• Recent
    • Tags
    • Popular
    • Register
    • Login

    Please Note This forum exists for community support for the Mango product family and the Radix IoT Platform. Although Radix IoT employees participate in this forum from time to time, there is no guarantee of a response to anything posted here, nor can Radix IoT, LLC guarantee the accuracy of any information expressed or conveyed. Specific project questions from customers with active support contracts are asked to send requests to support@radixiot.com.

    Radix IoT Website Mango 3 Documentation Website Mango 4 Documentation Website Mango 5 Documentation Website

    Cloud Connect Help

    User help
    3
    17
    1.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cmason
      last edited by

      I've followed through the few threads on here trying to setup cloud connect. Mainly this one https://forum.infiniteautomation.com/topic/3812/cloud-connect-401-403-errors

      I've managed to get my cloud connect client to connect to my cloud connect server, though that's about it.
      For background, the server is sitting behind a firewall and I have registered a subdomain.domain name for it. For browser traffic, 80,443 etc, the firewall routes this to a reverse proxy on another machine behind the firewall, and that takes care of users accessing the UI over the web. For the cloud connect I've just set the firewall to bypass the reverse proxy and route all 9005 traffic (the port the cloud connect server is listening on) to the mango server. This seems to be working fine.

      My issue is trying to open a web browser to the client. Whenever I go to the connected clients page, and click the 'open client' button, it just takes me straight to another window with a nonsense url and says it can't find the IP. The URL in the opened window is 'GUID.hostname'. (GUID being the GUID of the client and hostname being the host name of the server). I've followed the settings in the linked thread. I've also tried a all sorts of other combinations but every time it just opens the window with the same url. My understanding is that it should be opening the window with something like 'GUID.mysubomain.mydomain'.

      Also I'm not sure exactly what settings need to be in the proxy, I've attached what I've got so far as at this stage trying to connect in general seems to be the first hurdle. Any help much appreciated.
      2_1598400684031_Proxy Settings.png 1_1598400684031_Cloud Connect Window.png 0_1598400684030_Cloud Connect Client.png

      1 Reply Last reply Reply Quote 0
      • MattFoxM
        MattFox
        last edited by

        Have you done a DNS lookup to see if an IP even matches that URL?

        Do not follow where the path may lead; go instead where there is no path.
        And leave a trail - Muriel Strode

        C 1 Reply Last reply Reply Quote 0
        • C
          cmason @MattFox
          last edited by

          @mattfox said in Cloud Connect Help:

          Have you done a DNS lookup to see if an IP even matches that URL?

          Yeah it doesn't, that's kind of the problem. my subdomain.domain is valid. But my the host name 'mangoHTSXXXXX' is just a hostname.
          According to the other thread I should be getting 'GUID.subdomain.domain'.

          1 Reply Last reply Reply Quote 0
          • MattFoxM
            MattFox
            last edited by

            Show your env.properties settings. let's compare to see if you missed anything or need to amend anything...
            feel free to change the domain name as long as it matches your pattern
            Fox

            Do not follow where the path may lead; go instead where there is no path.
            And leave a trail - Muriel Strode

            C 1 Reply Last reply Reply Quote 0
            • C
              cmason @MattFox
              last edited by

              @mattfox thanks man

              Here's the overrides env.properties files

              #    Copyright (C) 2014 Infinite Automation Systems Inc. All rights reserved.
#    @author Matthew Lohbihler

###############################################################################
# TO OVERRIDE VALUES IN THIS FILE...
#
# Do not change the values in this file, because when you upgrade your core 
# your changes will be overwritten. Instead, create a new file called 
# <MA_HOME>/overrides/properties/env.properties and override properties 
# there. The overrides directory will never be overwritten by an upgrade, so 
# your customizations will be safe.
# 
###############################################################################

# The port at which Mango Automation will listen for browser connections
web.port=80
# The host interface to which Mango Automation will bind and listen for new connections
#  0.0.0.0 is the special interface that will force a bind to all available interfaces
web.host=0.0.0.0

# Should Mango Automation open (if possible) a browser window when it starts up?
web.openBrowserOnStartup=true

# Set this to true if you are running Mango behind a reverse proxy that sends "Forwarded" or "X-Forwarded-*" headers.
# This includes accessing Mango via Cloud Connect module. By default only requests from localhost are trusted.
web.forwardedHeaders.enabled=true
# Set a comma separated list of IP ranges from which to trust Forwarded headers
web.forwardedHeaders.trustedIpRanges=127.0.0.0/8,::1,10.1.1.0/24

# HTTP session (authentication) cookie name and domain name settings.
#
# Use the Mango GUID as the session cookie name
sessionCookie.useGuid=true
# Set the domain name that the cookie is valid for, can be used to make the session login valid for subdomains too.
# If left blank the session cookie can only be used for the domain that you login at.
sessionCookie.domain=.mango.abc.wyxz.nz

# Default database settings, NOTE that on windows this must be an absolute path
db.type=h2
db.url=jdbc:h2:${ma.home}/databases/mah2
db.location=${ma.home}/databases/mah2
db.username=
db.password=
#For web console
db.web.start=false
db.web.port=8091

#General Database Settings
db.pool.maxActive=100
db.pool.maxIdle=10
db.update.log.dir=${ma.home}/logs/
# setting to show query times in the logs as INFO
db.useMetrics=false

#--The following database properties are for RQL REST queries and can be changed during runtime and will be picked up at most in 5s--
#Force the use of indexes (Experimental and only on MySQL so far)
db.forceUseIndex=true
#Tell the jdbc driver to fetch this many rows at a time, useful over network connected dbs (Not MySQL)
# negative values will force use jdbc driver default
db.fetchSize=-1
#Tell the database to not return the entire result set (or fetch blocks) but to return row by row
# can slow down performance on network systems but reduce memory footprint for large queries
db.stream=false
#-- End auto-reloading Database Properties --

# MySQL database settings. Your MySQL instance must already be running and configured before this can be used.
#db.type=mysql
#db.url=jdbc:mysql://localhost/<your mysql schema name>
#db.username=<your mysql username>
#db.password=<your mysql password>
#db.mysqldump=<location/command for mysqldump executable for backups>
#db.mysql=<location/command for mysql executable for restore>

# Database settings for conversion. If the db.* settings point to a new database instance, and the convert type setting
# is set, Mango Automation will attempt to convert from the convert.db.* settings to the db.* settings
# Note that database conversions should not be performed in the same step as an upgrade. First upgrade, then convert.
convert.db.type=
convert.db.url=${convert.db.url}
convert.db.username=${convert.db.username}
convert.db.password=${convert.db.password}

#Set the base path for where the NoSQL data will be stored
db.nosql.location=${ma.home}/databases/
#Set the folder name of the point value store
db.nosql.pointValueStoreName=mangoTSDB
#Set the number of files the database can have open at one time
db.nosql.maxOpenFiles=500
#Time after which a shard will be closed
db.nosql.shardStalePeriod=36000000
#Period to check for stale shards
db.nosql.flushInterval=300000
#Query Performance Tuning, File Access Type: Available[INPUT_STREAM,FILE_CHANNEL,RANDOM_ACCESS_FILE,MAPPED_BYTE_BUFFER]
db.nosql.shardStreamType=INPUT_STREAM
#Setting to speed up NoSQL queries at the expense of a small increase in disk usage
db.nosql.reversible=false
#Setting this will convert your existing point value store [NONE, REVERSIBLE, UNREVERSIBLE]
db.nosql.convert=NONE
#Number of concurrent threads to use to convert the database
db.nosql.convertThreads=4
#Run the corruption scan if the db is marked dirty
db.nosql.runCorruptionOnStartupIfDirty=false

#Password encryption scheme [BCRYPT, SHA-1, NONE]
#Legacy is SHA-1, 2.8+ BCRYPT
#security.hashAlgorithm=BCRYPT

# The location of the Mango Automation store from which to get license files.
store.url=https://store.infiniteautomation.com

# SSL control
ssl.on=false
ssl.port=8443
ssl.keystore.location=/location/to/keystore/file.jks
ssl.keystore.password=freetextpassword

# System time zone. Leave blank to use default VM time zone.
timezone=

#Rest API Configuration
rest.enabled=true
#For using other than timestamp
rest.customDateOutputFormat=YYYY-MM-dd HH:mm:ss.SSS Z
rest.customDateInputFormat=YYYY-MM-dd HH:mm:ss.SSS Z
#Enable to make JSON More readable
rest.indentJSON=false
#Cross Origin Request Handling
rest.cors.enabled=false
rest.cors.allowedOrigins=*,localhost
rest.cors.allowedMethods=PUT,POST,GET,OPTIONS,DELETE
rest.cors.allowedHeaders=LOGOUT,PASSWORD
rest.cors.exposedHeaders=
rest.cors.allowCredentials=true
rest.cors.maxAge=3600

#For rest API Documentation at /swagger/index.html
swagger.enabled=true
#Regex Patter to scan for REST API endpoints for Swagger to document/display
swagger.mangoApiVersion=v[12]


#Distributor Settings
distributor=IA

#Jetty Thread Pool Tuning
# Time a thread must be idle before killing to keep pool size at minimum
web.threads.msIdleTimeout=10000
# Number of threads to keep around to handle incoming connections
web.threads.minimum=10
# Number of threads allowed to be created to handle incoming requests as needed
web.threads.maximum=200
# Number of Requests To Queue if all threads are busy
web.requests.queueSize=200
# Ping timeout for response from browser
web.websocket.pingTimeoutMs=10000

#Jetty JSP Configuration
# See here for options: http://www.eclipse.org/jetty/documentation/9.2.10.v20150310/configuring-jsp.html
web.jsp.development=true
web.jsp.genStringsAsCharArray=true
web.jsp.trimSpaces=false
web.jsp.classdebuginfo=false
web.jsp.supressSmap=true
web.jsp.compilerClassName=org.apache.jasper.compiler.JDTCompiler
web.jsp.compiler=modern
web.jsp.fork=false
web.jsp.keepgenerated=true

#iFrame Header Control iFrame Header Control 'X-Frame-Options' (case sensitive options)
# SAMEORIGIN - Only allow Mango to embed i-frames when the requesting page was loaded from the Mango domain
# DENY - Do not allow at all
# ANY - Do not even use the header at all 
# One specific domain name can be supplied so that the header becomes: ALLOW-FROM http://foo.bar.com 
web.security.iFrameAccess=SAMEORIGIN

#Regex used to match serial ports so they show up in the menu
serial.port.linux.regex=((cu|ttyS|ttyUSB|ttyACM|ttyAMA|rfcomm|ttyO|COM)[0-9]{1,3}|rs(232|485)-[0-9])
serial.port.linux.path=/dev/
serial.port.windows.regex=
serial.port.windows.path=
serial.port.osx.path=/dev/
serial.port.osx.regex=(cu|tty)..*

#Start data sources in parallel threads
runtime.datasource.startupThreads=4
#Log startup times for runtime manager
runtime.datasource.logStartupMetrics=true
#Log number of aborted polls for a polling data source this often at a minimum (only logged after next aborted poll past this time)
runtime.datasource.pollAbortedLogFrequency=3600000

#Report Javascript Execution Times at INFO Level logging
# add this to log4j.xml   <category name="org.perf4j.TimingLogger"><level value="info"/></category>
runtime.javascript.metrics=false

#Default task queue size for the Real Time Timer, should multiple tasks of the same type be queued up?
# Tasks are rejected from a full queue, a size of 0 means reject multiple instances of the same task
runtime.realTimeTimer.defaultTaskQueueSize=0
#When a task queue is full should the waiting tasks be discarded and replaced with the most recent
runtime.realTimeTimer.flushTaskQueueOnReject=false

#Maximum counts to wait to terminate the thread pool's tasks that are running or queued to run
# each count is 1 second.  So the default of 60 = 1 minute.  Note that the medium and low
# timeout happens first and then the remaining time is spent waiting of the high priority tasks.
# So by setting both to the same value will result in waiting only as long as that value.
runtime.shutdown.medLowTimeout=60
runtime.shutdown.highTimeout=60

              And here's the core env.properties file

              #    Copyright (C) 2014 Infinite Automation Systems Inc. All rights reserved.
#    @author Matthew Lohbihler

###############################################################################
# TO OVERRIDE VALUES IN THIS FILE...
#
# Do not change the values in this file, because when you upgrade your core 
# your changes will be overwritten. Instead, create a new file called 
# <MA_HOME>/overrides/properties/env.properties and override properties 
# there. The overrides directory will never be overwritten by an upgrade, so 
# your customizations will be safe.
# 
###############################################################################

# The port at which Mango Automation will listen for browser connections
web.port=8080
# The host interface to which Mango Automation will bind and listen for new connections
#  0.0.0.0 is the special interface that will force a bind to all available interfaces
web.host=0.0.0.0

# Should Mango Automation open (if possible) a browser window when it starts up?
web.openBrowserOnStartup=true

# Web caching settings

# disable caching
web.cache.noStore=false
web.cache.noStore.rest=true
web.cache.noStore.resources=false

# set max age of cached files in seconds, only if noStore=false
# versioned resources are those with ?v=xxx on the query string
web.cache.maxAge=0
web.cache.maxAge.rest=0
web.cache.maxAge.resources=86400
web.cache.maxAge.versionedResources=31536000

#Upload file size limit (bytes) -1 means no limit
web.fileUpload.maxSize=250000000

# Set this to true if you are running Mango behind a reverse proxy that sends "Forwarded" or "X-Forwarded-*" headers.
# This includes accessing Mango via Cloud Connect module. By default only requests from localhost are trusted.
web.forwardedHeaders.enabled=true
# Set a comma separated list of IP ranges from which to trust Forwarded headers
web.forwardedHeaders.trustedIpRanges=127.0.0.0/8,::1

# Default database settings, NOTE that on windows this must be an absolute path
db.type=h2
db.url=jdbc:h2:${ma.home}/databases/mah2
db.username=
db.password=
#For web console
db.web.start=false
db.web.port=8091
#to compact the database size at shutdown (may take longer but will free up disk space)
db.h2.shutdownCompact=false

#General Database Settings
db.pool.maxActive=100
db.pool.maxIdle=10
db.update.log.dir=${ma.home}/logs/

# setting to show query times in the logs as INFO
db.useMetrics=false
# if set, will only log slow queries, above this threshold in ms. Will be logged at WARN level instead of INFO
db.metricsThreshold=100

#--The following database properties are for RQL REST queries and can be changed during runtime and will be picked up at most in 5s--
#Force the use of indexes (Experimental and only on MySQL so far)
db.forceUseIndex=true
#Tell the jdbc driver to fetch this many rows at a time, useful over network connected dbs (Not MySQL)
# negative values will force use jdbc driver default
db.fetchSize=-1
#Tell the database to not return the entire result set (or fetch blocks) but to return row by row
# can slow down performance on network systems but reduce memory footprint for large queries
db.stream=false
#-- End auto-reloading Database Properties --

# MySQL database settings. Your MySQL instance must already be running and configured before this can be used.
#db.type=mysql
#db.url=jdbc:mysql://localhost/<your mysql schema name>
#db.username=<your mysql username>
#db.password=<your mysql password>
#db.mysqldump=<location/command for mysqldump executable for backups>
#db.mysql=<location/command for mysql executable for restore>

# Database settings for conversion. If the db.* settings point to a new database instance, and the convert type setting
# is set, Mango Automation will attempt to convert from the convert.db.* settings to the db.* settings
# Note that database conversions should not be performed in the same step as an upgrade. First upgrade, then convert.
convert.db.type=
convert.db.url=${convert.db.url}
convert.db.username=${convert.db.username}
convert.db.password=${convert.db.password}

#Set the base path for where the NoSQL data will be stored
db.nosql.location=${ma.home}/databases/
#Set the folder name of the point value store
db.nosql.pointValueStoreName=mangoTSDB
#Set the number of files the database can have open at one time
db.nosql.maxOpenFiles=500
#Time after which a shard will be closed
db.nosql.shardStalePeriod=36000000
#Period to check for stale shards
db.nosql.flushInterval=300000
#Query Performance Tuning, File Access Type: Available[INPUT_STREAM,FILE_CHANNEL,RANDOM_ACCESS_FILE,MAPPED_BYTE_BUFFER]
db.nosql.shardStreamType=MAPPED_BYTE_BUFFER
#Setting to speed up NoSQL queries at the expense of a small increase in disk usage
db.nosql.reversible=true
#Setting this will convert your existing point value store [NONE, REVERSIBLE, UNREVERSIBLE]
db.nosql.convert=NONE
#Number of concurrent threads to use to convert the database
db.nosql.convertThreads=4
#Run the corruption scan if the db is marked dirty
db.nosql.runCorruptionOnStartupIfDirty=false

#Password encryption scheme [BCRYPT, SHA-1, NONE]
#Legacy is SHA-1, 2.8+ BCRYPT
#security.hashAlgorithm=BCRYPT

# The location of the Mango Automation store from which to get license files.
store.url=https://store.infiniteautomation.com

# SSL control

# *** NOTE ***
# You can generate a self-signed certificate for testing using the following command
# keytool -genkey -keyalg RSA -alias mango -keystore /location/to/keystore/file.jks -validity 365 -keysize 2048

# Enter keystore password: {type your keystore password <ENTER>}
# Re-enter new password: {type your keystore password <ENTER>}
# What is your first and last name?
#   [Unknown]: {the hostname mango is running on e.g. mymangotest.com OR localhost <ENTER>}
# What is the name of your organizational unit?
#   [Unknown]: {e.g. Mango testing <ENTER>}
# What is the name of your organization?
#   [Unknown]: {e.g. Infinite Automation Systems Inc. <ENTER>}
# What is the name of your City or Locality?
#   [Unknown]: {e.g. Erie <ENTER>}
# What is the name of your State or Province?
#   [Unknown]: {e.g. Colorado <ENTER>}
# What is the two-letter country code for this unit?
#   [Unknown]: {e.g. US <ENTER>}
# Is CN=localhost, OU=Development, O=Infinite Automation Systems Inc., L=Erie, ST=Colorado, C=US correct?
#   [no]:  {type yes <ENTER>}
# 
# Enter key password for <mango>
#         (RETURN if same as keystore password): {type your key password or just press <ENTER>}

# Note: Enabling SSL also turns on HSTS which may not be desirable, see below
ssl.on=false
ssl.port=8443
ssl.keystore.watchFile=true
ssl.keystore.location=overrides/keystore.p12
ssl.keystore.password=freetextpassword
# If they key password is commented out, it is assumed to be the same as the keystore password
#ssl.key.password=
#Time socket can be idle before being closed (ms)
ssl.socketIdleTimeout=70000

#Enable ALPN (Application-Layer Protocol Negotiation) for HTTP/2
# on current browsers HTTP/2 is only available for TLS/SSL connections.
# Note that with this setting you must also have the ALPN script extension enabled for Mango to start on pre Java 10.
# (Adds -javaagent:${MA_HOME}/boot/jetty-alpn-agent.jar to the java options)
# If you are running on Java 10+ this library is not required and will actually cause problems, so make sure you don't use that extension.
ssl.alpn.on=true
#Show debug output for alpn connections in log
ssl.alpn.debug=false

# Configure HSTS (HTTP Strict Transport Security)
# Enabled by default when ssl.on=true
# Sets the Strict-Transport-Security header, web browsers will always connect using HTTPS when they
# see this header and they will cache the result for max-age seconds
ssl.hsts.enabled=true
ssl.hsts.maxAge=31536000
ssl.hsts.includeSubDomains=false

# System time zone. Leave blank to use default VM time zone.
timezone=

#Rest API Configuration
rest.enabled=true

#Enable to make JSON More readable
rest.indentJSON=false
#Cross Origin Request Handling
rest.cors.enabled=false
rest.cors.allowedOrigins=
rest.cors.allowedMethods=PUT,POST,GET,OPTIONS,DELETE,HEAD
rest.cors.allowedHeaders=content-type,x-requested-with,authorization
rest.cors.exposedHeaders=
rest.cors.allowCredentials=false
rest.cors.maxAge=3600
# disable browser redirects
rest.disableErrorRedirects=false
# enable test endpoints
rest.testMode=false

# Limits the rate at which an unauthenticated IP address can access the REST API
# Defaults to an initial 10 request burst then 2 requests per 1 second thereafter
rateLimit.rest.anonymous.enabled=true
rateLimit.rest.anonymous.burstQuantity=40
rateLimit.rest.anonymous.quanitity=5
rateLimit.rest.anonymous.period=1
rateLimit.rest.anonymous.periodUnit=SECONDS

# Limits the rate at which an authenticated user can access the REST API
# Disabled by default
rateLimit.rest.user.enabled=false
rateLimit.rest.user.burstQuantity=20
rateLimit.rest.user.quanitity=10
rateLimit.rest.user.period=1
rateLimit.rest.user.periodUnit=SECONDS

# Limits the rate at which authentication attempts can occur by an IP address
# Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter
rateLimit.authentication.ip.enabled=true
rateLimit.authentication.ip.burstQuantity=5
rateLimit.authentication.ip.quanitity=1
rateLimit.authentication.ip.period=1
rateLimit.authentication.ip.periodUnit=MINUTES

# Limits the rate at which authentication attempts can occur against a username
# Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter
rateLimit.authentication.user.enabled=true
rateLimit.authentication.user.burstQuantity=5
rateLimit.authentication.user.quanitity=1
rateLimit.authentication.user.period=1
rateLimit.authentication.user.periodUnit=MINUTES

#For rest API Documentation at /swagger-ui.html
swagger.enabled=false
#path to api-docs for swagger tools, will be appended to base REST api version URL i.e. /rest/v1/
springfox.documentation.swagger.v2.path=/swagger/v2/api-docs
# Require authentication to access Swagger API documentation.
# If you set this to false then you can use an authentication token (generated on the Mango Users page) from the swagger UI instead.
# To use, enter: Bearer <space> <token value> into the Authorize value input in the swagger ui
swagger.apidocs.protected=true

#Distributor Settings
distributor=IA

#Jetty Thread Pool Tuning
# Time a thread must be idle before killing to keep pool size at minimum
web.threads.msIdleTimeout=30000
# Number of threads allowed to be created to handle incoming requests as needed (defaults to 10x number of processors, or 200, whichever is greater)
web.threads.maximum=
# Number of threads to keep around to handle incoming connections (defaults to max threads, or 8, whichever is lesser)
web.threads.minimum=
# Number of Requests To queue if all threads are busy (defaults 1280)
web.requests.queueSize=
# Ping timeout for response from browser
web.websocket.pingTimeoutMs=10000
#Time socket can be idle before being closed (ms)
web.socketIdleTimeout=70000

#Jetty QoS filter settings 
# https://www.eclipse.org/jetty/documentation/current/qos-filter.html
# Filter enabled setting
web.qos.enabled=false
#The maximum number of requests to be serviced at a time. The default is 10.
web.qos.maxRequests=10
#The length of time, in milliseconds, to wait while trying to accept a new request. Used when the maxRequests limit is reached. Default is 50 ms
web.qos.waitMs=50
#Length of time, in milliseconds, that the request will be suspended if it is not accepted immediately. If set to -1, the container default timeout applies. Default is 30000 ms.
web.qos.suspendMs=30000

#Jetty DoS filter settings 
# https://www.eclipse.org/jetty/documentation/current/dos-filter.html
# Filter enabled setting
web.dos.enabled=false
#Maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. Default is 25.
web.dos.maxRequestsPerSec=75
#Delay imposed on all requests over the rate limit, before they are considered at all
#  100ms default, -1 = Reject request, 0 = no delay, any other value is delay in ms
web.dos.delayMs=100
#Length of time, in ms, to blocking wait for the throttle semaphore. Default is 50 ms.
web.dos.maxWaitMs=50
#Number of requests over the rate limit able to be considered at once. Default is 5.
web.dos.throttledRequests=5
#Length of time, in ms, to async wait for semaphore. Default is 30000.
web.dos.throttleMs=30000
#Length of time to let the request run, default is 30000 (Keep above 60s for DWR Long Poll to work in legacy UI) 
web.dos.maxRequestMs=120000
#Length of time, in ms, to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it. Default is 30000.
web.dos.maxIdleTrackerMs=30000
#If true, insert the DoSFilter headers into the response. Defaults to true.
web.dos.insertHeaders=true
#If true, usage rate is tracked by session if a session exists. Defaults to true.
web.dos.trackSessions=true
#If true and session tracking is not used, then rate is tracked by IP and port (effectively connection). Defaults to false.
web.dos.remotePort=false
#A comma-separated list of IP addresses that will not be rate limited.
# Note: These are actual client IPs when behind a proxy server if you configure web.forwardedHeaders.trustedIpRanges to trust your proxy's IP
web.dos.ipWhitelist=

#Jetty Low Resource Management (Used to attempt to free resources when under heavy load)
# https://www.eclipse.org/jetty/documentation/current/limit-load.html
web.lowResource.enabled=false
# Period in ms to check for a low resource condition, default 10000
web.lowResource.checkPeriod=10000
# In low resource condition all existing connection idle timeouts are set to this value, default 1000
web.lowResource.lowResourcesIdleTimeout=1000
# check connectors executors to see if their ThreadPool instances that are low on threads, default true
web.lowResource.monitorThreads=true
# The maximum memory in bytes that Java is allowed to use before the low resource condition is triggered.
# If left empty, the default is 90% of the maximum memory the JVM is configured to use.
# Set to 0 to disable the memory usage checks.
web.lowResource.maxMemory=
# The time in milliseconds that a low resource state can persist before the low resource idle timeout is reapplied to all connections, default 5000
web.lowResource.maxLowResourceTime=5000
# If false, new connections are not accepted while in low resources
web.lowResource.acceptingInLowResources=true

# Maximum number of allowed connections, defaults to 0 (disabled)
web.connectionLimit=0

# Jetty JSP servlet configuration (init parameters)
# See for descriptions
# https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-webapp/src/main/config/etc/webdefault.xml
web.jsp.development=true
web.jsp.genStringsAsCharArray=true
web.jsp.trimSpaces=false
web.jsp.classdebuginfo=false
web.jsp.supressSmap=true
web.jsp.compilerClassName=org.apache.jasper.compiler.JDTCompiler
web.jsp.compiler=modern
web.jsp.fork=false
web.jsp.keepgenerated=true
web.jsp.modificationTestInterval=4

# Jetty default servlet configuration (init parameters)
# See for descriptions
# https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-webapp/src/main/config/etc/webdefault.xml
web.defaultServlet.dirAllowed=false
web.defaultServlet.maxCacheSize=256000000
web.defaultServlet.maxCachedFileSize=200000000
web.defaultServlet.maxCachedFiles=2048
web.defaultServlet.etags=false
# defaults to false for Windows, defaults to true for all other OS
# see https://www.eclipse.org/jetty/documentation/current/troubleshooting-locked-files-on-windows.html
#web.defaultServlet.useFileMappedBuffer=true

#iFrame Header Control iFrame Header Control 'X-Frame-Options' (case sensitive options)
# SAMEORIGIN - Only allow Mango to embed i-frames when the requesting page was loaded from the Mango domain
# DENY - Do not allow at all
# ANY - Do not even use the header at all 
# One specific domain name can be supplied so that the header becomes: ALLOW-FROM http://foo.bar.com 
web.security.iFrameAccess=SAMEORIGIN

#Follow symbolic links when serving files from Jetty
web.security.followSymlinks=true

# Content Security Policy settings, please see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# The reasons for the default policy are outlined below
# style-src 'unsafe-inline' - inline styles are used by AngularJS Material for the dynamic theming
# script-src 'unsafe-eval' - needed by Fabric.js used in amCharts for drawing on charts, also gives AngularJS a 30% performance boost
# connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname
# img-src data: - allows for small base64 encoded images to be embedded inline into the html
# img-src/script-src https://www.google-analytics.com - allows for enabling Google analytics (not enabled by default, must be manually enabled by admin via UI Settings page)
# img-src/script-src https://maps.google.com https://maps.googleapis.com https://maps.gstatic.com - allows for using the Google maps component
# style-src/font-src https://fonts.googleapis.com https://fonts.gstatic.com - allows for using Google fonts in dashboards
web.security.contentSecurityPolicy.enabled=false
web.security.contentSecurityPolicy.reportOnly=false
web.security.contentSecurityPolicy.defaultSrc='self'
web.security.contentSecurityPolicy.scriptSrc='self' 'unsafe-eval' https://maps.google.com https://maps.googleapis.com https://www.google-analytics.com
web.security.contentSecurityPolicy.styleSrc='self' 'unsafe-inline' https://fonts.googleapis.com
web.security.contentSecurityPolicy.connectSrc='self' ws: wss:
web.security.contentSecurityPolicy.imgSrc='self' data: https://maps.google.com https://maps.gstatic.com https://www.google-analytics.com
web.security.contentSecurityPolicy.fontSrc='self' https://fonts.gstatic.com
web.security.contentSecurityPolicy.mediaSrc=
web.security.contentSecurityPolicy.objectSrc=
web.security.contentSecurityPolicy.frameSrc=
web.security.contentSecurityPolicy.workerSrc=
web.security.contentSecurityPolicy.manifestSrc=
web.security.contentSecurityPolicy.other=

# script-src 'unsafe-inline' - inline scripts are used extensively throughout the Mango legacy UI
# script-src 'unsafe-eval' - The Dojo JS library uses eval()
# style-src 'unsafe-inline' - inline styles are used throughout the Mango legacy UI
# connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname
# img-src data: - allows for small base64 encoded images to be embedded inline into the html
# img-src/script-src https://www.google-analytics.com - allows for enabling Google analytics
web.security.contentSecurityPolicy.legacyUi.enabled=false
web.security.contentSecurityPolicy.legacyUi.reportOnly=false
web.security.contentSecurityPolicy.legacyUi.defaultSrc='self'
web.security.contentSecurityPolicy.legacyUi.scriptSrc='self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com
web.security.contentSecurityPolicy.legacyUi.styleSrc='self' 'unsafe-inline'
web.security.contentSecurityPolicy.legacyUi.connectSrc='self' ws: wss:
web.security.contentSecurityPolicy.legacyUi.imgSrc='self' data: https://www.google-analytics.com
web.security.contentSecurityPolicy.legacyUi.fontSrc=
web.security.contentSecurityPolicy.legacyUi.mediaSrc=
web.security.contentSecurityPolicy.legacyUi.objectSrc=
web.security.contentSecurityPolicy.legacyUi.frameSrc=
web.security.contentSecurityPolicy.legacyUi.workerSrc=
web.security.contentSecurityPolicy.legacyUi.manifestSrc=
web.security.contentSecurityPolicy.legacyUi.other=

#Regex used to match serial ports so they show up in the menu
serial.port.linux.regex=((cu|ttyS|ttyUSB|ttyACM|ttyAMA|rfcomm|ttyO|COM)[0-9]{1,3}|rs(232|485)-[0-9])
serial.port.linux.path=/dev/
serial.port.windows.regex=
serial.port.windows.path=
serial.port.osx.path=/dev/
serial.port.osx.regex=(cu|tty)..*
#Number of bytes read events to queue up before discarding
serial.port.eventQueueSize=10000
#Rate at which to poll the serial port for new data in Linux (Windows uses interrupts)
serial.port.linux.readPeriods=100
serial.port.linux.readPeriodType=NANOSECONDS

#Start data sources in parallel threads
runtime.datasource.startupThreads=8
#Log startup times for runtime manager
runtime.datasource.logStartupMetrics=true
#Log number of aborted polls for a polling data source this often at a minimum (only logged after next aborted poll past this time)
runtime.datasource.pollAbortedLogFrequency=3600000

#Report Javascript Execution Times at INFO Level logging
# add this to log4j.xml   <category name="org.perf4j.TimingLogger"><level value="info"/></category>
runtime.javascript.metrics=false

#Default task queue size for the Real Time Timer, should multiple tasks of the same type be queued up?
# Tasks are rejected from a full queue, a size of 0 means reject multiple instances of the same task
runtime.realTimeTimer.defaultTaskQueueSize=0
#When a task queue is full should the waiting tasks be discarded and replaced with the most recent
runtime.realTimeTimer.flushTaskQueueOnReject=false
#Delay (in ms) to wait to rate limit task rejection log messages so they don't fill up logs and use too much cpu doing it
runtime.taskRejectionLogPeriod=10000
#Maximum counts to wait to terminate the thread pool's tasks that are running or queued to run
# each count is 1 second.  So the default of 60 = 1 minute.  Note that the medium and low
# timeout happens first and then the remaining time is spent waiting of the high priority tasks.
# So by setting both to the same value will result in waiting only as long as that value.
runtime.shutdown.medLowTimeout=60
runtime.shutdown.highTimeout=60

# Set the location of the file stores, (relative to $MA_HOME if not absolute)
# If not set, the location is $MA_HOME/filestore
filestore.location=filestore

# Set the location of the modules data directory, (relative to $MA_HOME if not absolute)
# If not set, the location is $MA_HOME/data
moduleData.location=data

# HTTP session (authentication) cookie name and domain name settings.
#
# Use the Mango GUID as the session cookie name
sessionCookie.useGuid=true
# name takes precedence over useGuid if set
sessionCookie.name=
# Set the domain name that the cookie is valid for, can be used to make the session login valid for subdomains too.
# If left blank the session cookie can only be used for the domain that you login at.
sessionCookie.domain=

# Controls the poll period for collecting internal metrics
internal.monitor.pollPeriod=10000
# Controls the poll period for collecting disk usage
internal.monitor.diskUsage.pollPeriod=1200000
# Should MA_HOME and each file store directory be monitored individually in addition to the partitions?
internal.monitor.diskUsage.monitorDirectories=false
              1 Reply Last reply Reply Quote 0
              • MattFoxM
                MattFox
                last edited by MattFox

                Is your client running on port 80?
                Looking at that, the server will connect on the same port it's set up on. Also note your ssh settings as well. since ES units run on port 2222, you'd have to configure port forwarding if you're coming in from port 22.

                Do not follow where the path may lead; go instead where there is no path.
                And leave a trail - Muriel Strode

                C 1 Reply Last reply Reply Quote 0
                • CraigWebC
                  CraigWeb
                  last edited by

                  Hi @cmason

                  Have you set up a wildcard DNS record for *.subdomain.hostname?
                  Is your Certificate a wildcard certificate?

                  The proxy basically routes guid.subdomain.domain -> localhost:"client web port" . I have never seen this before where you get a guid.mangoHTS### URL. Probably cause it's not common to set up an HTS as the CC server.
                  Please go to administration --> system settings -> ES configuration and change the hostname to your public hostname. I believe that will fix the URL issue.

                  C 1 Reply Last reply Reply Quote 0
                  • C
                    cmason @MattFox
                    last edited by

                    This post is deleted!
                    1 Reply Last reply Reply Quote 0
                    • CraigWebC
                      CraigWeb
                      last edited by

                      @mattfox said in Cloud Connect Help:

                      settings as well. since ES units run on port 2222, you'd have to configure port forwarding if yo

                      The reverse proxy will setup port forwarding for both web and ssh ports so that you will be able to access both from your CC server. You will not need to setup port forwarding on the mangoHTS side.

                      If you want to ssh into your mangoHTS you will ssh into the CC server and then run the following cmd:
                      ssh -p 37001 mango@localhost the CC server will route that to the mangoHTS on the reverse proxy connection.

                      1 Reply Last reply Reply Quote 0
                      • MattFoxM
                        MattFox
                        last edited by

                        0_1598424208231_1f8d31a7-83ce-43cb-ab87-aaf6993e9c17-image.png
                        Was what i was referring to

                        Do not follow where the path may lead; go instead where there is no path.
                        And leave a trail - Muriel Strode

                        1 Reply Last reply Reply Quote 0
                        • C
                          cmason @CraigWeb
                          last edited by

                          The proxy basically routes guid.subdomain.domain -> localhost:"client web port" . I have never seen this before where you get a guid.mangoHTS### URL. Probably cause it's not common to set up an HTS as the CC server.
                          Please go to administration --> system settings -> ES configuration and change the hostname to your public hostname. I believe that will fix the URL issue.

                          Yes this did fix the issue of the url that was given to the new window.

                          The new windows now opens up with 'GUID.subdomain.domain'

                          However I've got a new problem. The window just opens and directs straight into the servers UI from where I just came from. Basically just loops it around on itself.

                          Have you set up a wildcard DNS record for *.subdomain.hostname?

                          Not technically but the subdomain.domain is resolving to the domain. the subdomain part is really so the reverse proxy can identify it.

                          Is your Certificate a wildcard certificate?

                          Yes

                          1 Reply Last reply Reply Quote 0
                          • CraigWebC
                            CraigWeb
                            last edited by

                            I suggest trying to get it working without the complexity of your reverse proxy first.

                            You will need a wildcard DNS record that resolves to your MangoHTS server.

                            Basically, when you open the link the traffic will go as below
                            GUID.subdomain.domain --> "CC server"-->.localhost:37000-->MangoHTS:8080

                            C 1 Reply Last reply Reply Quote 0
                            • C
                              cmason @CraigWeb
                              last edited by

                              @craigweb said in Cloud Connect Help:

                              I suggest trying to get it working without the complexity of your reverse proxy first.

                              Ok I'll try that out. What's the recommended way to secure the connections then between the mango and the internet? The main reason I was using the reverse proxy was for security.

                              @MattFox Are you using cloud connect with the reverse proxy? If so is that using apache on the same machine as your mango like I've seen you describe in some of the other threads?

                              CraigWebC 1 Reply Last reply Reply Quote 0
                              • MattFoxM
                                MattFox
                                last edited by

                                Ive just dropped apache in favour of Nginx because it has better support for proxy headers.
                                Happy to help you with that.
                                In the meantime we can focus on plain http with the mango running on port 8080 then using the proxy engine to handle all requests and merely serve them to mango.
                                Im going to bed now so Ill assist with that tomorrow. In fact I think Ill write a tutorial...

                                Fox

                                Do not follow where the path may lead; go instead where there is no path.
                                And leave a trail - Muriel Strode

                                C 1 Reply Last reply Reply Quote 0
                                • CraigWebC
                                  CraigWeb @cmason
                                  last edited by

                                  @cmason
                                  Mount your certificate on the mango web server so all HTTP traffic is encrypted.
                                  Mango webserver has a rate limiter on unauthorized API requests.
                                  CC server uses ssh so those sockets are all encrypted.
                                  The persistent data source/publisher uses encryption as well. you can choose the size of the shared key.
                                  Use a firewall to block all unused ports.

                                  I may be wrong but how I don't see how the reverse proxy will make it more secure.

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    cmason @MattFox
                                    last edited by

                                    @MattFox @CraigWeb

                                    Thanks Guys. I followed what you guys said and stripped it all back to the basics and got it working without the proxy. Funnily enough though It worked with HTTPS 'ssl.on=true' (self signed on the mango) but HTTP was having issues.
                                    Anyway I enabled set 'ssl.on=true' on the server and got it all working.

                                    Then I moved it all back behind the reverse proxy, and so far it all seems to be working fine.
                                    The only difference this time is the ssl.on = true.

                                    I may be wrong but how I don't see how the reverse proxy will make it more secure

                                    Yeah I mainly did this because I'm using a Synology NAS as the reverse proxy, it has nginx built in. Having this take care of the certificates and the auto renewals etc seemed a lot more straight forward then getting it to work on the mango with the java keystore etc. Perhaps a feature to add for Mango 4? haha.

                                    I'll see how this goes and keep you posted.

                                    Bearing in mind that the ports 9005 for cloud connect and the ports I've opened for the PTCP publishers get forwarded straight to the mango itself. I haven't got them going through the reverse proxy. Are the HTTP/S payloads?

                                    1 Reply Last reply Reply Quote 0
                                    • CraigWebC
                                      CraigWeb
                                      last edited by

                                      Awesome!
                                      They are not HTTP payloads.
                                      I use let's encrypt and certbot to handle certificate renewals. There is a script in mango that can be run after the cert is renewed that will move the certificate into the keystore and replace the old cert. /mango/bin/certbot-deploy.sh
                                      You may want to look at that.

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post