Deploying the remote management tool MeshCentral and configuring an Nginx reverse proxy

st, published on 2021-11-24, 1,807 views


About MeshCentral

MeshCentral's GitHub homepage
MeshCentral is a remote-control solution: you deploy the server yourself and install an agent on every machine you want to control. Remote control is then done through the web UI.
The documentation is a PDF, which always feels a little odd to read.

Docker Compose deployment

MeshCentral has no official Docker image. Someone has built one, but since they also publish the Dockerfile, it is better to build it yourself.

Prepare the Dockerfile, config.json.template and startup.sh, then create docker-compose.yml as needed:

version: '3'
services:
    meshcentral:
        restart: always
        container_name: meshcentral
        build: .
#        image: typhonragewind/meshcentral
        ports:
            - 8085:443
            - 8086:80  #MeshCentral will moan and try everything not to use port 80, but you can also use it if you so desire, just change the config.json according to your needs
        environment:
            - HOSTNAME=meshcentral.stsecurity.moe     #your hostname
            - REVERSE_PROXY=127.0.0.1   #set to your reverse proxy IP if you want to put meshcentral behind a reverse proxy/ or 'false'
            - REVERSE_PROXY_TLS_PORT=443
            - IFRAME=true    #set to true if you wish to enable iframe support
            - ALLOW_NEW_ACCOUNTS=false    #set to false if you want disable self-service creation of new accounts besides the first (admin)
            - WEBRTC=true  #set to true to enable WebRTC - per documentation it is not officially released with meshcentral, but is solid enough to work with. Use with caution
        volumes:
            - ./meshcentral/data:/opt/meshcentral/meshcentral-data    #config.json and other important files live here. A must for data persistence
            - ./meshcentral/user_files:/opt/meshcentral/meshcentral-files    #where file uploads for users live

Configuring the Nginx reverse proxy

Before configuring the reverse proxy, edit ./meshcentral/data/config.json:

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "cert": "meshcentral.stsecurity.moe",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "supersecretstring",
    "port": 443,
    "_aliasPort": 443,
    "redirPort": 80,
    "AgentPong": 300,
    "TLSOffload": "127.0.0.1",
    "SelfUpdate": false,
    "AllowFraming": "true",
    "WebRTC": "true"
  },
  "domains": {
    "": {
    "_title": "MeshCentral",
    "_title2": "stsecurity",
    "_minify": true,
    "NewAccounts": "false",
    "_userNameIsEmail": true,
    "_certUrl": "https://meshcentral.stsecurity.moe/"
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
    "_email": "st@stsecurity.moe",
    "_names": "st",
    "production": false
  }
}

Most of these settings come from the official documentation; the key point is that port and redirPort must correspond to the container ports mapped in docker-compose (443 and 80 here).

Then configure Nginx following the official documentation:

# HTTP server. The server name is set explicitly here.
server {
    listen 80;
    server_name meshcentral.stsecurity.moe;
    location / {
        proxy_pass http://127.0.0.1:8086/;
        proxy_http_version 1.1;

        # Inform MeshCentral about the real host, port and protocol
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
    }
}

# HTTPS server. The server name is set explicitly here.
server {
    listen 443 ssl;
    server_name meshcentral.stsecurity.moe;
    # MeshCentral uses long-standing web socket connections, set longer timeouts.
    proxy_send_timeout 330s;
    proxy_read_timeout 330s;
    # Certificate & key as installed by acme.sh (kept identical to MeshCentral's own copy)
    ssl_certificate /etc/ssl/meshcentralfullchain.cer;
    ssl_certificate_key /etc/ssl/meshcentralkey.key;
    ssl_session_cache shared:WEBSSL:10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:8085/;
        proxy_http_version 1.1;

        # Allows websockets over HTTPS.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Inform MeshCentral about the real host, port and protocol
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }
}
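Three files have to agree for this setup to work: the docker-compose port mappings, the port/redirPort/TLSOffload values in config.json, and the proxy_pass targets in Nginx. The following Python script is an added example (not from the original post and not part of MeshCentral) that cross-checks them. The compose, JSON and Nginx snippets embedded in it are constructed, trimmed-down copies of the configs above; the regex-based parsing is intentionally minimal so the script needs no PyYAML.

```python
"""Cross-check docker-compose port mappings, MeshCentral config.json and the
Nginx proxy_pass targets so the three agree. Added example for this post,
not part of MeshCentral; parsing is deliberately minimal (regex, no PyYAML)."""
import json
import re

# Constructed, trimmed-down copies of the three configs shown in the post.
COMPOSE = """
services:
    meshcentral:
        ports:
            - 8085:443
            - 8086:80
        environment:
            - REVERSE_PROXY=127.0.0.1   #set to your reverse proxy IP
"""

CONFIG_JSON = """
{"settings": {"port": 443, "redirPort": 80, "TLSOffload": "127.0.0.1"}}
"""

NGINX = """
server {
    listen 80;
    location / { proxy_pass http://127.0.0.1:8086/; }
}
server {
    listen 443 ssl;
    location / {
        proxy_pass http://127.0.0.1:8085/;   # plain HTTP into the container
    }
}
"""


def compose_port_map(compose_text):
    """{host_port: container_port} from '- host:container' entries."""
    return {int(h): int(c) for h, c in re.findall(r"-\s*(\d+):(\d+)", compose_text)}


def compose_env(compose_text, name):
    """Value of an 'environment:' entry such as REVERSE_PROXY=..., or None."""
    m = re.search(rf"-\s*{name}=([^\s#]+)", compose_text)
    return m.group(1) if m else None


def nginx_upstreams(nginx_text):
    """{listen_port: host port proxied to on 127.0.0.1} for each server block.
    Tracks brace depth line by line so nested location blocks are handled."""
    result, depth, listen, upstream = {}, 0, None, None
    for line in nginx_text.splitlines():
        line = line.split("#", 1)[0]  # strip comments
        m = re.search(r"\blisten\s+(\d+)", line)
        if m and depth == 1:
            listen = int(m.group(1))
        m = re.search(r"proxy_pass\s+https?://127\.0\.0\.1:(\d+)", line)
        if m:
            upstream = int(m.group(1))
        depth += line.count("{") - line.count("}")
        if depth == 0 and listen is not None:  # server block just closed
            result[listen] = upstream
            listen, upstream = None, None
    return result


def check_consistency(compose_text, config_text, nginx_text):
    """Return a list of problems; an empty list means everything lines up."""
    ports = compose_port_map(compose_text)
    settings = json.loads(config_text)["settings"]
    upstreams = nginx_upstreams(nginx_text)
    problems = []
    # Nginx :443 must reach the container port in "port", :80 the one in "redirPort".
    for listen_port, want in ((443, settings["port"]), (80, settings["redirPort"])):
        host_port = upstreams.get(listen_port)
        if host_port is None:
            problems.append(f"no Nginx server on :{listen_port} proxies to 127.0.0.1")
        elif ports.get(host_port) != want:
            problems.append(
                f"Nginx :{listen_port} -> host :{host_port} -> container "
                f":{ports.get(host_port)}, but config.json expects :{want}")
    # TLSOffload names the proxy whose X-Forwarded-* headers MeshCentral trusts;
    # it should be the same address as REVERSE_PROXY in docker-compose.
    if settings.get("TLSOffload") != compose_env(compose_text, "REVERSE_PROXY"):
        problems.append("TLSOffload in config.json and REVERSE_PROXY in "
                        "docker-compose disagree")
    return problems


if __name__ == "__main__":
    for p in check_consistency(COMPOSE, CONFIG_JSON, NGINX) or ["all consistent"]:
        print(p)
```

To use it on a real deployment, replace the three embedded strings with the contents of docker-compose.yml, ./meshcentral/data/config.json and the Nginx site file; a non-empty problem list is the kind of mismatch that shows up as a web UI that loads over HTTP but not HTTPS, or the other way round.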

There is one very tricky issue here: the certificate Nginx serves is also the one MeshCentral agents use to authenticate the server. If it is not kept identical to the certificate in ./meshcentral/data/, agents will be unable to connect.

To solve this you could of course have Nginx read the certificate directly from the MeshCentral folder, but that is far too ugly. I chose instead to update the certificate in the MeshCentral folder as part of issuing the certificate with acme.sh.

Issuing the certificate works as usual; when installing it, use the following command:

acme.sh --install-cert -d meshcentral.stsecurity.moe \
    --cert-file /etc/ssl/meshcentralcert.cer \
    --key-file /etc/ssl/meshcentralkey.key \
    --fullchain-file /etc/ssl/meshcentralfullchain.cer \
    --ca-file /etc/ssl/meshcentralca.cer \
    --reloadcmd "service nginx force-reload && cp /etc/ssl/meshcentralfullchain.cer /meshcentral/meshcentral/data/webserver-cert-public.crt && cp /etc/ssl/meshcentralkey.key /meshcentral/meshcentral/data/webserver-cert-private.key && docker restart meshcentral"

Besides installing the certificate into the folder I normally use, this command copies the new certificate and key to MeshCentral's location while reloading Nginx, keeping the two in sync. After the copy, the container is restarted automatically so the new certificate takes effect.
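The reloadcmd above copies unconditionally and restarts the container every time. As an added example (not from the original post, and not code from MeshCentral or acme.sh), the Python script below does the same copy but first compares the leaf certificate fingerprints, so you can verify that Nginx and MeshCentral really present the same certificate and only restart the container when something changed. The destination file names and the data directory come from the post's reloadcmd; the PEM bodies built in demo() are constructed dummies, not real certificates, and the key file permissions (0600) are my own choice.

```python
"""Keep the certificate Nginx serves and the one in MeshCentral's data
directory identical, and verify it. Added example for this post, not code
from MeshCentral or acme.sh; destination names follow the post's reloadcmd,
the PEM bodies in demo() are constructed dummies rather than real certs."""
import base64
import hashlib
import os
import re
import shutil
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM file. A fullchain
    file carries leaf + intermediates; only the leaf identifies the server."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def certs_in_sync(nginx_fullchain, mesh_cert):
    """True when Nginx and MeshCentral present the same leaf certificate."""
    with open(nginx_fullchain) as a, open(mesh_cert) as b:
        return leaf_fingerprint(a.read()) == leaf_fingerprint(b.read())


def sync_certs(fullchain, key, data_dir):
    """Copy cert and key into MeshCentral's data dir when the leaf differs.
    Returns True if files were replaced (the container then needs a restart)."""
    dst_cert = os.path.join(data_dir, "webserver-cert-public.crt")
    dst_key = os.path.join(data_dir, "webserver-cert-private.key")
    if os.path.exists(dst_cert) and certs_in_sync(fullchain, dst_cert):
        return False
    shutil.copyfile(fullchain, dst_cert)
    shutil.copyfile(key, dst_key)
    os.chmod(dst_key, 0o600)  # private key: owner read/write only (assumption)
    return True


def pem(der_bytes):
    """Wrap bytes in PEM armor; used only to build constructed sample files."""
    body = base64.b64encode(der_bytes).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def demo():
    """Walk through one renewal with constructed files in a temp directory.
    Returns (first sync, second sync, in-sync after renewal, third sync)."""
    with tempfile.TemporaryDirectory() as tmp:
        fullchain = os.path.join(tmp, "meshcentralfullchain.cer")
        key = os.path.join(tmp, "meshcentralkey.key")
        data_dir = os.path.join(tmp, "data")
        os.mkdir(data_dir)
        with open(fullchain, "w") as f:
            f.write(pem(b"constructed leaf v1") + pem(b"constructed intermediate"))
        with open(key, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        first = sync_certs(fullchain, key, data_dir)    # initial copy
        second = sync_certs(fullchain, key, data_dir)   # nothing changed
        with open(fullchain, "w") as f:                 # acme.sh renewed the cert
            f.write(pem(b"constructed leaf v2") + pem(b"constructed intermediate"))
        stale = certs_in_sync(fullchain, os.path.join(data_dir, "webserver-cert-public.crt"))
        third = sync_certs(fullchain, key, data_dir)
        return first, second, stale, third


if __name__ == "__main__":
    print(demo())
```

In the reloadcmd, the two cp commands can be replaced by a call to this script, running docker restart only when sync_certs returns True; certs_in_sync is also a quick check to run whenever agents suddenly stop connecting after a renewal, since a mismatch there is exactly the failure mode described above.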

Debugging

At first I ran into a problem where access from a PC worked fine but iOS hung on "connecting" forever. Through this Reddit post I found that the cause was a missing proxy_set_header Host $host; in the Nginx config; after adding it, access worked normally.

Last updated 2021-12-07