Point value crossed out in red
-
Okay I figured out the "problem". Thanks for the guidance. I am accessing the GUI through HAProxy. If I use the direct IP address, there is no issue.
I would like to use HTTPS/SSL, ideally through HAProxy (running on pfsense) since I'm using that for most everything else.
Is there a way to get it to work through some sort of advanced settings?
Else, I will just have to resort to certbot.
-
I did find these instructions, but they're for Apache. I'm not sure how to do the same thing in pfSense's HAProxy configs.
-
@mihairosu I am not familiar with that proxy and I have seen many people struggle with similar firewalls. You will need to reach out to their support and ask how the proxy can be configured to allow WebSocket upgrades. All point value and event updates use WebSockets; most proxies do not allow this by default, and it needs to be explicitly allowed.
Here are the instructions to get SSL enabled, but I can see this is going to be quite a struggle with that firewall. I can assist on the Mango side but won't be able to help much with that proxy.
https://docs-v3.mango-os.com/ssl
-
Got it, thanks Craig.
In this case, there are no issues on the Mango side, so I'll see what I can figure out and how to proceed.
-
@mihairosu I'd argue that since you need a web server to host an ssl cert, use pfsense and port forward to the mango box instead. Use nginx as it offers better support for reverse proxy headers and websockets. Much simpler and allows you to have nginx automate the ssl certs to keep everything up to date.
Fox
-
Do you have an nginx configuration you can share?
The documentation shows an example for apache, but not nginx.
-
@mihairosu nginx is by far the most popular; however, we have internally settled on using Caddy (https://caddyserver.com/), which does everything @MattFox described, auto SSL renewal from LetsEncrypt etc. The only reason I mention this is that I would be able to support you on Caddy.
-
@mihairosu sure, give me a moment
-
-
@MattFox
Thank you for the instructions, but I ran into a problem. Simply running certbot --nginx assumed it can do a challenge over port 80, i.e. the Mango OS IP is publicly exposed, which ours is not, and that will fail.
We need to do a DNS challenge (Cloudflare), which would look like this:

    certonly --nginx --dns-cloudflare --dns-cloudflare-credentials /loc/to/cloudflare-api-token.ini -d mangoos.com

But running that will give a different error:

    Too many flags setting configurators/installers/authenticators 'nginx' -> 'dns-cloudflare'

I haven't figured out how to do either of these things:
- Convert your HTTP nginx config to HTTPS
- Figure out how to use certbot --nginx with the Cloudflare DNS challenge
When I figure it out I'll post here, but if you have any tips for either of those I would much appreciate it!
P.S. I do have the LetsEncrypt certificates on the system for step 1.
-
After running certbot, it created the certificate and key in the /etc/letsencrypt/live/fqdn.com/ directory. I was able to get it to work with the following nginx configuration:

    server {
        listen 443 ssl;
        server_name fqdn.com;
        root /opt/mango/overrides/web/;
        index index.html;

        ssl_certificate /etc/letsencrypt/live/fqdn.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/fqdn.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;

        location / {
            proxy_pass http://127.0.0.1:8080/;
            proxy_http_version 1.1;

            # Inform Mango about the real host, port and protocol
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Pass the WebSocket upgrade request through to Mango
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
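Added example, not part of the original post or of Mango's documentation: a Python check for the failure discussed in this thread, where a proxy that does not forward the WebSocket upgrade leaves the UI without live updates. It validates the reply to an RFC 6455 upgrade request; the sample replies are constructed, and the `probe` path `/WEBSOCKET-PATH` is a placeholder because the thread does not name Mango's WebSocket endpoint.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept value a WebSocket endpoint must return for `key`."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def build_request(host, path, key):
    """Minimal client upgrade request, as a browser would send through the proxy."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode()

def check_response(raw, key):
    """Return (ok, reason) for the raw reply to an upgrade request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (line.partition(":") for line in lines)}
    parts = status.split()
    if len(parts) < 2 or parts[1] != "101":
        return False, f"no upgrade, proxy or backend answered: {status}"
    if hdrs.get("upgrade", "").lower() != "websocket":
        return False, "101 without 'Upgrade: websocket'"
    if hdrs.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept does not match the key sent"
    return True, "upgrade passed through"

def probe(host, port=443, path="/WEBSOCKET-PATH"):
    """Live check over TLS against your own proxy; `path` is a placeholder."""
    key = base64.b64encode(os.urandom(16)).decode()  # fresh nonce per attempt
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_request(host, path, key))
            return check_response(tls.recv(4096), key)

# Constructed sample replies (not captured from a real Mango or proxy instance).
KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # sample key from RFC 6455
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
BLOCKED = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("forwarded", GOOD), ("not forwarded", BLOCKED)):
        print(name, check_response(raw, KEY))
```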
-
@mihairosu nicely done! If desired, save the successful ssh call you made into a bash script followed by a
sudo service nginx restart
You can then routinely call this once a month to keep your certs always up to date via cron.monthly or using crontab itself.
Fox
-
Based on the installation instructions for certbot on Ubuntu here, it looks like it should have automatically installed a renew job.
I found it in systemctl list-timers
Wed 2023-02-15 21:42:00 CST 1h 56min left n/a n/a snap.certbot.renew.timer snap.certbot.renew.service
So I assume I should be good, but thanks for the heads up.
-
@mihairosu good, it doesn't for the mango units so I'm glad everything is resolved.
Fox