problems: the API log shows an error for natsws, and Mesh cannot connect to the computer remotely (the "Connect" button is disabled when I use "Take Control").

My rmm server: 192.168.1.41
My Nginx server: 192.168.1.54

Nginx log error:
2024/12/03 18:47:39 [error] 817#817: *1085253 recv() failed (104: Unknown error) while proxying upgraded connection, client: (my public ip), server: api.example.com, request: "GET /natsws HTTP/1.1", upstream: "http://192.168.1.41:8080/natsws", host: "api.example.com"

Rmm api log error:
2024/12/03 20:25:12 [error] 735#735: *14458 recv() failed (104: Connection reset by peer) while proxying upgraded connection, client: 192.168.1.54, server: , request: "GET /natsws HTTP/1.1", upstream: "http://127.0.0.1:9235/natsws", host: "api.example.com"

Nginx server > /etc/nginx/sites-available/rmm.conf

# Plain-HTTP listener for the three RMM hostnames. It serves no content:
# every request is answered with a permanent redirect to the HTTPS URL for
# the same host and path.
# NOTE(review): $host is taken from the request, so if this block also ends
# up as the default server for port 80, requests for unknown hostnames are
# redirected as well. Confirm which block is the default on this proxy.
server {
    server_name rmm.example.com api.example.com mesh.example.com;
    listen 80;

    # A server-level return applies to every URI, which has the same effect
    # as returning from a catch-all "location /".
    return 301 https://$host$request_uri;
}

# Public HTTPS front for the RMM web UI (rmm.example.com). TLS terminates
# here and requests are relayed over plain HTTP to port 80 on the RMM host.
server {
        server_name rmm.example.com;
        listen [::]:443 ssl;
        listen 443 ssl;

        access_log /var/log/nginx/rmm-frontend-access.log;
        error_log  /var/log/nginx/rmm-frontend-error.log;

        # Certificate chain and private key, shared by all three hostnames.
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

        # TLS 1.2/1.3 only, AES-GCM suites with ephemeral key exchange,
        # server cipher order preferred.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve secp384r1;

        # NOTE(review): no resolver or ssl_trusted_certificate appears in this
        # block; stapling with verification normally needs both. Check the
        # error log for stapling warnings.
        ssl_stapling_verify on;
        ssl_stapling on;

        # Without the "always" flag nginx adds this header only to successful
        # and redirect responses, not to error pages.
        add_header X-Content-Type-Options nosniff;

        location / {
                # $proxy_add_x_forwarded_for appends the peer address to any
                # X-Forwarded-For header the client sent. On this
                # internet-facing hop the earlier entries are client-supplied,
                # so the backend should rely only on the last hop or on
                # X-Real-IP.
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;

                # The proxy-to-RMM hop is unencrypted HTTP on the LAN.
                proxy_pass http://192.168.1.41:80;
        }
}

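# Public HTTPS front for the remote-control (mesh) hostname. TLS terminates
# here and traffic, including WebSocket upgrades, is relayed over plain HTTP
# to port 4430 on the RMM host.
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name mesh.example.com;

        # Long timeouts so idle remote-control sessions are not cut at the
        # default 60s.
        proxy_send_timeout 330s;
        proxy_read_timeout 330s;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        ssl_session_cache shared:WEBSSL:10m;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1;
        ssl_stapling on;
        ssl_stapling_verify on;
        # Without "always" this header is not added to error responses.
        add_header X-Content-Type-Options nosniff;

        # Fix: the access log previously pointed at rmm-api-access.log, the
        # same file the api.example.com block writes. Remote-control sessions
        # now get their own access log, matching the mesh error log, so they
        # can be reviewed separately from API traffic.
        error_log  /var/log/nginx/rmm-mesh-error.log;
        access_log /var/log/nginx/rmm-mesh-access.log;

        location / {

                proxy_pass http://192.168.1.41:4430/;
                proxy_http_version 1.1;

                proxy_set_header Host $host;
                # WebSocket upgrade headers. "upgrade" is sent on every
                # request here, not only on WebSocket handshakes.
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Forwarded-Host $host:$server_port;
                # Appends to any client-supplied X-Forwarded-For; only the
                # last entry is added by this proxy.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                # NOTE(review): the mesh service now sits behind an extra
                # TLS-terminating hop. Its own configuration presumably has to
                # be told about this proxy (trusted proxy address, TLS
                # offload, the certificate clients actually see). Confirm
                # against the MeshCentral reverse-proxy documentation before
                # changing anything here.

        }

}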


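# Public HTTPS front for the RMM API hostname. TLS terminates here and
# everything (REST calls, /ws/ and /natsws WebSocket upgrades) is relayed over
# plain HTTP to the RMM host's nginx on port 8080.
server {

        listen 443 ssl reuseport;
        listen [::]:443 ssl;
        server_name api.example.com;

        # Same upload limit as the RMM host's own nginx (300M), so large
        # bodies are not rejected at this hop first.
        client_max_body_size 300M;

        error_log  /var/log/nginx/rmm-api-error.log;
        access_log /var/log/nginx/rmm-api-access.log;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1;
        ssl_stapling on;
        ssl_stapling_verify on;
        # Without "always" this header is not added to error responses.
        add_header X-Content-Type-Options nosniff;

        location / {

                proxy_pass http://192.168.1.41:8080/;
                proxy_http_version 1.1;

                proxy_set_header Host $host;
                # WebSocket upgrade headers. "upgrade" is sent on every
                # request, WebSocket or not; the usual pattern derives the
                # Connection value from $http_upgrade with a map defined in
                # the http context.
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Host $host:$server_port;
                # Appends to any client-supplied X-Forwarded-For; only the
                # last entry is added by this proxy.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                # Fix: this location uses proxy_pass, so the uwsgi_* directives
                # that stood here had no effect and the 60s proxy defaults
                # applied. The proxy_* equivalents keep this hop open as long
                # as the RMM host's 300s uwsgi timeout and stop idle upgraded
                # connections being closed after 60s.
                # The "recv() failed (104)" entries in the logs are resets
                # received from the upstream, not timeouts raised here, so this
                # change alone may not clear them.
                proxy_read_timeout 300s;
                proxy_ignore_client_abort on;

        }
}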

Rmm server > /etc/nginx/sites-available/rmm.conf

# Do not advertise the nginx version in the Server header or on error pages.
server_tokens off;

# uWSGI application server, reached over a local UNIX socket.
upstream tacticalrmm {
    server unix:////rmm/api/tacticalrmm/tacticalrmm.sock;
}

# Access-log filter keyed on the User-Agent header. Despite the name, the
# value 1 means "log" and 0 means "skip": access_log's if= condition
# suppresses an entry when the variable is "0" or empty.
# Requests whose User-Agent matches python-requests or go-resty
# (case-sensitive regex) are therefore left out of the access log.
# NOTE(review): User-Agent is client-controlled, so any client sending one of
# these strings is also omitted from the access log. Keep that in mind when
# using this log for incident review.
map $http_user_agent $ignore_ua {
    "~python-requests.*" 0;
    "~go-resty.*" 0;
    default 1;
}

# RMM API virtual host on the RMM machine itself. It listens on plain HTTP
# port 8080 as the default server and expects TLS to be terminated upstream.
# NOTE(review): the listen directives bind all interfaces, so any host that
# can reach port 8080 can bypass the external proxy and supply its own
# X-Forwarded-* headers. Consider restricting the port to the proxy address
# (192.168.1.54 in this setup) with a firewall rule or allow/deny.
server {
    listen 8080 default_server;
    listen [::]:8080 default_server;

    client_max_body_size 300M;

    # Access entries are written only when $ignore_ua is neither "0" nor
    # empty (see the map on User-Agent defined above this server block).
    access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=$ignore_ua;
    error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;

    # Static files served straight from disk; the CORS header allows the web
    # UI origin only.
    location /static/ {
        root /rmm/api/tacticalrmm;
        add_header "Access-Control-Allow-Origin" "https://rmm.example.com";
    }

    # "internal": not reachable by direct client requests, only through
    # internal redirects issued by nginx or the application.
    location /private/ {
        internal;
        add_header "Access-Control-Allow-Origin" "https://rmm.example.com";
        alias /rmm/api/tacticalrmm/tacticalrmm/private/;
    }

    # Also internal-only; serves the reporting assets directory.
    location /assets/ {
        internal;
        add_header "Access-Control-Allow-Origin" "https://rmm.example.com";
        alias /opt/tactical/reporting/assets/;
    }

    # WebSocket endpoint, proxied to the daphne UNIX socket.
    location ~ ^/ws/ {
        proxy_pass http://unix:/rmm/daphne.sock;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect     off;
        proxy_set_header   Host $host;
        # Behind the external proxy, $remote_addr is the proxy's address
        # (192.168.1.54 in the log above), not the original client.
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
    }

    # NATS WebSocket endpoint, proxied to a local listener on port 9235.
    # The RMM-side log in this issue shows the reset ("104: Connection reset
    # by peer") coming from this upstream, so the request does reach this
    # location through both proxies.
    location ~ ^/natsws {
        proxy_pass http://127.0.0.1:9235;
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # $server_port and $scheme describe THIS listener (8080, http), so
        # these two headers replace whatever the external proxy sent.
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else goes to the uWSGI application via the upstream socket.
    location / {
        uwsgi_pass  tacticalrmm;
        include     /etc/nginx/uwsgi_params;
        # Allow long-running API calls, and keep processing them even if the
        # client disconnects.
        uwsgi_read_timeout 300s;
        uwsgi_ignore_client_abort on;
    }
}

Rmm server > /etc/nginx/sites-available/frontend.conf

# Web UI virtual host on the RMM machine: serves the built single-page app
# from disk over plain HTTP port 80, as the default server. TLS is expected
# to be terminated by the external proxy.
# NOTE(review): the listen directives bind all interfaces, so the UI is also
# reachable directly on the LAN without TLS unless a firewall limits port 80
# to the proxy.
server {
    listen [::]:80 default_server;
    listen 80 default_server;

    access_log /var/log/nginx/frontend-access.log;
    error_log  /var/log/nginx/frontend-error.log;

    charset utf-8;

    location / {
        root /var/www/rmm/dist;

        # Unknown paths fall back to index.html so client-side routes resolve.
        try_files $uri $uri/ /index.html;

        # Tell browsers and intermediaries not to cache the app shell.
        add_header Pragma "no-cache";
        add_header Cache-Control "no-store, no-cache, must-revalidate";
    }

}

Any advice on how to solve my problem would be a great help.

kerem closed this issue 2026-03-14 06:57:37 +03:00