This is an old revision of the document!


Connect Wise Control

(formerly ScreenConnect)

On-premises setup using only port 443 and SSL certificates from Let's Encrypt on Debian Linux with Apache

The problem(s)

  • Mono SSL setup is pretty complicated.
  • No control over SSL ciphers etc.
  • No good way to use Let's Encrypt.
  • Two ports are required, one for the web interface and one for the relay.

The solution

  • Use two IP addresses so that port 443 can serve both the web interface and the relay.
  • Use Apache (or Nginx) as a reverse proxy in front of the web interface.

Limitation: „Browser URL Check“ on the status page will fail due to the reverse proxy.

Extra: the web interface can also be made reachable over IPv6!

Requirements on Debian Linux

  • Two public IP addresses.
  • Corresponding DNS A records.

Example data for this document:

IP         Name
1.2.3.4    web.example.com
5.6.7.8    relay.example.com

Prepare Let's Encrypt

„certbot“ can be found in the Debian Jessie backports. So add the backports repository:

echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list
apt update

And install „certbot“ for Apache:

apt-get install python-certbot-apache -t jessie-backports

Apache configuration

Port 80 is used for the Let's Encrypt setup. Initially comment out the rewrite rules in the vhost below, then run

certbot --apache

This will create the file „000-default-le-ssl.conf“.

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
	ServerName web.example.com

	ServerAdmin webmaster@example.com
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteCond %{SERVER_NAME} = web.example.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

It is important to explicitly bind Apache to the IP address intended for the web interface: by default Apache binds to all IP addresses, and port 443 on the second address must stay free for the relay. Run:

certbot --apache

and follow the instructions.

Then modify the file „/etc/apache2/sites-enabled/000-default-le-ssl.conf“ to read:

# Bind explicitly to the web IP (1.2.3.4 in the example data above); never use *:443,
# as that would also claim port 443 on the relay IP.
<VirtualHost 1.2.3.4:443>
	ServerName web.example.com

	ServerAdmin webmaster@example.com
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLCertificateFile /etc/letsencrypt/live/web.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/web.example.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

	ProxyPass / http://127.0.0.1:8040/
	ProxyPassReverse / http://127.0.0.1:8040/

</VirtualHost>

If you want to make the web interface available by IPv6 add:

<VirtualHost [2a00:100:200:300::1]:443>
	ServerName web.example.com

	ServerAdmin webmaster@example.com
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLCertificateFile /etc/letsencrypt/live/web.example.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/web.example.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

	ProxyPass / http://127.0.0.1:8040/
	ProxyPassReverse / http://127.0.0.1:8040/

</VirtualHost>
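As an added example that is not part of the original page, the following shell script checks that the socket layout described above actually came out as intended. It parses `ss -ltnp` style output (a constructed sample is embedded so it runs offline; on the live host pipe the real `ss -ltnp` into it) and confirms that nothing listens on the wildcard address on 443 (which would claim the relay IP as well), that Apache is bound to the web IP on 443, that a process other than Apache owns 443 on the relay IP, and that the original web interface listens on 127.0.0.1:8040 only. The IPs 1.2.3.4 and 5.6.7.8 are the page's example data; the process name "apache2" and the port 8040 for the proxied web interface are assumptions taken from the configuration above.

```shell
#!/bin/sh
# Added example, not from the original page: verify the two-IP port 443 layout.
# Usage on a live host:  ss -ltnp | check_listeners WEB_IP RELAY_IP
# Exit status 0 when the layout matches, 1 otherwise; findings are printed.

check_listeners() {
    web_ip=$1
    relay_ip=$2
    awk -v web="$web_ip" -v relay="$relay_ip" '
        BEGIN { wa = web ":443"; ra = relay ":443"; bad = 0 }
        NR == 1 { next }                      # skip the ss header line
        {
            addr = $4; proc = $6              # Local Address:Port and Process columns
            # A wildcard listener on 443 would also take the relay IP.
            if (addr == "0.0.0.0:443" || addr == "*:443" || addr == "[::]:443") {
                print "FAIL: wildcard listener on 443 claims the relay IP: " proc; bad = 1
            }
            if (addr == wa && proc ~ /apache2/) web_ok = 1      # Apache on web IP
            if (addr == ra && proc !~ /apache2/) relay_ok = 1   # relay (mono) on relay IP
            # The original web interface must only be reachable via loopback.
            if (addr == "127.0.0.1:8040") lo_ok = 1
            else if (addr ~ /:8040$/) { print "FAIL: web interface exposed on " addr; bad = 1 }
        }
        END {
            if (!web_ok)   { print "FAIL: Apache is not listening on " wa; bad = 1 }
            if (!relay_ok) { print "FAIL: relay is not listening on " ra; bad = 1 }
            if (!lo_ok)    { print "FAIL: no loopback listener on 127.0.0.1:8040"; bad = 1 }
            exit bad
        }'
}

# Constructed sample of `ss -ltnp` output for a correct layout.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    1.2.3.4:443         0.0.0.0:*         users:(("apache2",pid=1234,fd=4))
LISTEN 0      511    1.2.3.4:80          0.0.0.0:*         users:(("apache2",pid=1234,fd=5))
LISTEN 0      128    5.6.7.8:443         0.0.0.0:*         users:(("mono",pid=2345,fd=9))
LISTEN 0      128    127.0.0.1:8040      0.0.0.0:*         users:(("mono",pid=2345,fd=10))'

# Constructed sample for the default situation: Apache on *:443 and the
# web interface listening on all addresses.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("apache2",pid=1234,fd=4))
LISTEN 0      128    0.0.0.0:8040        0.0.0.0:*         users:(("mono",pid=2345,fd=10))'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_listeners 1.2.3.4 5.6.7.8 && echo "sample OK: layout matches"
printf '%s\n' "$SAMPLE_BAD" | check_listeners 1.2.3.4 5.6.7.8 || echo "sample BAD: layout rejected"
```

The process column is only present when `ss` is run with `-p` (as root); without it the relay check cannot tell Apache from the relay, so always pass `-p`.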

Connect Wise Control configuration

Edit „/opt/screenconnect/web.config“ and change „WebServerListenUri“ to:

<add key="WebServerListenUri" value="http://127.0.0.1:8040/" />

This way the original web interface is not exposed on a public address; it is reachable only through the reverse proxy on the loopback address.

Add the key „WebServerAddressableUri“ to inform Connect Wise Control about the real web interface URL:

<add key="WebServerAddressableUri" value="https://web.example.com/" />

Edit the key „RelayListenUri“ to bind the relay to the additional IP and port 443:

<add key="RelayListenUri" value="relay://5.6.7.8:443/" />

Add the key „RelayAddressableUri“ to inform Connect Wise Control about the real URL and port:

<add key="RelayAddressableUri" value="relay://relay.example.com:443/" />

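As an added example that is not part of the original page or of the ConnectWise product, the script below extracts the four keys discussed above from a web.config file and checks them against the intended layout: WebServerListenUri bound to loopback, WebServerAddressableUri pointing at the public HTTPS name served by Apache, RelayListenUri bound to the relay IP on 443 rather than a wildcard address, and RelayAddressableUri matching the relay DNS name on 443. Two constructed web.config fragments (one correct, one misconfigured) are embedded; the example data web.example.com / relay.example.com / 5.6.7.8 is the page's, and the default-looking values in the bad sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: validate the ConnectWise Control
# web.config keys against the two-IP, port-443-only layout.
# Usage on a live host:
#   check_webconfig /opt/screenconnect/web.config web.example.com 5.6.7.8 relay.example.com

# Print the value of one <add key="..." value="..."> entry (first match).
config_value() {   # $1 = file, $2 = key name
    sed -n "s/.*<add key=\"$2\" value=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

check_webconfig() {   # $1 = file, $2 = web FQDN, $3 = relay IP, $4 = relay FQDN
    f=$1; web_fqdn=$2; relay_ip=$3; relay_fqdn=$4; bad=0
    listen=$(config_value "$f" WebServerListenUri)
    addr=$(config_value "$f" WebServerAddressableUri)
    rlisten=$(config_value "$f" RelayListenUri)
    raddr=$(config_value "$f" RelayAddressableUri)

    # The original web interface must bind to loopback only; Apache fronts it.
    case $listen in
        http://127.0.0.1:*/) ;;
        *) echo "FAIL: WebServerListenUri is '$listen', expected http://127.0.0.1:<port>/"; bad=1 ;;
    esac
    # Clients must be told the public HTTPS name that Apache serves.
    [ "$addr" = "https://$web_fqdn/" ] || { echo "FAIL: WebServerAddressableUri is '$addr', expected https://$web_fqdn/"; bad=1; }
    # The relay must bind to the second IP on 443, never to the wildcard address.
    [ "$rlisten" = "relay://$relay_ip:443/" ] || { echo "FAIL: RelayListenUri is '$rlisten', expected relay://$relay_ip:443/"; bad=1; }
    [ "$raddr" = "relay://$relay_fqdn:443/" ] || { echo "FAIL: RelayAddressableUri is '$raddr', expected relay://$relay_fqdn:443/"; bad=1; }
    return $bad
}

# Constructed sample: the relevant lines of a correctly configured web.config.
GOOD_CONFIG='<configuration>
  <appSettings>
    <add key="WebServerListenUri" value="http://127.0.0.1:8040/" />
    <add key="WebServerAddressableUri" value="https://web.example.com/" />
    <add key="RelayListenUri" value="relay://5.6.7.8:443/" />
    <add key="RelayAddressableUri" value="relay://relay.example.com:443/" />
  </appSettings>
</configuration>'

# Constructed sample of a misconfiguration: web interface on all addresses over
# plain HTTP, relay on the wildcard address and a second port.
BAD_CONFIG='<configuration>
  <appSettings>
    <add key="WebServerListenUri" value="http://+:8040/" />
    <add key="WebServerAddressableUri" value="http://web.example.com:8040/" />
    <add key="RelayListenUri" value="relay://0.0.0.0:8041/" />
    <add key="RelayAddressableUri" value="relay://relay.example.com:8041/" />
  </appSettings>
</configuration>'

write_sample() {   # writes $1 to a temp file and prints its path
    t=$(mktemp) && printf '%s\n' "$1" > "$t" && echo "$t"
}

GOOD_FILE=$(write_sample "$GOOD_CONFIG")
BAD_FILE=$(write_sample "$BAD_CONFIG")
check_webconfig "$GOOD_FILE" web.example.com 5.6.7.8 relay.example.com && echo "good config accepted"
check_webconfig "$BAD_FILE" web.example.com 5.6.7.8 relay.example.com || echo "bad config rejected"
```

Run it after every edit of web.config and before restarting the service; the listen check is the one that matters most, since a wildcard WebServerListenUri silently bypasses the reverse proxy and its TLS settings.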
connect_wise_controll.1494678368.txt.gz · Last modified: 2017/05/13 12:26 by matthias