Point value crossed out in red

CraigWeb

@mihairosu There are 2 reasons for those diagonal lines, either the point is disabled or you are losing connection to the Mango API which is what I suspect Since the watchlists are not working either. Can you open your browser console and see if there are any console errors and also look if there are any network requests that are failing?

Are you browsing from the same windows PC that you are hosting on?

mihairosu

@CraigWeb

Okay I figured out the "problem". Thanks for the guidance. I am accessing the GUI through HAProxy. If I use the direct IP address, there is no issue.

I would like to use HTTPS/SSL, ideally through HAProxy (running on pfsense) since I'm using that for most everything else.

Is there a way to get it to work through some sort of advanced settings?

Else, I will just have to resort to certbot.

mihairosu

@mihairosu

I did find these instructions, but they're for Apache. I'm not sure how to do the same thing in pfSense's HAProxy configs.

CraigWeb

@mihairosu I am not familiar with that proxy and I have seen many people struggle with similar firewalls. You will need to reach out to their support and ask how the proxy can be configured to allow WebSocket upgrades. All points value and event updates use WebSockets, most proxies do not allow this by default and it needs to be explicitly allowed.

Here are the instructions to get SSL enabled but I can see this is going to be quite a struggle with that firewall, I can assist on the mango side but won't be able to help much with that Proxy.
https://docs-v3.mango-os.com/ssl

mihairosu

@CraigWeb

Got it, thanks Craig.

In this case, there's no issues on the Mango side, so I'll see what I can figure out and how to proceed.

MattFox

@mihairosu I'd argue that since you need a web server to host an ssl cert, use pfsense and port forward to the mango box instead. Use nginx as it offers better support for reverse proxy headers and websockets. Much simpler and allows you to have nginx automate the ssl certs to keep everything up to date.

Fox

mihairosu

@MattFox

Do you have an nginx configuration you can share?

The documentation shows an example for apache, but not nginx.

CraigWeb

@mihairosu nginx is by far the most popular however we have internally settled on using Caddy https://caddyserver.com/
which does everything @MattFox described, auto SSL renewal from LetsEncrypt ect. The only reason I mention this is that I would be able to support you on caddy.

MattFox

@mihairosu sure, give me a moment

MattFox

@mihairosu https://forum.mango-os.com/topic/5616/use-nginx-with-mango-as-an-ssl-reverse-proxy

mihairosu

@MattFox
Then you for the instructions, but I ran into a problem.

simply running certbot --nginx assumed it can do a challenge over port 80, i.e. mango os ip is publicly exposed, which ours is not, and that will fail.

We need do a dns challenge (cloudflare), which would look like this:

certonly --nginx --dns-cloudflare --dns-cloudflare-credentials /loc/to/cloudflare-api-token.ini -d mangoos.com

But running that will give a different error:

Too many flags setting configurators/installers/authenticators 'nginx' -> 'dns-cloudflare'

I haven't figured out to do either of these things:

1. Convert your HTTP nginx config to https
2. Figure out how to use the certbot --nginx with cloudflare dns challenge

When I figure it out I'll post here, but if you have any tips for either of those I would much appreciate it!

P.S. I do have the LetsEncrypt certificates on the system for step 1.

mihairosu

@mihairosu

After running certbot, it created the certificate and key in the /etc/letsencrypt/live/fqdn.com/ directory, I was able to get it to work with the following nginx configuration:

server {

listen 443 ssl;
server_name fqdn.com;
root /opt/mango/overrides/web/;
index index.html;

ssl_certificate /etc/letsencrypt/live/fqdn.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fqdn.com/privkey.pem;

include /etc/letsencrypt/options-ssl-nginx.conf;

location / {
proxy_pass http://127.0.0.1:8080/;
proxy_http_version 1.1;

# Inform Mango about the real host, port and protocol

proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

}

MattFox

@mihairosu nicely done! If desired save the successful ssh call you made into a bash script followed by a sudo service nginx restart
You can then routinely call this once a month to keep your certs always up to date via cron.monthly or using crontab itself.

Fox

mihairosu

@MattFox

Based on the installation instructions for certbot on Ubuntu here, it looks like it should have automatically installed a renew job.

I found it in systemctl list-timers

Wed 2023-02-15 21:42:00 CST 1h 56min left n/a                         n/a          snap.certbot.renew.timer       snap.certbot.renew.service

So I assume I should be good, but thanks for the heads up.

MattFox

@mihairosu good, it doesn't for the mango units so I'm glad everything is resolved.

Fox