connect_wise_controll
Differences
This shows the differences between two versions of the page.
Next revision | Previous revision | ||
connect_wise_controll [2017/05/13 12:26] – created matthias | connect_wise_controll [unknown date] (current) – removed - external edit (unknown date) 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Connect Wise Control ====== | ||
- | (formerly ScreenConnect) | ||
- | ===== On-premises setup using only port 443 and SSL by Let's Encrypt on Debian Linux with Apache ===== | ||
- | ==== The problem(s) ==== | ||
- | * Mono SSL setup is pretty complicated. | ||
- | * No access to SSL ciphers etc. | ||
- | * No good way to use Let's Encrypt. | ||
- | * Two ports are required, one for the web interface and one for the relay. | ||
- | ==== The solution ==== | ||
- | * Use two IPs to be able to use port 443 for web and relay. | ||
- | * Use Apache (or Nginx) as reverse proxy for the web interface. | ||
- | |||
- | Limitation: " | ||
- | |||
- | Extra: Webinterface could be made reachable by IPv6! | ||
- | |||
- | ==== Requirements on Debian Linux ==== | ||
- | * Two public IP addesses. | ||
- | * Corresponding DNS A records. | ||
- | Example data for this document: | ||
- | ^IP^Name^ | ||
- | |1.2.3.4|web.example.com| | ||
- | |5.6.7.8|relay.exmaple.com| | ||
- | ==== Prepare Let's Encrypt ==== | ||
- | " | ||
- | |||
- | echo "deb http:// | ||
- | apt update | ||
- | And install " | ||
- | apt-get install python-certbot-apache -t jessie-backports | ||
- | ==== Apache configuration ==== | ||
- | |||
- | Port 80 for Let's Encrypt setup. Initially comment out the rewrite rules, run | ||
- | |||
- | certbot --apache | ||
- | |||
- | This will create the file " | ||
- | |||
- | / | ||
- | |||
- | < | ||
- | < | ||
- | ServerName web.example.com | ||
- | |||
- | ServerAdmin webmaster@example.com | ||
- | DocumentRoot / | ||
- | |||
- | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | CustomLog ${APACHE_LOG_DIR}/ | ||
- | |||
- | RewriteEngine on | ||
- | RewriteCond %{SERVER_NAME} = web.example.com | ||
- | RewriteRule ^ https:// | ||
- | </ | ||
- | </ | ||
- | |||
- | It is important to explicitly bind Apache to the IP addresses intended for the web interfaces as Apache by default binds to all IP addresses and we want to use port 443 on the second address for the relay. Run: | ||
- | |||
- | certbot --apache | ||
- | |||
- | and follow the instructions. | ||
- | |||
- | Then modify the file "/ | ||
- | |||
- | < | ||
- | < | ||
- | ServerName web.example.com | ||
- | |||
- | ServerAdmin webmaster@example.com | ||
- | DocumentRoot / | ||
- | |||
- | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | CustomLog ${APACHE_LOG_DIR}/ | ||
- | |||
- | SSLCertificateFile / | ||
- | SSLCertificateKeyFile / | ||
- | Include / | ||
- | |||
- | ProxyPass / http:// | ||
- | ProxyPassReverse / http:// | ||
- | |||
- | </ | ||
- | </ | ||
- | If you want to make the web interface available by IPv6 add: | ||
- | < | ||
- | < | ||
- | ServerName web.example.com | ||
- | |||
- | ServerAdmin webmaster@example.com | ||
- | DocumentRoot / | ||
- | |||
- | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | CustomLog ${APACHE_LOG_DIR}/ | ||
- | |||
- | SSLCertificateFile / | ||
- | SSLCertificateKeyFile / | ||
- | Include / | ||
- | |||
- | ProxyPass / http:// | ||
- | ProxyPassReverse / http:// | ||
- | |||
- | </ | ||
- | |||
- | </ | ||
- | |||
- | ==== Connect Wise Control configuration ==== | ||
- | Edit "/ | ||
- | |||
- | <add key=" | ||
- | </ | ||
- | |||
- | Because we do not want to make the original web interface accessible to the and it should be only reachable by the reverse proxy. | ||
- | |||
- | Add the key " | ||
- | |||
- | <add key=" | ||
- | </ | ||
- | |||
- | Edit the key " | ||
- | |||
- | <add key=" | ||
- | </ | ||
- | |||
- | Add the key " | ||
- | <add key=" | ||
- | </ | ||
- | |||
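Review bot: This whole-page removal, starting at line 1, is recorded in the revision header only as an external edit with an unknown date from 127.0.0.1, with no reason given, and it takes with it the page's instruction to bind Apache explicitly to the web interface address so that port 443 on the second address stays free for the relay. Suggest recording why the page was removed or where the content moved. If the text is restored, the example table row `|5.6.7.8|relay.exmaple.com|` has a misspelled domain next to `web.example.com`, "addesses" in the requirements list is a typo, and the sentence "Because we do not want to make the original web interface accessible to the and it should be only reachable by the reverse proxy." is missing a word after "to the".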
connect_wise_controll.1494678368.txt.gz · Last modified: 2017/05/13 12:26 by matthias