Please Note This forum exists for community support for the Mango product family and the Radix IoT Platform. Although Radix IoT employees participate in this forum from time to time, there is no guarantee of a response to anything posted here, nor can Radix IoT, LLC guarantee the accuracy of any information expressed or conveyed. Specific project questions from customers with active support contracts are asked to send requests to support@radixiot.com.

Radix IoT Website Mango 3 Documentation Website Mango 4 Documentation Website

  • I've followed through the few threads on here trying to setup cloud connect. Mainly this one https://forum.infiniteautomation.com/topic/3812/cloud-connect-401-403-errors

    I've managed to get my cloud connect client to connect to my cloud connect server, though that's about it.
    For background, the server is sitting behind a firewall and I have registered a subdomain.domain name for it. For browser traffic, 80,443 etc, the firewall routes this to a reverse proxy on another machine behind the firewall, and that takes care of users accessing the UI over the web. For the cloud connect I've just set the firewall to bypass the reverse proxy and route all 9005 traffic (the port the cloud connect server is listening on) to the mango server. This seems to be working fine.

    My issue is trying to open a web browser to the client. Whenever I go to the connected clients page, and click the 'open client' button, it just takes me straight to another window with a nonsense url and says it can't find the IP. The URL in the opened window is 'GUID.hostname'. (GUID being the GUID of the client and hostname being the host name of the server). I've followed the settings in the linked thread. I've also tried a all sorts of other combinations but every time it just opens the window with the same url. My understanding is that it should be opening the window with something like 'GUID.mysubomain.mydomain'.

    Also I'm not sure exactly what settings need to be in the proxy, I've attached what I've got so far as at this stage trying to connect in general seems to be the first hurdle. Any help much appreciated.
    2_1598400684031_Proxy Settings.png 1_1598400684031_Cloud Connect Window.png 0_1598400684030_Cloud Connect Client.png


  • Have you done a DNS lookup to see if an IP even matches that URL?


  • @mattfox said in Cloud Connect Help:

    Have you done a DNS lookup to see if an IP even matches that URL?

    Yeah it doesn't, that's kind of the problem. my subdomain.domain is valid. But my the host name 'mangoHTSXXXXX' is just a hostname.
    According to the other thread I should be getting 'GUID.subdomain.domain'.


  • Show your env.properties settings. let's compare to see if you missed anything or need to amend anything...
    feel free to change the domain name as long as it matches your pattern
    Fox


  • @mattfox thanks man

    Here's the overrides env.properties files

    #    Copyright (C) 2014 Infinite Automation Systems Inc. All rights reserved.
    #    @author Matthew Lohbihler
    
    ###############################################################################
    # TO OVERRIDE VALUES IN THIS FILE...
    #
    # Do not change the values in this file, because when you upgrade your core 
    # your changes will be overwritten. Instead, create a new file called 
    # <MA_HOME>/overrides/properties/env.properties and override properties 
    # there. The overrides directory will never be overwritten by an upgrade, so 
    # your customizations will be safe.
    # 
    ###############################################################################
    
    # The port at which Mango Automation will listen for browser connections
    web.port=80
    # The host interface to which Mango Automation will bind and listen for new connections
    #  0.0.0.0 is the special interface that will force a bind to all available interfaces
    web.host=0.0.0.0
    
    # Should Mango Automation open (if possible) a browser window when it starts up?
    web.openBrowserOnStartup=true
    
    # Set this to true if you are running Mango behind a reverse proxy that sends "Forwarded" or "X-Forwarded-*" headers.
    # This includes accessing Mango via Cloud Connect module. By default only requests from localhost are trusted.
    web.forwardedHeaders.enabled=true
    # Set a comma separated list of IP ranges from which to trust Forwarded headers
    web.forwardedHeaders.trustedIpRanges=127.0.0.0/8,::1,10.1.1.0/24
    
    # HTTP session (authentication) cookie name and domain name settings.
    #
    # Use the Mango GUID as the session cookie name
    sessionCookie.useGuid=true
    # Set the domain name that the cookie is valid for, can be used to make the session login valid for subdomains too.
    # If left blank the session cookie can only be used for the domain that you login at.
    sessionCookie.domain=.mango.abc.wyxz.nz
    
    # Default database settings, NOTE that on windows this must be an absolute path
    db.type=h2
    db.url=jdbc:h2:${ma.home}/databases/mah2
    db.location=${ma.home}/databases/mah2
    db.username=
    db.password=
    #For web console
    db.web.start=false
    db.web.port=8091
    
    #General Database Settings
    db.pool.maxActive=100
    db.pool.maxIdle=10
    db.update.log.dir=${ma.home}/logs/
    # setting to show query times in the logs as INFO
    db.useMetrics=false
    
    #--The following database properties are for RQL REST queries and can be changed during runtime and will be picked up at most in 5s--
    #Force the use of indexes (Experimental and only on MySQL so far)
    db.forceUseIndex=true
    #Tell the jdbc driver to fetch this many rows at a time, useful over network connected dbs (Not MySQL)
    # negative values will force use jdbc driver default
    db.fetchSize=-1
    #Tell the database to not return the entire result set (or fetch blocks) but to return row by row
    # can slow down performance on network systems but reduce memory footprint for large queries
    db.stream=false
    #-- End auto-reloading Database Properties --
    
    # MySQL database settings. Your MySQL instance must already be running and configured before this can be used.
    #db.type=mysql
    #db.url=jdbc:mysql://localhost/<your mysql schema name>
    #db.username=<your mysql username>
    #db.password=<your mysql password>
    #db.mysqldump=<location/command for mysqldump executable for backups>
    #db.mysql=<location/command for mysql executable for restore>
    
    # Database settings for conversion. If the db.* settings point to a new database instance, and the convert type setting
    # is set, Mango Automation will attempt to convert from the convert.db.* settings to the db.* settings
    # Note that database conversions should not be performed in the same step as an upgrade. First upgrade, then convert.
    convert.db.type=
    convert.db.url=${convert.db.url}
    convert.db.username=${convert.db.username}
    convert.db.password=${convert.db.password}
    
    #Set the base path for where the NoSQL data will be stored
    db.nosql.location=${ma.home}/databases/
    #Set the folder name of the point value store
    db.nosql.pointValueStoreName=mangoTSDB
    #Set the number of files the database can have open at one time
    db.nosql.maxOpenFiles=500
    #Time after which a shard will be closed
    db.nosql.shardStalePeriod=36000000
    #Period to check for stale shards
    db.nosql.flushInterval=300000
    #Query Performance Tuning, File Access Type: Available[INPUT_STREAM,FILE_CHANNEL,RANDOM_ACCESS_FILE,MAPPED_BYTE_BUFFER]
    db.nosql.shardStreamType=INPUT_STREAM
    #Setting to speed up NoSQL queries at the expense of a small increase in disk usage
    db.nosql.reversible=false
    #Setting this will convert your existing point value store [NONE, REVERSIBLE, UNREVERSIBLE]
    db.nosql.convert=NONE
    #Number of concurrent threads to use to convert the database
    db.nosql.convertThreads=4
    #Run the corruption scan if the db is marked dirty
    db.nosql.runCorruptionOnStartupIfDirty=false
    
    #Password encryption scheme [BCRYPT, SHA-1, NONE]
    #Legacy is SHA-1, 2.8+ BCRYPT
    #security.hashAlgorithm=BCRYPT
    
    # The location of the Mango Automation store from which to get license files.
    store.url=https://store.infiniteautomation.com
    
    # SSL control
    ssl.on=false
    ssl.port=8443
    ssl.keystore.location=/location/to/keystore/file.jks
    ssl.keystore.password=freetextpassword
    
    # System time zone. Leave blank to use default VM time zone.
    timezone=
    
    #Rest API Configuration
    rest.enabled=true
    #For using other than timestamp
    rest.customDateOutputFormat=YYYY-MM-dd HH:mm:ss.SSS Z
    rest.customDateInputFormat=YYYY-MM-dd HH:mm:ss.SSS Z
    #Enable to make JSON More readable
    rest.indentJSON=false
    #Cross Origin Request Handling
    rest.cors.enabled=false
    rest.cors.allowedOrigins=*,localhost
    rest.cors.allowedMethods=PUT,POST,GET,OPTIONS,DELETE
    rest.cors.allowedHeaders=LOGOUT,PASSWORD
    rest.cors.exposedHeaders=
    rest.cors.allowCredentials=true
    rest.cors.maxAge=3600
    
    #For rest API Documentation at /swagger/index.html
    swagger.enabled=true
    #Regex Patter to scan for REST API endpoints for Swagger to document/display
    swagger.mangoApiVersion=v[12]
    
    
    #Distributor Settings
    distributor=IA
    
    #Jetty Thread Pool Tuning
    # Time a thread must be idle before killing to keep pool size at minimum
    web.threads.msIdleTimeout=10000
    # Number of threads to keep around to handle incoming connections
    web.threads.minimum=10
    # Number of threads allowed to be created to handle incoming requests as needed
    web.threads.maximum=200
    # Number of Requests To Queue if all threads are busy
    web.requests.queueSize=200
    # Ping timeout for response from browser
    web.websocket.pingTimeoutMs=10000
    
    #Jetty JSP Configuration
    # See here for options: http://www.eclipse.org/jetty/documentation/9.2.10.v20150310/configuring-jsp.html
    web.jsp.development=true
    web.jsp.genStringsAsCharArray=true
    web.jsp.trimSpaces=false
    web.jsp.classdebuginfo=false
    web.jsp.supressSmap=true
    web.jsp.compilerClassName=org.apache.jasper.compiler.JDTCompiler
    web.jsp.compiler=modern
    web.jsp.fork=false
    web.jsp.keepgenerated=true
    
    #iFrame Header Control iFrame Header Control 'X-Frame-Options' (case sensitive options)
    # SAMEORIGIN - Only allow Mango to embed i-frames when the requesting page was loaded from the Mango domain
    # DENY - Do not allow at all
    # ANY - Do not even use the header at all 
    # One specific domain name can be supplied so that the header becomes: ALLOW-FROM http://foo.bar.com 
    web.security.iFrameAccess=SAMEORIGIN
    
    #Regex used to match serial ports so they show up in the menu
    serial.port.linux.regex=((cu|ttyS|ttyUSB|ttyACM|ttyAMA|rfcomm|ttyO|COM)[0-9]{1,3}|rs(232|485)-[0-9])
    serial.port.linux.path=/dev/
    serial.port.windows.regex=
    serial.port.windows.path=
    serial.port.osx.path=/dev/
    serial.port.osx.regex=(cu|tty)..*
    
    #Start data sources in parallel threads
    runtime.datasource.startupThreads=4
    #Log startup times for runtime manager
    runtime.datasource.logStartupMetrics=true
    #Log number of aborted polls for a polling data source this often at a minimum (only logged after next aborted poll past this time)
    runtime.datasource.pollAbortedLogFrequency=3600000
    
    #Report Javascript Execution Times at INFO Level logging
    # add this to log4j.xml   <category name="org.perf4j.TimingLogger"><level value="info"/></category>
    runtime.javascript.metrics=false
    
    #Default task queue size for the Real Time Timer, should multiple tasks of the same type be queued up?
    # Tasks are rejected from a full queue, a size of 0 means reject multiple instances of the same task
    runtime.realTimeTimer.defaultTaskQueueSize=0
    #When a task queue is full should the waiting tasks be discarded and replaced with the most recent
    runtime.realTimeTimer.flushTaskQueueOnReject=false
    
    #Maximum counts to wait to terminate the thread pool's tasks that are running or queued to run
    # each count is 1 second.  So the default of 60 = 1 minute.  Note that the medium and low
    # timeout happens first and then the remaining time is spent waiting of the high priority tasks.
    # So by setting both to the same value will result in waiting only as long as that value.
    runtime.shutdown.medLowTimeout=60
    runtime.shutdown.highTimeout=60
    
    

    And here's the core env.properties file

    #    Copyright (C) 2014 Infinite Automation Systems Inc. All rights reserved.
    #    @author Matthew Lohbihler
    
    ###############################################################################
    # TO OVERRIDE VALUES IN THIS FILE...
    #
    # Do not change the values in this file, because when you upgrade your core 
    # your changes will be overwritten. Instead, create a new file called 
    # <MA_HOME>/overrides/properties/env.properties and override properties 
    # there. The overrides directory will never be overwritten by an upgrade, so 
    # your customizations will be safe.
    # 
    ###############################################################################
    
    # The port at which Mango Automation will listen for browser connections
    web.port=8080
    # The host interface to which Mango Automation will bind and listen for new connections
    #  0.0.0.0 is the special interface that will force a bind to all available interfaces
    web.host=0.0.0.0
    
    # Should Mango Automation open (if possible) a browser window when it starts up?
    web.openBrowserOnStartup=true
    
    # Web caching settings
    
    # disable caching
    web.cache.noStore=false
    web.cache.noStore.rest=true
    web.cache.noStore.resources=false
    
    # set max age of cached files in seconds, only if noStore=false
    # versioned resources are those with ?v=xxx on the query string
    web.cache.maxAge=0
    web.cache.maxAge.rest=0
    web.cache.maxAge.resources=86400
    web.cache.maxAge.versionedResources=31536000
    
    #Upload file size limit (bytes) -1 means no limit
    web.fileUpload.maxSize=250000000
    
    # Set this to true if you are running Mango behind a reverse proxy that sends "Forwarded" or "X-Forwarded-*" headers.
    # This includes accessing Mango via Cloud Connect module. By default only requests from localhost are trusted.
    web.forwardedHeaders.enabled=true
    # Set a comma separated list of IP ranges from which to trust Forwarded headers
    web.forwardedHeaders.trustedIpRanges=127.0.0.0/8,::1
    
    # Default database settings, NOTE that on windows this must be an absolute path
    db.type=h2
    db.url=jdbc:h2:${ma.home}/databases/mah2
    db.username=
    db.password=
    #For web console
    db.web.start=false
    db.web.port=8091
    #to compact the database size at shutdown (may take longer but will free up disk space)
    db.h2.shutdownCompact=false
    
    #General Database Settings
    db.pool.maxActive=100
    db.pool.maxIdle=10
    db.update.log.dir=${ma.home}/logs/
    
    # setting to show query times in the logs as INFO
    db.useMetrics=false
    # if set, will only log slow queries, above this threshold in ms. Will be logged at WARN level instead of INFO
    db.metricsThreshold=100
    
    #--The following database properties are for RQL REST queries and can be changed during runtime and will be picked up at most in 5s--
    #Force the use of indexes (Experimental and only on MySQL so far)
    db.forceUseIndex=true
    #Tell the jdbc driver to fetch this many rows at a time, useful over network connected dbs (Not MySQL)
    # negative values will force use jdbc driver default
    db.fetchSize=-1
    #Tell the database to not return the entire result set (or fetch blocks) but to return row by row
    # can slow down performance on network systems but reduce memory footprint for large queries
    db.stream=false
    #-- End auto-reloading Database Properties --
    
    # MySQL database settings. Your MySQL instance must already be running and configured before this can be used.
    #db.type=mysql
    #db.url=jdbc:mysql://localhost/<your mysql schema name>
    #db.username=<your mysql username>
    #db.password=<your mysql password>
    #db.mysqldump=<location/command for mysqldump executable for backups>
    #db.mysql=<location/command for mysql executable for restore>
    
    # Database settings for conversion. If the db.* settings point to a new database instance, and the convert type setting
    # is set, Mango Automation will attempt to convert from the convert.db.* settings to the db.* settings
    # Note that database conversions should not be performed in the same step as an upgrade. First upgrade, then convert.
    convert.db.type=
    convert.db.url=${convert.db.url}
    convert.db.username=${convert.db.username}
    convert.db.password=${convert.db.password}
    
    #Set the base path for where the NoSQL data will be stored
    db.nosql.location=${ma.home}/databases/
    #Set the folder name of the point value store
    db.nosql.pointValueStoreName=mangoTSDB
    #Set the number of files the database can have open at one time
    db.nosql.maxOpenFiles=500
    #Time after which a shard will be closed
    db.nosql.shardStalePeriod=36000000
    #Period to check for stale shards
    db.nosql.flushInterval=300000
    #Query Performance Tuning, File Access Type: Available[INPUT_STREAM,FILE_CHANNEL,RANDOM_ACCESS_FILE,MAPPED_BYTE_BUFFER]
    db.nosql.shardStreamType=MAPPED_BYTE_BUFFER
    #Setting to speed up NoSQL queries at the expense of a small increase in disk usage
    db.nosql.reversible=true
    #Setting this will convert your existing point value store [NONE, REVERSIBLE, UNREVERSIBLE]
    db.nosql.convert=NONE
    #Number of concurrent threads to use to convert the database
    db.nosql.convertThreads=4
    #Run the corruption scan if the db is marked dirty
    db.nosql.runCorruptionOnStartupIfDirty=false
    
    #Password encryption scheme [BCRYPT, SHA-1, NONE]
    #Legacy is SHA-1, 2.8+ BCRYPT
    #security.hashAlgorithm=BCRYPT
    
    # The location of the Mango Automation store from which to get license files.
    store.url=https://store.infiniteautomation.com
    
    # SSL control
    
    # *** NOTE ***
    # You can generate a self-signed certificate for testing using the following command
    # keytool -genkey -keyalg RSA -alias mango -keystore /location/to/keystore/file.jks -validity 365 -keysize 2048
    
    # Enter keystore password: {type your keystore password <ENTER>}
    # Re-enter new password: {type your keystore password <ENTER>}
    # What is your first and last name?
    #   [Unknown]: {the hostname mango is running on e.g. mymangotest.com OR localhost <ENTER>}
    # What is the name of your organizational unit?
    #   [Unknown]: {e.g. Mango testing <ENTER>}
    # What is the name of your organization?
    #   [Unknown]: {e.g. Infinite Automation Systems Inc. <ENTER>}
    # What is the name of your City or Locality?
    #   [Unknown]: {e.g. Erie <ENTER>}
    # What is the name of your State or Province?
    #   [Unknown]: {e.g. Colorado <ENTER>}
    # What is the two-letter country code for this unit?
    #   [Unknown]: {e.g. US <ENTER>}
    # Is CN=localhost, OU=Development, O=Infinite Automation Systems Inc., L=Erie, ST=Colorado, C=US correct?
    #   [no]:  {type yes <ENTER>}
    # 
    # Enter key password for <mango>
    #         (RETURN if same as keystore password): {type your key password or just press <ENTER>}
    
    # Note: Enabling SSL also turns on HSTS which may not be desirable, see below
    ssl.on=false
    ssl.port=8443
    ssl.keystore.watchFile=true
    ssl.keystore.location=overrides/keystore.p12
    ssl.keystore.password=freetextpassword
    # If they key password is commented out, it is assumed to be the same as the keystore password
    #ssl.key.password=
    #Time socket can be idle before being closed (ms)
    ssl.socketIdleTimeout=70000
    
    #Enable ALPN (Application-Layer Protocol Negotiation) for HTTP/2
    # on current browsers HTTP/2 is only available for TLS/SSL connections.
    # Note that with this setting you must also have the ALPN script extension enabled for Mango to start on pre Java 10.
    # (Adds -javaagent:${MA_HOME}/boot/jetty-alpn-agent.jar to the java options)
    # If you are running on Java 10+ this library is not required and will actually cause problems, so make sure you don't use that extension.
    ssl.alpn.on=true
    #Show debug output for alpn connections in log
    ssl.alpn.debug=false
    
    # Configure HSTS (HTTP Strict Transport Security)
    # Enabled by default when ssl.on=true
    # Sets the Strict-Transport-Security header, web browsers will always connect using HTTPS when they
    # see this header and they will cache the result for max-age seconds
    ssl.hsts.enabled=true
    ssl.hsts.maxAge=31536000
    ssl.hsts.includeSubDomains=false
    
    # System time zone. Leave blank to use default VM time zone.
    timezone=
    
    #Rest API Configuration
    rest.enabled=true
    
    #Enable to make JSON More readable
    rest.indentJSON=false
    #Cross Origin Request Handling
    rest.cors.enabled=false
    rest.cors.allowedOrigins=
    rest.cors.allowedMethods=PUT,POST,GET,OPTIONS,DELETE,HEAD
    rest.cors.allowedHeaders=content-type,x-requested-with,authorization
    rest.cors.exposedHeaders=
    rest.cors.allowCredentials=false
    rest.cors.maxAge=3600
    # disable browser redirects
    rest.disableErrorRedirects=false
    # enable test endpoints
    rest.testMode=false
    
    # Limits the rate at which an unauthenticated IP address can access the REST API
    # Defaults to an initial 10 request burst then 2 requests per 1 second thereafter
    rateLimit.rest.anonymous.enabled=true
    rateLimit.rest.anonymous.burstQuantity=40
    rateLimit.rest.anonymous.quanitity=5
    rateLimit.rest.anonymous.period=1
    rateLimit.rest.anonymous.periodUnit=SECONDS
    
    # Limits the rate at which an authenticated user can access the REST API
    # Disabled by default
    rateLimit.rest.user.enabled=false
    rateLimit.rest.user.burstQuantity=20
    rateLimit.rest.user.quanitity=10
    rateLimit.rest.user.period=1
    rateLimit.rest.user.periodUnit=SECONDS
    
    # Limits the rate at which authentication attempts can occur by an IP address
    # Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter
    rateLimit.authentication.ip.enabled=true
    rateLimit.authentication.ip.burstQuantity=5
    rateLimit.authentication.ip.quanitity=1
    rateLimit.authentication.ip.period=1
    rateLimit.authentication.ip.periodUnit=MINUTES
    
    # Limits the rate at which authentication attempts can occur against a username
    # Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter
    rateLimit.authentication.user.enabled=true
    rateLimit.authentication.user.burstQuantity=5
    rateLimit.authentication.user.quanitity=1
    rateLimit.authentication.user.period=1
    rateLimit.authentication.user.periodUnit=MINUTES
    
    #For rest API Documentation at /swagger-ui.html
    swagger.enabled=false
    #path to api-docs for swagger tools, will be appended to base REST api version URL i.e. /rest/v1/
    springfox.documentation.swagger.v2.path=/swagger/v2/api-docs
    # Require authentication to access Swagger API documentation.
    # If you set this to false then you can use an authentication token (generated on the Mango Users page) from the swagger UI instead.
    # To use, enter: Bearer <space> <token value> into the Authorize value input in the swagger ui
    swagger.apidocs.protected=true
    
    #Distributor Settings
    distributor=IA
    
    #Jetty Thread Pool Tuning
    # Time a thread must be idle before killing to keep pool size at minimum
    web.threads.msIdleTimeout=30000
    # Number of threads allowed to be created to handle incoming requests as needed (defaults to 10x number of processors, or 200, whichever is greater)
    web.threads.maximum=
    # Number of threads to keep around to handle incoming connections (defaults to max threads, or 8, whichever is lesser)
    web.threads.minimum=
    # Number of Requests To queue if all threads are busy (defaults 1280)
    web.requests.queueSize=
    # Ping timeout for response from browser
    web.websocket.pingTimeoutMs=10000
    #Time socket can be idle before being closed (ms)
    web.socketIdleTimeout=70000
    
    #Jetty QoS filter settings 
    # https://www.eclipse.org/jetty/documentation/current/qos-filter.html
    # Filter enabled setting
    web.qos.enabled=false
    #The maximum number of requests to be serviced at a time. The default is 10.
    web.qos.maxRequests=10
    #The length of time, in milliseconds, to wait while trying to accept a new request. Used when the maxRequests limit is reached. Default is 50 ms
    web.qos.waitMs=50
    #Length of time, in milliseconds, that the request will be suspended if it is not accepted immediately. If set to -1, the container default timeout applies. Default is 30000 ms.
    web.qos.suspendMs=30000
    
    #Jetty DoS filter settings 
    # https://www.eclipse.org/jetty/documentation/current/dos-filter.html
    # Filter enabled setting
    web.dos.enabled=false
    #Maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. Default is 25.
    web.dos.maxRequestsPerSec=75
    #Delay imposed on all requests over the rate limit, before they are considered at all
    #  100ms default, -1 = Reject request, 0 = no delay, any other value is delay in ms
    web.dos.delayMs=100
    #Length of time, in ms, to blocking wait for the throttle semaphore. Default is 50 ms.
    web.dos.maxWaitMs=50
    #Number of requests over the rate limit able to be considered at once. Default is 5.
    web.dos.throttledRequests=5
    #Length of time, in ms, to async wait for semaphore. Default is 30000.
    web.dos.throttleMs=30000
    #Length of time to let the request run, default is 30000 (Keep above 60s for DWR Long Poll to work in legacy UI) 
    web.dos.maxRequestMs=120000
    #Length of time, in ms, to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it. Default is 30000.
    web.dos.maxIdleTrackerMs=30000
    #If true, insert the DoSFilter headers into the response. Defaults to true.
    web.dos.insertHeaders=true
    #If true, usage rate is tracked by session if a session exists. Defaults to true.
    web.dos.trackSessions=true
    #If true and session tracking is not used, then rate is tracked by IP and port (effectively connection). Defaults to false.
    web.dos.remotePort=false
    #A comma-separated list of IP addresses that will not be rate limited.
    # Note: These are actual client IPs when behind a proxy server if you configure web.forwardedHeaders.trustedIpRanges to trust your proxy's IP
    web.dos.ipWhitelist=
    
    #Jetty Low Resource Management (Used to attempt to free resources when under heavy load)
    # https://www.eclipse.org/jetty/documentation/current/limit-load.html
    web.lowResource.enabled=false
    # Period in ms to check for a low resource condition, default 10000
    web.lowResource.checkPeriod=10000
    # In low resource condition all existing connection idle timeouts are set to this value, default 1000
    web.lowResource.lowResourcesIdleTimeout=1000
    # check connectors executors to see if their ThreadPool instances that are low on threads, default true
    web.lowResource.monitorThreads=true
    # The maximum memory in bytes that Java is allowed to use before the low resource condition is triggered.
    # If left empty, the default is 90% of the maximum memory the JVM is configured to use.
    # Set to 0 to disable the memory usage checks.
    web.lowResource.maxMemory=
    # The time in milliseconds that a low resource state can persist before the low resource idle timeout is reapplied to all connections, default 5000
    web.lowResource.maxLowResourceTime=5000
    # If false, new connections are not accepted while in low resources
    web.lowResource.acceptingInLowResources=true
    
    # Maximum number of allowed connections, defaults to 0 (disabled)
    web.connectionLimit=0
    
    # Jetty JSP servlet configuration (init parameters)
    # See for descriptions
    # https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-webapp/src/main/config/etc/webdefault.xml
    web.jsp.development=true
    web.jsp.genStringsAsCharArray=true
    web.jsp.trimSpaces=false
    web.jsp.classdebuginfo=false
    web.jsp.supressSmap=true
    web.jsp.compilerClassName=org.apache.jasper.compiler.JDTCompiler
    web.jsp.compiler=modern
    web.jsp.fork=false
    web.jsp.keepgenerated=true
    web.jsp.modificationTestInterval=4
    
    # Jetty default servlet configuration (init parameters)
    # See for descriptions
    # https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-webapp/src/main/config/etc/webdefault.xml
    web.defaultServlet.dirAllowed=false
    web.defaultServlet.maxCacheSize=256000000
    web.defaultServlet.maxCachedFileSize=200000000
    web.defaultServlet.maxCachedFiles=2048
    web.defaultServlet.etags=false
    # defaults to false for Windows, defaults to true for all other OS
    # see https://www.eclipse.org/jetty/documentation/current/troubleshooting-locked-files-on-windows.html
    #web.defaultServlet.useFileMappedBuffer=true
    
    #iFrame Header Control iFrame Header Control 'X-Frame-Options' (case sensitive options)
    # SAMEORIGIN - Only allow Mango to embed i-frames when the requesting page was loaded from the Mango domain
    # DENY - Do not allow at all
    # ANY - Do not even use the header at all 
    # One specific domain name can be supplied so that the header becomes: ALLOW-FROM http://foo.bar.com 
    web.security.iFrameAccess=SAMEORIGIN
    
    #Follow symbolic links when serving files from Jetty
    web.security.followSymlinks=true
    
    # Content Security Policy settings, please see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # The reasons for the default policy are outlined below
    # style-src 'unsafe-inline' - inline styles are used by AngularJS Material for the dynamic theming
    # script-src 'unsafe-eval' - needed by Fabric.js used in amCharts for drawing on charts, also gives AngularJS a 30% performance boost
    # connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname
    # img-src data: - allows for small base64 encoded images to be embedded inline into the html
    # img-src/script-src https://www.google-analytics.com - allows for enabling Google analytics (not enabled by default, must be manually enabled by admin via UI Settings page)
    # img-src/script-src https://maps.google.com https://maps.googleapis.com https://maps.gstatic.com - allows for using the Google maps component
    # style-src/font-src https://fonts.googleapis.com https://fonts.gstatic.com - allows for using Google fonts in dashboards
    web.security.contentSecurityPolicy.enabled=false
    web.security.contentSecurityPolicy.reportOnly=false
    web.security.contentSecurityPolicy.defaultSrc='self'
    web.security.contentSecurityPolicy.scriptSrc='self' 'unsafe-eval' https://maps.google.com https://maps.googleapis.com https://www.google-analytics.com
    web.security.contentSecurityPolicy.styleSrc='self' 'unsafe-inline' https://fonts.googleapis.com
    web.security.contentSecurityPolicy.connectSrc='self' ws: wss:
    web.security.contentSecurityPolicy.imgSrc='self' data: https://maps.google.com https://maps.gstatic.com https://www.google-analytics.com
    web.security.contentSecurityPolicy.fontSrc='self' https://fonts.gstatic.com
    web.security.contentSecurityPolicy.mediaSrc=
    web.security.contentSecurityPolicy.objectSrc=
    web.security.contentSecurityPolicy.frameSrc=
    web.security.contentSecurityPolicy.workerSrc=
    web.security.contentSecurityPolicy.manifestSrc=
    web.security.contentSecurityPolicy.other=
    
    # script-src 'unsafe-inline' - inline scripts are used extensively throughout the Mango legacy UI
    # script-src 'unsafe-eval' - The Dojo JS library uses eval()
    # style-src 'unsafe-inline' - inline styles are used throughout the Mango legacy UI
    # connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname
    # img-src data: - allows for small base64 encoded images to be embedded inline into the html
    # img-src/script-src https://www.google-analytics.com - allows for enabling Google analytics
    web.security.contentSecurityPolicy.legacyUi.enabled=false
    web.security.contentSecurityPolicy.legacyUi.reportOnly=false
    web.security.contentSecurityPolicy.legacyUi.defaultSrc='self'
    web.security.contentSecurityPolicy.legacyUi.scriptSrc='self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com
    web.security.contentSecurityPolicy.legacyUi.styleSrc='self' 'unsafe-inline'
    web.security.contentSecurityPolicy.legacyUi.connectSrc='self' ws: wss:
    web.security.contentSecurityPolicy.legacyUi.imgSrc='self' data: https://www.google-analytics.com
    web.security.contentSecurityPolicy.legacyUi.fontSrc=
    web.security.contentSecurityPolicy.legacyUi.mediaSrc=
    web.security.contentSecurityPolicy.legacyUi.objectSrc=
    web.security.contentSecurityPolicy.legacyUi.frameSrc=
    web.security.contentSecurityPolicy.legacyUi.workerSrc=
    web.security.contentSecurityPolicy.legacyUi.manifestSrc=
    web.security.contentSecurityPolicy.legacyUi.other=
    
    #Regex used to match serial ports so they show up in the menu
    serial.port.linux.regex=((cu|ttyS|ttyUSB|ttyACM|ttyAMA|rfcomm|ttyO|COM)[0-9]{1,3}|rs(232|485)-[0-9])
    serial.port.linux.path=/dev/
    serial.port.windows.regex=
    serial.port.windows.path=
    serial.port.osx.path=/dev/
    serial.port.osx.regex=(cu|tty)..*
    #Number of bytes read events to queue up before discarding
    serial.port.eventQueueSize=10000
    #Rate at which to poll the serial port for new data in Linux (Windows uses interrupts)
    serial.port.linux.readPeriods=100
    serial.port.linux.readPeriodType=NANOSECONDS
    
    #Start data sources in parallel threads
    runtime.datasource.startupThreads=8
    #Log startup times for runtime manager
    runtime.datasource.logStartupMetrics=true
    #Log number of aborted polls for a polling data source this often at a minimum (only logged after next aborted poll past this time)
    runtime.datasource.pollAbortedLogFrequency=3600000
    
    #Report Javascript Execution Times at INFO Level logging
    # add this to log4j.xml   <category name="org.perf4j.TimingLogger"><level value="info"/></category>
    runtime.javascript.metrics=false
    
    #Default task queue size for the Real Time Timer, should multiple tasks of the same type be queued up?
    # Tasks are rejected from a full queue, a size of 0 means reject multiple instances of the same task
    runtime.realTimeTimer.defaultTaskQueueSize=0
    #When a task queue is full should the waiting tasks be discarded and replaced with the most recent
    runtime.realTimeTimer.flushTaskQueueOnReject=false
    #Delay (in ms) to wait to rate limit task rejection log messages so they don't fill up logs and use too much cpu doing it
    runtime.taskRejectionLogPeriod=10000
    #Maximum counts to wait to terminate the thread pool's tasks that are running or queued to run
    # each count is 1 second.  So the default of 60 = 1 minute.  Note that the medium and low
    # timeout happens first and then the remaining time is spent waiting of the high priority tasks.
    # So by setting both to the same value will result in waiting only as long as that value.
    runtime.shutdown.medLowTimeout=60
    runtime.shutdown.highTimeout=60
    
    # Set the location of the file stores, (relative to $MA_HOME if not absolute)
    # If not set, the location is $MA_HOME/filestore
    filestore.location=filestore
    
    # Set the location of the modules data directory, (relative to $MA_HOME if not absolute)
    # If not set, the location is $MA_HOME/data
    moduleData.location=data
    
    # HTTP session (authentication) cookie name and domain name settings.
    #
    # Use the Mango GUID as the session cookie name
    sessionCookie.useGuid=true
    # name takes precedence over useGuid if set
    sessionCookie.name=
    # Set the domain name that the cookie is valid for, can be used to make the session login valid for subdomains too.
    # If left blank the session cookie can only be used for the domain that you login at.
    sessionCookie.domain=
    
    # Controls the poll period for collecting internal metrics
    internal.monitor.pollPeriod=10000
    # Controls the poll period for collecting disk usage
    internal.monitor.diskUsage.pollPeriod=1200000
    # Should MA_HOME and each file store directory be monitored individually in addition to the partitions?
    internal.monitor.diskUsage.monitorDirectories=false
    

  • Is your client running on port 80?
    Looking at that, the server will connect on the same port it's set up on. Also note your ssh settings as well. since ES units run on port 2222, you'd have to configure port forwarding if you're coming in from port 22.


  • Hi @cmason

    Have you set up a wildcard DNS record for *.subdomain.hostname?
    Is your Certificate a wildcard certificate?

    The proxy basically routes guid.subdomain.domain -> localhost:"client web port" . I have never seen this before where you get a guid.mangoHTS### URL. Probably cause it's not common to set up an HTS as the CC server.
    Please go to administration --> system settings -> ES configuration and change the hostname to your public hostname. I believe that will fix the URL issue.


  • This post is deleted!

  • @mattfox said in Cloud Connect Help:

    settings as well. since ES units run on port 2222, you'd have to configure port forwarding if yo

    The reverse proxy will setup port forwarding for both web and ssh ports so that you will be able to access both from your CC server. You will not need to setup port forwarding on the mangoHTS side.

    If you want to ssh into your mangoHTS you will ssh into the CC server and then run the following cmd:
    ssh -p 37001 mango@localhost the CC server will route that to the mangoHTS on the reverse proxy connection.


  • 0_1598424208231_1f8d31a7-83ce-43cb-ab87-aaf6993e9c17-image.png
    Was what i was referring to


  • The proxy basically routes guid.subdomain.domain -> localhost:"client web port" . I have never seen this before where you get a guid.mangoHTS### URL. Probably cause it's not common to set up an HTS as the CC server.
    Please go to administration --> system settings -> ES configuration and change the hostname to your public hostname. I believe that will fix the URL issue.

    Yes this did fix the issue of the url that was given to the new window.

    The new windows now opens up with 'GUID.subdomain.domain'

    However I've got a new problem. The window just opens and directs straight into the servers UI from where I just came from. Basically just loops it around on itself.

    Have you set up a wildcard DNS record for *.subdomain.hostname?

    Not technically but the subdomain.domain is resolving to the domain. the subdomain part is really so the reverse proxy can identify it.

    Is your Certificate a wildcard certificate?

    Yes


  • I suggest trying to get it working without the complexity of your reverse proxy first.

    You will need a wildcard DNS record that resolves to your MangoHTS server.

    Basically, when you open the link the traffic will go as below
    GUID.subdomain.domain --> "CC server"-->.localhost:37000-->MangoHTS:8080


  • @craigweb said in Cloud Connect Help:

    I suggest trying to get it working without the complexity of your reverse proxy first.

    Ok I'll try that out. What's the recommended way to secure the connections then between the mango and the internet? The main reason I was using the reverse proxy was for security.

    @MattFox Are you using cloud connect with the reverse proxy? If so is that using apache on the same machine as your mango like I've seen you describe in some of the other threads?


  • Ive just dropped apache in favour of Nginx because it has better support for proxy headers.
    Happy to help you with that.
    In the meantime we can focus on plain http with the mango running on port 8080 then using the proxy engine to handle all requests and merely serve them to mango.
    Im going to bed now so Ill assist with that tomorrow. In fact I think Ill write a tutorial...

    Fox


  • @cmason
    Mount your certificate on the mango web server so all HTTP traffic is encrypted.
    Mango webserver has a rate limiter on unauthorized API requests.
    CC server uses ssh so those sockets are all encrypted.
    The persistent data source/publisher uses encryption as well. you can choose the size of the shared key.
    Use a firewall to block all unused ports.

    I may be wrong but how I don't see how the reverse proxy will make it more secure.


  • @MattFox @CraigWeb

    Thanks Guys. I followed what you guys said and stripped it all back to the basics and got it working without the proxy. Funnily enough though It worked with HTTPS 'ssl.on=true' (self signed on the mango) but HTTP was having issues.
    Anyway I enabled set 'ssl.on=true' on the server and got it all working.

    Then I moved it all back behind the reverse proxy, and so far it all seems to be working fine.
    The only difference this time is the ssl.on = true.

    I may be wrong but how I don't see how the reverse proxy will make it more secure

    Yeah I mainly did this because I'm using a Synology NAS as the reverse proxy, it has nginx built in. Having this take care of the certificates and the auto renewals etc seemed a lot more straight forward then getting it to work on the mango with the java keystore etc. Perhaps a feature to add for Mango 4? haha.

    I'll see how this goes and keep you posted.

    Bearing in mind that the ports 9005 for cloud connect and the ports I've opened for the PTCP publishers get forwarded straight to the mango itself. I haven't got them going through the reverse proxy. Are the HTTP/S payloads?


  • Awesome!
    They are not HTTP payloads.
    I use let's encrypt and certbot to handle certificate renewals. There is a script in mango that can be run after the cert is renewed that will move the certificate into the keystore and replace the old cert. /mango/bin/certbot-deploy.sh
    You may want to look at that.