MeshCentral behind NPM. Everything works except the agents


frogweh

I'm so incredibly frustrated. I have never felt more stupid than I do right now. I have been working on this for about 4 days straight and I CANNOT get it to work no matter what I do. I have a custom Docker network setup coming from a VLAN on my network. NPM works for everything else other than MeshCentral. I can access the site perfectly fine, but the agents can't for whatever reason. I have found forum posts, I have found tutorial videos, I have found EVERYTHING to assist me and I just cannot get it to work at all. I even tried to trace everything I could on the mesh server, and it doesn't even seem like the agent hits the server AT ALL.

 

Everything I've researched that looks promising says to "Follow IbraCorp's tutorial." Well, I did. Guess what, it still doesn't work. Please, someone smarter than me, explain to me why the hell this isn't working.

 

My network equipment is a Dream Machine Pro SE. I have all my Docker containers on VLAN7 and pass that through Unraid to the Docker containers using custom network br0.7. I don't think it's a networking issue because it works for everything else. The only firewall rules that I have to block networks from each other right now just block my DMZ and my IoT networks from all my other networks. That's it.

 

Here is my MeshCentral config file:

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "cert": "sub.domain.com",
    "_WANonly": true,
    "_LANonly": true,
    "sessionKey": "IDontEvenCareIfYouTryToStealThisIllJustMakeANewOneHaHaHa",
    "port": 443,
    "_aliasPort": 443,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "AgentPong": 300,
// I've also tried with TLSOffload on and pointing to NPM docker IP, NPM docker host name, sub.domain.com, and domain.com
    "TLSOffload": false,
    "SelfUpdate": false,
    "AllowFraming": "false",
    "WebRTC": "true",
    "AutoBackup": {
      "backupPath": "/opt/meshcentral/meshcentral-backups",
      "backupInvervalHours": "",
      "keepLastDaysBackup": "",
      "zippassword": ""
    }
  },
  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "_minify": true,
      "NewAccounts": "false",
      "_userNameIsEmail": true,
//I do not have all of these certUrls in my config these are just examples that I've tried
      "certUrl": "https://sub.domain.com:443"
      "certUrl": "https://domain.com:443"
      "certUrl": "https://Nginx-Proxy-Manager-Official:443"
      "certUrl": "https://NPM_Docker_Container_IP:443"
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
    "_email": "[email protected]",
    "_names": "myserver.mydomain.com",
    "production": false
  }
}

 

P.S. I am at my breaking point. I NEVER go to forums for help, I pride myself on being able to figure it out myself but I'm just frustrated. I bet it's something really simple that will take someone else two seconds to figure out. Please be that person, and please tell me what I've done wrong. I don't care about my pride anymore, I just want this thing to work so I can work on all my other containers/services. Thank you to anyone who helps out, I greatly appreciate it.

Link to comment

That's a fair and valid suggestion. I would really like to get it working with NPM because I already have it set up for all my other containers (or at least a fair majority of them), and I don't really want to do all that work over again.

 

I am disinclined to believe that it's due to restrictions on NPM as it's basically just running Nginx with a UI. I have an advanced tab I can access to put in additional headers and the like in NPM, I am just not super well versed with Nginx (hence why I'm using the UI like a plebe) and so I wouldn't know what extra header information might be needed. I would like to clarify that I am definitely not saying you're wrong, I'm just saying that it seems unlikely.

 

Thank you for your suggestion though, I really appreciate you taking the time to reply and assist!

Link to comment
  • Solution

I have figured out my problem. For anyone in the future who may find this, I migrated my domain back from Google Domains to Cloudflare, and used their universal edge certificate. I added my domain as the "reverse proxy" variable in the MeshCentral Docker container so the config.json file pointed it to "https://domain.com:443". I added an agent and it was able to communicate successfully. Also, I didn't switch from NPM to SWAG, so this WILL work with NPM after some finagling around with it. I hope anyone else in the future has better luck than I did getting this working.

Link to comment
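
The certUrl trial and error in this thread can be checked mechanically before restarting the container. The script below is an added example, not part of the original posts and not MeshCentral code: the function name `lint_certurl` and its `agent_host` parameter are hypothetical, the sample configs are constructed, and the rule that certUrl should name the hostname the agents connect to is taken from the solution post above.

```python
import json
from urllib.parse import urlsplit

def lint_certurl(config_text, agent_host):
    """Return findings about certUrl in a MeshCentral config.json (added example)."""
    dups = []

    def pairs(items):
        # json.loads keeps only the last of several identical keys; record them.
        obj = {}
        for key, value in items:
            if key in obj:
                dups.append(key)
            obj[key] = value
        return obj

    try:
        cfg = json.loads(config_text, object_pairs_hook=pairs)
    except json.JSONDecodeError as exc:
        # Strict JSON has no // comments; the posted config disables keys with "_".
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]

    findings = [f"duplicate key '{k}': only the last value is kept" for k in dups]
    domain = cfg.get("domains", {}).get("", {})
    url = domain.get("certUrl")
    if url is None:
        state = "disabled as '_certUrl'" if "_certUrl" in domain else "missing"
        return findings + [f"certUrl is {state} in the default domain"]
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"certUrl scheme is '{parts.scheme}', expected https")
    if (parts.hostname or "").lower() != agent_host.lower():
        findings.append(f"certUrl host '{parts.hostname}' is not the agent-facing "
                        f"host '{agent_host}'")
    return findings

# Constructed samples modelled on the thread; domain.com is the thread's placeholder.
TRIED = '''{"settings": {"port": 443},
 "domains": {"": {
   "certUrl": "https://domain.com:443",
   "certUrl": "https://Nginx-Proxy-Manager-Official:443"}}}'''
WORKING = '{"settings": {"port": 443}, "domains": {"": {"certUrl": "https://domain.com:443"}}}'
COMMENTED = '{"domains": {"": {\n// tried this one\n"certUrl": "https://domain.com:443"}}}'

if __name__ == "__main__":
    for name, text in (("tried", TRIED), ("working", WORKING), ("commented", COMMENTED)):
        print(name, lint_certurl(text, "domain.com"))
```
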
