logo

The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode. Click here for instructions on how to access the new forum.

Welcome Guest! You can not login or register.

Notification

Icon
Error
[Step by Step] Linux, TLS & Nginx.
Options
Go to last post Go to first unread
Previous Topic Next Topic
Paul Moore  
#1 Posted : Wednesday, December 4, 2013 1:00:23 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
The ScreenConnect w/Linux & Mono setup is tricky and is limited due to a lack of support for intermediate certificates.

The fix? Nginx.

Assuming you have it installed, let's dive in. If you're logged in as root, you won't need to prefix commands with "sudo". Replace "domainname" with your domain, removing dots etc. So "forumscreenconnectcom.key" for example. I'll also assume you have the latest OpenSSL installed (1.0.1e)

Step 1.
Create a directory to house the TLS certificate.

Code:
sudo mkdir /etc/nginx/tls
cd /etc/nginx/tls


Step 2.
Create the Server key.

If you want to password protect your key, run ONE of the following 3 commands. You will have to enter this password every time you start Nginx.

Weak Security:
Code:
sudo openssl genrsa -des3 -out domainname.key 1024


High Security:
Code:
sudo openssl genrsa -des3 -out domainname.key 2048


Highest Security (thus slightly slower):
Code:
sudo openssl genrsa -des3 -out domainname.key 4096


It will ask you to provide a password/passphrase. Make it unique, lengthy and cryptographically sound. If you're still managing passwords manually, use 1Password.

If you don't want to password protect your key, run ONE of the following 3 commands. Nginx will start/stop as usual (service nginx restart)

Weak Security:
Code:
sudo openssl genrsa -out domainname.key 1024


High Security:
Code:
sudo openssl genrsa -out domainname.key 2048


Highest Security (thus slightly slower):
Code:
sudo openssl genrsa -out domainname.key 4096


Step 3.
Create the certificate signing request. You will need to give this to a CA. If you'd prefer to self-sign, your certs will not work with ClickOnce deployment without manually adding the cert to the browser store. Completely free, 12 month TLS certificates are available from StartSSL.com.

Code:
sudo openssl req -new -key domainname.key -sha256 -out domainname.csr


You will be asked to provide your country code, state/province, locality/city, company name, OU, common name and email address.

The "common name" is your server's fully qualified domain name (FQDN). So if your SC installation resides at http://screenconnect.mydomain.com/v4, your "common name" is "screenconnect.mydomain.com".

When you're finished with step 3, you'll have a domainname.csr file. Copy/paste the entire contents to your CA, making sure you keep the format/layout.

Step 4.
Remove the passphrase. ONLY FOLLOW THIS STEP IF YOU PASSWORD PROTECTED YOUR KEY

Code:
sudo cp domainname.key domainname.key.org
sudo openssl rsa -in domainname.key.org -out domainname.key


Step 5.
You'll receive your certificate (either in plain text or in a .crt file).

If it's a file, simply copy it to

Code:
/etc/nginx/tls/domainname.crt


If it's in text format... throw the entire text including ---- BEGIN and END ----- lines into your clipboard.

Code:

cd /etc/nginx/tls
vi domainname.crt


Press i to enter insert mode.
Right click to paste your file.
Press ESC twice.
Type :wq
Press Enter.

Step 6.
Create your Nginx config file.

Code:

cd /etc/nginx/sites-enabled/
nano domainname.conf


Right click and paste the following...

Code:

 server {
	# DEFINE OUR PORTS (443) AND SET THIS AS OUR DEFAULT TLS CERTIFICATE
	listen       443 default_server ssl;
    server_name  insert_your_domain_name_here;
    
	## WE'LL BE USING TLS, SO LET'S ENABLE IT.
	ssl on;
	
	## WHERE'S THE CERTIFICATE AND KEY?
	ssl_certificate      /etc/nginx/tls/domainname.crt;
    ssl_certificate_key  /etc/nginx/tls/domainname.key;
	
	## PERFORMANCE OPTIONS
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  5m;
    keepalive_timeout 60;
	
	## SSL/TLS PROTOCOL - POOR DESCRIPTION AS WE WON'T BE USING SSL, ONLY TLSv1.
	ssl_protocols TLSv1;
	
	## TLSv1 AND TLSv1.1;
	# ssl_protocols TLSv1 TLSv1.1;
	
	## TLSv1 AND TLSv1.1 AND TLSv1.2;
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ## ALWAYS SAFER TO DEFINE AN ORDER - THINK CAREFULLY IF YOU DISABLE THIS.
	ssl_prefer_server_ciphers on;
	
	## OUR SUPPORTED CIPHERS.  GOOD FOR A QUALYS "A" RATING (100/95/80/90).
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    
	## WANT A QUALYS "A" RATING (100/100/100/100)? BE SURE TO REMOVE/COMMENT ABOVE LINE, ENABLE TLSv1.2 ONLY AND BE MINDFUL THAT CLICKONCE/JNLP DEPLOYMENT MAY NOT WORK.
	# ssl_ciphers "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA";
	## ENABLE IF YOU INTEND TO USE ELLIPTIC CURVE DHE
	# ssl_ecdh_curve secp521r1;
	
	## OPTIONS
	## ENABLE HSTS - CHROME & FIREFOX ONLY. ONCE ENABLED, ALL SUBSEQUENT REQUESTS WILL BE DIRECTED TO HTTPS.
	# add_header Strict-Transport-Security max-age=86400;

    location / {
		## WHERE ARE WE PASSING OUR REQUEST TO?
		# IN THIS EXAMPLE, THE NATIVE SCREENCONNECT UI IS NO LONGER ACCESSIBLE DIRECTLY.  ALL REQUESTS MUST COME THROUGH NGINX PROXY.
		# BE SURE TO SET SCREENCONNECT WEB.CONFIG FILE TO LISTEN ON 127.0.0.1:PORT.
		proxy_pass http://127.0.0.1:10050/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        client_max_body_size 50m;
        client_body_buffer_size 256k;
        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 90;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
        }
}


Step 7.

Open your web.config file and alter the following line to reflect...

Code:

<add key="WebServerListenUri" value="http://127.0.0.1:10050/">
</add>


Add the following line to ensure installers use the public URI rather than the internal address. [Credit to "weehooey" for spotting this omission.]

Code:

<add key="WebServerAddressableUri" value="https://domain.name/"></add>


Step 8.

When creating sessions, your agent/Host will be prompted to provide a URL to allow the guest to join. You may wish to change the "SessionHelpPanel.InstructionsGuestCodeFormat" value under SC Administration -> Appearance and replace both instances of {0} with your new address & port number. Standard hyperlink restrictions apply.

That's it. Restart ScreenConnect and Nginx ("service screenconnect restart" & "service nginx restart" respectively) and you're done.

Edited by user Saturday, October 18, 2014 5:20:44 PM(UTC)  | Reason: Not specified

ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
thanks 4 users thanked Paul Moore for this useful post.
weehooey on 1/12/2014(UTC), Mike on 3/2/2016(UTC), igor on 10/29/2016(UTC), Will H on 7/25/2017(UTC)

Back to top  
Jeff  
#2 Posted : Monday, December 23, 2013 9:14:08 PM(UTC)
Jeff


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/14/2010(UTC)
Posts: 1,785
Man
Location: Raleigh, NC

Thanks: 8 times
Was thanked: 156 time(s) in 122 post(s)
Thanks so much for taking the time to post this for the community.
ScreenConnect Team
Back to top
WWW BLOG
weehooey  
#3 Posted : Sunday, January 12, 2014 7:10:52 PM(UTC)
weehooey


Rank: Newbie

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 1/11/2014(UTC)
Posts: 3
Canada
Location: Kingston

Thanks: 3 times
Was thanked: 2 time(s) in 2 post(s)
Cresona thank you for posting the detailed Nginx instructions. It got us 90% there.

Support Sessions, ScreenConnect(SC) prompts the Host to "Instruct your guest to navigate to "http://domainname.com:10050/" which is the internal port number but not the correct external (either 80 or 443). How did you get SC to not display the internal port in this instance? Or, did you just tell your users to ignore the port number?
Back to top
thanks 1 user thanked weehooey for this useful post.
Paul Moore on 1/21/2014(UTC)
Paul Moore  
#4 Posted : Sunday, January 12, 2014 7:34:35 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
Go into SC Administration->Appearance and change "SessionHelpPanel.InstructionsGuestCodeFormat"

The {0} within the existing value is replaced dynamically when that variable is used.

Simply replace {0} with the fully qualified domain name (and port number where applicable) for both the href="{0}" and target="_blank">{0}</a>

For example...

Instruct your guest to navigate to "<a href="protocol://domain.name:nginxport" target="_blank">protocol://domain.name:nginxport</a>" and type in the code "{2}", spelled "{3}".
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
thanks 1 user thanked Paul Moore for this useful post.
weehooey on 1/13/2014(UTC)
NetNightmare  
#5 Posted : Tuesday, January 21, 2014 2:55:17 PM(UTC)
NetNightmare


Rank: Newbie

Joined: 1/21/2014(UTC)
Posts: 2
Italy
Location: Rome
Hi,

I am testing your ngnix setup , though I am hitting a major problem , this setup seems to work for the msi\exe client ( don't know the .net one ) , once the screenconnect webservice is set to listen on port 10050 also the java app will be listening on port 10050, though it require a direct connection on that port ( doesn't get proxied ) .

Since I am doing this to achieve SSL protection , obviously the port 10050 is closed to avoid unencrypted access to the web interface , did you circumvent this problem or are you actually not interested on the java functionality ?.

I personally use a linux box and with this setup the support client wont start, it is me doing something wrong here ?

Best Regards

Edited by user Tuesday, January 21, 2014 2:56:54 PM(UTC)  | Reason: Not specified
Back to top
WWW
weehooey  
#6 Posted : Tuesday, January 21, 2014 3:14:22 PM(UTC)
weehooey


Rank: Newbie

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 1/11/2014(UTC)
Posts: 3
Canada
Location: Kingston

Thanks: 3 times
Was thanked: 2 time(s) in 2 post(s)
NetNightmare, if I understand correctly, you need to add this:

Quote:
<add key="WebServerAddressableUri" value="https://domainname.com/"></add>


To your web.config file. The Java app will know to not use the internal Uri and port but the public Uri and port (ie. port your domain/IP and ports 80/443).
Back to top
thanks 1 user thanked weehooey for this useful post.
Paul Moore on 1/21/2014(UTC)
NetNightmare  
#7 Posted : Tuesday, January 21, 2014 3:21:06 PM(UTC)
NetNightmare


Rank: Newbie

Joined: 1/21/2014(UTC)
Posts: 2
Italy
Location: Rome
Hi Weehooey,

Thats exactly what I was missing , it is working flawlessy now

Best Regards
Back to top
WWW
pcheroes  
#8 Posted : Wednesday, April 16, 2014 9:46:19 PM(UTC)
pcheroes


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/15/2014(UTC)
Posts: 18
New Zealand
Location: Hamilton

Was thanked: 1 time(s) in 1 post(s)
Wow I have been looking for something like this for a while!!! Cant wait to give it a try soon!
Back to top
Paul Moore  
#9 Posted : Wednesday, April 16, 2014 10:11:50 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
Buzz if you need any help.

If you haven't already done so, make sure to patch OpenSSL to mitigate the "heartbleed" bug. It's the build date of April 7th 2014 or after you're looking for, not the version particularly. Also worth noting the Qualys test has changed considerably since this was released.

It will still function, but may not rank as high or be compliant with modern specs.
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
Slacker  
#10 Posted : Saturday, April 26, 2014 4:19:41 PM(UTC)
Slacker


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/26/2014(UTC)
Posts: 30
Brazil
Location: RN

Thanks: 3 times
Was thanked: 1 time(s) in 1 post(s)
Thanks for the guide, it worked well, save for a missed step for those with intermediate certs:
cat your_domain_name.crt intermediate.crt >> bundle.crt
Edit the resulting file and separate the certs.

If, like me, you had ssl setup in mono, you can use the httpcfg command to remove it. I also deleted the certs from the /opt/screenconnect/App_Runtime/etc/.mono/httplistener/

Also, the instructions fail to mention copying the key along with the certs, but frankly, if people can't figure that out, they have no business setting this up. hehehe
Back to top
jvanschaack  
#11 Posted : Wednesday, May 7, 2014 3:26:20 PM(UTC)
jvanschaack


Rank: Newbie

Joined: 4/29/2014(UTC)
Posts: 1
Location: New York
Does anyone know what SSL certs are supported for Mono? Which ones don't use intermediate certs?
Back to top
WWW
watchmanmonitoring  
#12 Posted : Monday, July 21, 2014 9:35:59 PM(UTC)
watchmanmonitoring


Rank: Newbie

Joined: 1/1/2014(UTC)
Posts: 3
Man
United States
Location: Baton Rouge, LA

Thanks: 2 times
By following this setup, we are left with a functioning instance of ScreenConnect. Nice!

The admin check page has a failure, which I want to confirm is "ok"

ScreenConnect Web Server

Code:
Web Server Test URL:https://screenconnect.watchmanmonitoring.com/
Web Server Error: Unrecognized server. Not ScreenConnect Web Server.
Relay Test URL: relay://screenconnect.watchmanmonitoring.com:8041/
Relay Error:


I'm thinking this is OK/expected, because the webserver is, indeed, not a ScreenConnect web server, and that the Relay Error being empty is OK too.

Anyone care to confirm deny?
Back to top
WWW BLOG
Slacker  
#13 Posted : Monday, July 21, 2014 9:43:25 PM(UTC)
Slacker


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/26/2014(UTC)
Posts: 30
Brazil
Location: RN

Thanks: 3 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: watchmanmonitoring Go to Quoted Post
By following this setup, we are left with a functioning instance of ScreenConnect. Nice!

<snip>
I'm thinking this is OK/expected, because the webserver is, indeed, not a ScreenConnect web server, and that the Relay Error being empty is OK too.

Anyone care to confirm deny?



From what I remember, there was always a failure there.
FYI, this is no longer necessary if you're running the 4.4 beta.
Back to top
watchmanmonitoring  
#14 Posted : Monday, July 21, 2014 9:52:56 PM(UTC)
watchmanmonitoring


Rank: Newbie

Joined: 1/1/2014(UTC)
Posts: 3
Man
United States
Location: Baton Rouge, LA

Thanks: 2 times
Cool... by "this" which part isn't needed in 4.4.. the whole nginx front-end?
Back to top
WWW BLOG
Slacker  
#15 Posted : Monday, July 21, 2014 10:00:32 PM(UTC)
Slacker


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/26/2014(UTC)
Posts: 30
Brazil
Location: RN

Thanks: 3 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: watchmanmonitoring Go to Quoted Post
Cool... by "this" which part isn't needed in 4.4.. the whole nginx front-end?


Yeah, this procedure is no longer needed in the current 4.4 beta and on to release. I've already changed over with no problems.
Back to top
thanks 1 user thanked Slacker for this useful post.
watchmanmonitoring on 7/21/2014(UTC)
Paul Moore  
#16 Posted : Tuesday, July 22, 2014 11:47:32 AM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
Just to clarify Slacker's point, you'll still need the NGINX proxy... it's the relay & UI check which have been removed from 4.4.
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
Slacker  
#17 Posted : Tuesday, July 22, 2014 12:48:52 PM(UTC)
Slacker


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/26/2014(UTC)
Posts: 30
Brazil
Location: RN

Thanks: 3 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: Cresona Go to Quoted Post
Just to clarify Slacker's point, you'll still need the NGINX proxy... it's the relay & UI check which have been removed from 4.4.


SC has fixed the intermediate cert issue, so NGIX is no longer needed if you're on the latest beta, which is nice.
They've also updated the cert tool. See output stream log for Beta 4.4.6812.

Edited by user Tuesday, July 22, 2014 12:50:32 PM(UTC)  | Reason: Included link
Back to top
Paul Moore  
#18 Posted : Saturday, October 18, 2014 5:22:21 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
Updated to remove references to SSL. Only use protocols >= TLSv1 from now on.

The "poodle" flaw in SSLv3 renders SSL (in its entirety) defunct, insecure and should be avoided.
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
PB_PCN  
#19 Posted : Wednesday, November 19, 2014 9:37:34 PM(UTC)
PB_PCN


Rank: Newbie

Joined: 11/19/2014(UTC)
Posts: 4
United States
Location: Alaska
Running 4.4.7175.5302 or 5.0.7909.5428, unencrypted (TCP 8040) - I'm assuming this is insecure?

Why would this be needed, why would I want to run encrypted? Basic questions, but I'm interested in the answers. Thanks.
Back to top
WWW
Paul Moore  
#20 Posted : Wednesday, November 19, 2014 10:22:26 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
Hey PB_PCN

By default, the Screenconnect UI (shown to your customers) will run on port 8040 over an insecure protocol. The relay runs on port 8041 by default, also over an insecure protocol.

Data for the Screenconnect relay is encrypted "at rest", before it's transferred from one endpoint to another. Adding "in transit" encryption here, like TLS, arguably adds very little in terms of actual security... other than perhaps some integrity & authentication steps.

The ScreenConnect UI however, needs to run over a secure protocol (HTTPS using TLS) to ensure your login credentials aren't leaked whilst in the transport layer. Obviously, anyone with your username/password can access any machines connected to Screenconnect, so this is a vital step. It's not limited to just authentication either. Your browser will pass cookies (used to persist your session state) which also allow anyone in possession to access ScreenConnect's admin UI.

There are other benefits too.

Some firewalls/proxies refuse connections to ports 8040/8041 (not specifically, but in a wider range), so Screenconnect often won't work under those circumstances without modifying the firewall rules. Ports 80 (the relay) & 443 (the UI) are the default ports for HTTP & HTTPS, and are unlikely to be filtered by most firewalls... meaning you'll have fewer deployment issues long term.

It's also much more mature & updated more frequently than MONO (used with the linux version of SC), meaning issues like Heartbleed, Shellshock & the death of SSLv3 are much easier to mitigate.

Purely from an encryption/security standpoint, that's about it.

Out of the box, Screenconnect scales up quite easily (by increasing resources on a single server). NGINX (as a reverse proxy) can also serve as a load balancer, shifting incoming connections between upstream servers (all running SC using the same encryption key, obviously) so during times of excessive load, you can scale out, rather than up. It's more efficient to run 1 $5 VPS and spool up a second when necessary, than 1 $10 VPS which idles and wastes money 99% of the time. Having said that, Screenconnect is VERY efficient already, so this is only really applicable for very large installations of several thousand concurrent connections.

Hope that helps :)
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
PB_PCN  
#21 Posted : Wednesday, November 19, 2014 10:47:56 PM(UTC)
PB_PCN


Rank: Newbie

Joined: 11/19/2014(UTC)
Posts: 4
United States
Location: Alaska
Yes and thank you for that. I appreciate the detail.

It may be worth pursuing this eventually, but I'm wondering if, by changing the install from Mono to NGnix how much it would break upgrades. I assume it would; the install script hosted on SC's side doesn't pull down Mono, but does integrate into it. Am I correct on that? If I were managing thousands of worksations, using NGnix (like Netscaler in the way you describe it, assumedly), it would be worth pursuing.

I think probably what I should do soon is to secure the admin side, going over posts on the forums to help me with that transition. Sounds to me like a public facing web site like SC needs more care and attention than a basic backup and upgrade from time to time. My fault for running it on Ubuntu I expect.
Back to top
WWW
Paul Moore  
#22 Posted : Wednesday, November 19, 2014 11:22:02 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
SC will still download and use Mono... NGINX is just a reverse proxy to it. Unless you configure the ports incorrectly (two services can't share TCP 80, for example), it won't break anything.

Because NGINX listens on 443 and redirects internally to 8040, SC upgrades are virtually seamless; often not requiring any configuration changes to either NGINX or SC.

I run all our SC trials on Ubuntu and from a stability/security standpoint, I can't fault it. It's not quite as lightweight as other distros, but its ease of deployment more than makes up for that.
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
JD7  
#23 Posted : Monday, November 24, 2014 3:35:25 PM(UTC)
JD7


Rank: Newbie

Joined: 11/19/2014(UTC)
Posts: 4
United States

Thanks: 1 times
Thanks for the write up Paul. Everything seems to work great until I try to redirect http to https. Not sure if you have to deal with this but if so how are you handling it? I just want to make sure that regardless of the URL the clients types that it ends up how it needs to be. Example: support.domain.com or http://support.domain.com redirected to https://support.domain.com. I have set in a redirect as such:
Quote:
rewrite ^ https://$server_name$request_uri? permanent;

This handles the redirect, and the .exe downloads, but the final connection is never made. I am guessing it is the relay, but not sure how to handle it.

Thanks again!
Back to top
Paul Moore  
#24 Posted : Tuesday, November 25, 2014 12:09:59 AM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
Hi JD7

Sorry for the late reply.

If you rewrite, you're likely to run into an endless loop. Instead, create a new server block like this.

server {
listen 80;
server_name domain.tld;

location / {
return 301 https://domain.tld$request_uri;
}
}

server {
// original TLS server block, as in step 6 from first post.
}

That way, it'll listen on 80 and it'll 301 redirect to HTTPS.

If your TLS block has an HSTS parameter (and the browser supports it), the user's browser will no longer attempt to contact your domain over 80 until the TTL expires, saving time on redirects. Don't remove the directive though!

None of the above affects the relay however. If the app is downloading but it won't talk to the relay, that suggests either it can't reach the URL or it's incorrect. If it's still giving you grief, buzz me.
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
thanks 1 user thanked Paul Moore for this useful post.
JD7 on 11/25/2014(UTC)
JD7  
#25 Posted : Tuesday, November 25, 2014 3:28:14 AM(UTC)
JD7


Rank: Newbie

Joined: 11/19/2014(UTC)
Posts: 4
United States

Thanks: 1 times
Thanks Paul! No need to be sorry, just grateful you responded. That worked great and took care of both issues. Thanks again for taking time to post the original in the first place.
-JD
Back to top
JD7  
#26 Posted : Tuesday, November 25, 2014 3:54:07 PM(UTC)
JD7


Rank: Newbie

Joined: 11/19/2014(UTC)
Posts: 4
United States

Thanks: 1 times
Thanks Paul! No need to be sorry, just grateful you responded. That worked great and took care of both issues. Thanks again for taking time to post the original in the first place.
-JD
Back to top
meuby  
#27 Posted : Monday, February 23, 2015 10:05:38 PM(UTC)
meuby


Rank: Newbie

Joined: 2/15/2015(UTC)
Posts: 6
United States
Thank you for the excellent write-up. I've walked through it and everything seemed to go the way it was supposed to, but my connection is still being refused. Is there a log being written to help me isolate where the trouble might be?

Output is below (replaced my domain with my_domain_name in the post...can include if it's needed to troubleshoot


openssl s_client -connect my_domain_name:443 </dev/null
connect: Connection refused
connect:errno=111



I have port 443 open on the firewall for my VM, but I'm wondering if maybe it's not open in Ubuntu server? When I run netstat -tuplen the only tcp ports that show LISTEN are 22, 8041, 8042, and 22.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program
name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 14090 -

tcp 0 0 0.0.0.0:8041 0.0.0.0:* LISTEN 0 15850 -

tcp 0 0 127.0.0.1:8042 0.0.0.0:* LISTEN 0 15848 -

tcp6 0 0 :::22 :::* LISTEN 0 14092 -



Thanks again.
Back to top
Paul Moore  
#28 Posted : Monday, February 23, 2015 10:32:46 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
Hi meuby

It doesn't look like NGINX is running.

What happens if you run:
service nginx restart

If the process is dead and won't stop/start, run:
ps aux | grep "nginx"

... and kill the PID.

You may have an NGINX log at:
/var/log/nginx/*

Failing that, drop me a PM and I'll get back to you.
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Back to top
coryasilva  
#29 Posted : Tuesday, March 1, 2016 10:30:45 PM(UTC)
coryasilva


Rank: Newbie

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 3/1/2016(UTC)
Posts: 1
United States
Location: California

Was thanked: 1 time(s) in 1 post(s)
On CentOS 7 I ran into a 502 Bad Gateway error. Enabling this boolean in SELinux resolved the issue

(-P = Persistent)

setsebool httpd_can_network_connect on -P

Thank you so much for the walk through and the force learning of nginx; I really like it.
Back to top
WWW
thanks 1 user thanked coryasilva for this useful post.
Mike on 3/2/2016(UTC)
881314  
#30 Posted : Friday, June 16, 2017 3:16:14 PM(UTC)
881314


Rank: Member

Joined: 1/22/2013(UTC)
Posts: 12

Thanks: 2 times
Hi All,

My SC Server is behind a nginx reverse proxy, ClickOnce has not been working since the setup 3 years ago. All other functionalities are working fine. Can any help with this? Below is my system specs and configs. SSL is installed on Nginx not in SC.

Nginx 1.12.0 on CentOS 7 x64
ScreenConnect_6.2.12963.6312 on CentOS 7 x64

nginx.conf
Code:

http {
    include       mime.types;
}

 server {
        listen 443 ssl;

        if ($host != "s.domain.net") {
        return 403;
        }


        server_name x.domain.net;


        ssl_certificate /opt/ssl/x_domain_bundle.crt;
        ssl_certificate_key /opt/ssl/ScreenConnectPrivateKey.key;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        keepalive_timeout 60;

        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

        ssl_ecdh_curve secp521r1;
        ssl_session_tickets off;
        ssl_stapling on; 
        ssl_stapling_verify on;
        resolver 192.168.20.1 8.8.8.8 valid=300s;
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Content-Type-Options nosniff;

        ssl_dhparam /opt/ssl/dhparam.pem;

        location / {
            proxy_pass http://192.168.20.9:443;
            proxy_redirect off;
            proxy_buffering off;
            proxy_intercept_errors  on;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         }


mime.type
Code:

types{
    application/atom+xml                  atom;
    application/json                      json map topojson;
    application/ld+json                   jsonld;
    application/rss+xml                   rss;
    application/vnd.geo+json              geojson;
    application/xml                       rdf xml;
    application/x-ms-application          application;
    application/x-ms-application          manifest;

  # JavaScript
    application/javascript                js;


  # Manifest files
    application/manifest+json             webmanifest;
    application/x-web-app-manifest+json   webapp;
    text/cache-manifest                   appcache;


    image/x-icon                          cur ico;

    application/msword                                                         doc;
    application/vnd.ms-excel                                                   xls;
    application/vnd.ms-powerpoint                                              ppt;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;


    application/font-woff                 woff;
    application/font-woff2                woff2;
    application/vnd.ms-fontobject         eot;

    application/x-ms-vsto                 .vsto


    application/x-font-ttf                ttc ttf;
    font/opentype                         otf;

    application/java-archive              ear jar war;
    application/mac-binhex40              hqx;
    application/microsoftpatch            msp;
    application/microsoftupdate           msu;

    application/octet-stream              bin deb dll dmg exe img iso msi msm safariextz deploy;
    application/pdf                       pdf;
    application/postscript                ai eps ps;
    application/rtf                       rtf;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.wap.wmlc              wmlc;
    application/x-7z-compressed           7z;
    application/x-bb-appworld             bbaw;
    application/x-bittorrent              torrent;
    application/x-chrome-extension        crx;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-opera-extension         oex;
    application/x-perl                    pl pm;
    application/x-pilot                   pdb prc;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            crt der pem;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xslt+xml                  xsl;
    application/zip                       zip;
    text/css                              css;
    text/csv                              csv;
    text/html                             htm html shtml;
    text/markdown                         md;
    text/mathml                           mml;
    text/plain                            txt;
    text/vcard                            vcard vcf;
    text/vnd.rim.location.xloc            xloc;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/vtt                              vtt;
    text/x-component                      htc;

}


web.config
Code:

    <add key="WebServerListenUri" value="http://+:443/">
    </add>
    <add key="WebServerAddressableUri" value="https://x.domain.net/">
    </add>
    <add key="RelayListenUri" value="relay://+:80/">
    </add>
    <add key="RelayAddressableUri" value="relay://y.domain.net:80/">





ClickOnce error message
Code:

PLATFORM VERSION INFO
	Windows 			: 10.0.14393.0 (Win32NT)
	Common Language Runtime 	: 4.0.30319.42000
	System.Deployment.dll 		: 4.6.1586.0 built by: NETFXREL2
	clr.dll 			: 4.6.1648.0 built by: NETFXREL3STAGE
	dfdll.dll 			: 4.6.1586.0 built by: NETFXREL2
	dfshim.dll 			: 10.0.14393.0 (rs1_release.160715-1616)

SOURCES
	Deployment url			:  https://x.domain.net/Bin/ScreenConnect.Client.application?x=y.domain.net&p=80&k=BgIAAACkAABSU0ExAAgAABEAAAA1GjlBvdzEL4Vo4%2Bb6s1oX0lQR0OsgWRZd2xuzDlU6e%2Fz9tKHI9zKp7u%2F02fau1f8ERgO0mmdQ8ZWVrC%2FiF2%2B4ga4HmkfK2T2LN1bKQ05YZ0uUi1Hor0uiPN3DVOR%2Fmk7%2ByBB8nD8551OryUf2bSG8NYAhuSQm4H9PLYeMx0s07oV%2BkUfZuBtM%2FKNWr1B%2FzefIlVG%2FC6zkArrnEXWUpLrCgsL58fiJ%2Bt6dEAg%2BPlDDeNkzjxtH0RiT%2FtALy0MuERHgssAyTxkx2N2xH43T6eVOoEQ6gyh8fkWImGOqRJt7JEpoTtkexBz6SZcsJrNc1Cblo6nTVdNqpAmJOSHPTanY&s=4f6b65c5-bb8a-4eb6-9b2d-7153799da32a&i=Test&e=Support&y=Guest&r=
						Server		: nginx

IDENTITIES
	Deployment Identity		: ScreenConnect.WindowsClient.application, Version=6.2.12963.6312, Culture=neutral, PublicKeyToken=2c2536e5112611c9, processorArchitecture=msil

APPLICATION SUMMARY
	* Online only application.
	* Trust url parameter is set.
ERROR SUMMARY
	Below is a summary of the errors, details of these errors are listed later in the log.
	* Activation of  https://x.domain.net/Bin/ScreenConnect.Client.application?x=y.domain.net&p=80&k=BgIAAACkAABSU0ExAAgAABEAAAA1GjlBvdzEL4Vo4%2Bb6s1oX0lQR0OsgWRZd2xuzDlU6e%2Fz9tKHI9zKp7u%2F02fau1f8ERgO0mmdQ8ZWVrC%2FiF2%2B4ga4HmkfK2T2LN1bKQ05YZ0uUi1Hor0uiPN3DVOR%2Fmk7%2ByBB8nD8551OryUf2bSG8NYAhuSQm4H9PLYeMx0s07oV%2BkUfZuBtM%2FKNWr1B%2FzefIlVG%2FC6zkArrnEXWUpLrCgsL58fiJ%2Bt6dEAg%2BPlDDeNkzjxtH0RiT%2FtALy0MuERHgssAyTxkx2N2xH43T6eVOoEQ6gyh8fkWImGOqRJt7JEpoTtkexBz6SZcsJrNc1Cblo6nTVdNqpAmJOSHPTanY&s=4f6b65c5-bb8a-4eb6-9b2d-7153799da32a&i=Test&e=Support&y=Guest&r= resulted in exception. Following failure messages were detected:
		+ Exception reading manifest from  https://x.domain.net/Bin/ScreenConnect.Client.manifest: the manifest may not be valid or the file could not be opened.
		+ Manifest XML signature is not valid.
		+ The digital signature of the object did not verify.


COMPONENT STORE TRANSACTION FAILURE SUMMARY
	No transaction error was detected.

WARNINGS
	There were no warnings during this operation.

OPERATION PROGRESS STATUS
	* [17/06/2017 12:40:02 AM] : Activation of https://x.domain.net/Bin/ScreenConnect.Client.application?x=y.domain.net&p=80&k=BgIAAACkAABSU0ExAAgAABEAAAA1GjlBvdzEL4Vo4%2Bb6s1oX0lQR0OsgWRZd2xuzDlU6e%2Fz9tKHI9zKp7u%2F02fau1f8ERgO0mmdQ8ZWVrC%2FiF2%2B4ga4HmkfK2T2LN1bKQ05YZ0uUi1Hor0uiPN3DVOR%2Fmk7%2ByBB8nD8551OryUf2bSG8NYAhuSQm4H9PLYeMx0s07oV%2BkUfZuBtM%2FKNWr1B%2FzefIlVG%2FC6zkArrnEXWUpLrCgsL58fiJ%2Bt6dEAg%2BPlDDeNkzjxtH0RiT%2FtALy0MuERHgssAyTxkx2N2xH43T6eVOoEQ6gyh8fkWImGOqRJt7JEpoTtkexBz6SZcsJrNc1Cblo6nTVdNqpAmJOSHPTanY&s=4f6b65c5-bb8a-4eb6-9b2d-7153799da32a&i=Test&e=Support&y=Guest&r= has started.
	* [17/06/2017 12:40:02 AM] : Processing of deployment manifest has successfully completed.
	* [17/06/2017 12:40:02 AM] : Installation of the application has started.

ERROR DETAILS
	Following errors were detected during this operation.
	* [17/06/2017 12:40:02 AM] System.Deployment.Application.InvalidDeploymentException (ManifestParse)
		- Exception reading manifest from https://x.domain.net/Bin/ScreenConnect.Client.manifest: the manifest may not be valid or the file could not be opened.
		- Source: System.Deployment
		- Stack trace:
			at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri)
			at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
			at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
			at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
			at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
			at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
		--- Inner Exception ---
		System.Deployment.Application.InvalidDeploymentException (SignatureValidation)
		- Manifest XML signature is not valid.
		- Source: System.Deployment
		- Stack trace:
			at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)
			at System.Deployment.Application.ManifestReader.FromDocument(String localPath, ManifestType manifestType, Uri sourceUri)
		--- Inner Exception ---
		System.Security.Cryptography.CryptographicException
		- The digital signature of the object did not verify.

		- Source: System.Deployment
		- Stack trace:
			at System.Deployment.Internal.CodeSigning.SignedCmiManifest.Verify(CmiManifestVerifyFlags verifyFlags)
			at System.Deployment.Application.Manifest.AssemblyManifest.ValidateSignature(Stream s)

COMPONENT STORE TRANSACTION DETAILS
	No transaction information is available.







Back to top
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2019, Yet Another Forum.NET