add nats websocket support

2022-06-26 21:41:06 +00:00 · 2022-06-26 21:41:06 +00:00 · 42e1717455
parent bfb19a9eb7
commit 42e1717455
8 changed files with 54 additions and 5 deletions
--- a/api/tacticalrmm/agents/models.py
+++ b/api/tacticalrmm/agents/models.py
@ -37,6 +37,7 @@ from tacticalrmm.constants import (
    PAAction,
    PAStatus,
 )
+from tacticalrmm.helpers import get_nats_ports
 from tacticalrmm.models import PermissionQuerySet

 if TYPE_CHECKING:
@ -786,8 +787,9 @@ class Agent(BaseAuditModel):
    async def nats_cmd(
        self, data: Dict[Any, Any], timeout: int = 30, wait: bool = True
    ) -> Any:
+        nats_std_port, _ = get_nats_ports()
        options = {
-            "servers": f"tls://{settings.ALLOWED_HOSTS[0]}:4222",
+            "servers": f"tls://{settings.ALLOWED_HOSTS[0]}:{nats_std_port}",
            "user": "tacticalrmm",
            "password": settings.SECRET_KEY,
            "connect_timeout": 3,
--- a/api/tacticalrmm/core/management/commands/create_natsapi_conf.py
+++ b/api/tacticalrmm/core/management/commands/create_natsapi_conf.py
@ -4,6 +4,8 @@ import os
 from django.conf import settings
 from django.core.management.base import BaseCommand

+from tacticalrmm.helpers import get_nats_ports
+

 class Command(BaseCommand):
    help = "Generate conf for nats-api"
@ -19,9 +21,10 @@ class Command(BaseCommand):
        else:
            ssl = "disable"

+        nats_std_port, _ = get_nats_ports()
        config = {
            "key": settings.SECRET_KEY,
-            "natsurl": f"tls://{settings.ALLOWED_HOSTS[0]}:4222",
+            "natsurl": f"tls://{settings.ALLOWED_HOSTS[0]}:{nats_std_port}",
            "user": db["USER"],
            "pass": db["PASSWORD"],
            "host": db["HOST"],
--- a/api/tacticalrmm/tacticalrmm/helpers.py
+++ b/api/tacticalrmm/tacticalrmm/helpers.py
@ -17,3 +17,13 @@ def get_certs() -> tuple[str, str]:

 def notify_error(msg: str) -> Response:
    return Response(msg, status=status.HTTP_400_BAD_REQUEST)
+
+
+def get_nats_ports() -> tuple[int, int]:
+    """
+    Returns: tuple[nats_standard_port: int, nats_websocket_port: int]
+    """
+    nats_standard_port = getattr(settings, "NATS_STANDARD_PORT", 4222)
+    nats_websocket_port = getattr(settings, "NATS_WEBSOCKET_PORT", 9235)
+
+    return (nats_standard_port, nats_websocket_port)
--- a/api/tacticalrmm/tacticalrmm/utils.py
+++ b/api/tacticalrmm/tacticalrmm/utils.py
@ -28,7 +28,7 @@ from tacticalrmm.constants import (
    DebugLogType,
    ScriptShell,
 )
-from tacticalrmm.helpers import get_certs, notify_error
+from tacticalrmm.helpers import get_certs, notify_error, get_nats_ports


 def generate_winagent_exe(
@ -193,6 +193,8 @@ def reload_nats() -> None:
            )

    cert_file, key_file = get_certs()
+    nats_std_port, nats_ws_port = get_nats_ports()
+
    config = {
        "tls": {
            "cert_file": cert_file,
@ -200,6 +202,11 @@ def reload_nats() -> None:
        },
        "authorization": {"users": users},
        "max_payload": 67108864,
+        "port": nats_std_port,  # internal only
+        "websocket": {
+            "port": nats_ws_port,
+            "no_tls": True,  # TLS is handled by nginx, so not needed here
+        },
    }

    conf = os.path.join(settings.BASE_DIR, "nats-rmm.conf")
--- a/docker/containers/tactical-nats/dockerfile
+++ b/docker/containers/tactical-nats/dockerfile
@ -26,4 +26,4 @@ ENTRYPOINT [ "/entrypoint.sh" ]

 USER 1000

-EXPOSE 4222
+EXPOSE 4222 9235
--- a/docker/containers/tactical-nginx/entrypoint.sh
+++ b/docker/containers/tactical-nginx/entrypoint.sh
@ -10,6 +10,7 @@ set -e
 : "${FRONTEND_SERVICE:=tactical-frontend}"
 : "${MESH_SERVICE:=tactical-meshcentral}"
 : "${WEBSOCKETS_SERVICE:=tactical-websockets}"
+: "${NATS_SERVICE:=tactical-nats}"
 : "${DEV:=0}"

 : "${CERT_PRIV_PATH:=${TACTICAL_DIR}/certs/privkey.pem}"
@ -97,6 +98,19 @@ server  {
        proxy_set_header   X-Forwarded-Host \$server_name;
    }

+    location ~ ^/natsws {
+        set \$natswebsocket http://${NATS_SERVICE}:9235;
+        proxy_pass \$natswebsocket;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host \$host;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-Host \$host:\$server_port;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+
    client_max_body_size 300M;

    listen 4443 ssl;
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -86,6 +86,7 @@ services:
      API_HOST: ${API_HOST}
    ports:
      - "4222:4222"
+      - "9235:9235"
    volumes:
      - tactical_data:/opt/tactical
    networks:
--- a/install.sh
+++ b/install.sh
@ -556,6 +556,18 @@ server {
        proxy_set_header   X-Forwarded-Host \$server_name;
    }

+    location ~ ^/natsws {
+        proxy_pass http://127.0.0.1:9235;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host \$host;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-Host \$host:\$server_port;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+
    location / {
        uwsgi_pass  tacticalrmm;
        include     /etc/nginx/uwsgi_params;
@ -864,7 +876,7 @@ if [ "$BEHIND_NAT" = true ]; then
    echo -ne "${GREEN}If you will be accessing the web interface of the RMM from the same LAN as this server,${NC}\n"
    echo -ne "${GREEN}you'll need to make sure your 3 subdomains resolve to ${IPV4}${NC}\n"
    echo -ne "${GREEN}This also applies to any agents that will be on the same local network as the rmm.${NC}\n"
-    echo -ne "${GREEN}You'll also need to setup port forwarding in your router on ports 80, 443 and 4222 tcp.${NC}\n\n"
+    echo -ne "${GREEN}You'll also need to setup port forwarding in your router on port 443${NC}\n\n"
 fi

 printf >&2 "${YELLOW}Please refer to the github README for next steps${NC}\n\n"