### Upgrading to Tactical RMM 0.3.0

Some of these steps may not apply to you depending on when you installed, but please go through all of them to make sure you have not missed any.

1. Stop all services

```bash
for i in salt-master salt-api rmm celery celerybeat celery-winupdate meshcentral nginx; do
    sudo systemctl stop $i
done
```

2. Edit `/etc/nginx/sites-available/rmm.conf` and add the following location block. You can add it right after the `location /builtin/ {...}` block. This file needs to be opened with sudo.

```nginx
location ~ ^/(natsapi) {
    allow 127.0.0.1;
    deny all;
    uwsgi_pass tacticalrmm;
    include /etc/nginx/uwsgi_params;
    uwsgi_read_timeout 500s;
    uwsgi_ignore_client_abort on;
}
```

Add the following to the top of the file, right under the `upstream tacticalrmm {...}` block:

```nginx
map $http_user_agent $ignore_ua {
    "~python-requests.*" 0;
    "~go-resty.*" 0;
    default 1;
}
```

Look for this line

```nginx
access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log;
```

and change it to

```nginx
access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=$ignore_ua;
```

Example of what the entire file should look like:

```nginx
server_tokens off;

upstream tacticalrmm {
    server unix:////rmm/api/tacticalrmm/tacticalrmm.sock;
}

map $http_user_agent $ignore_ua {
    "~python-requests.*" 0;
    "~go-resty.*" 0;
    default 1;
}

server {
    listen 80;
    server_name api.EXAMPLE.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name api.yourdomain.com;
    client_max_body_size 300M;
    access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=$ignore_ua;
    error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

    location /static/ {
        root /rmm/api/tacticalrmm;
    }

    location /private/ {
        internal;
        add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
        alias /rmm/api/tacticalrmm/tacticalrmm/private/;
    }

    location /saltscripts/ {
        internal;
        add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
        alias /srv/salt/scripts/userdefined/;
    }

    location /builtin/ {
        internal;
        add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
        alias /srv/salt/scripts/;
    }

    location ~ ^/(natsapi) {
        allow 127.0.0.1;
        deny all;
        uwsgi_pass tacticalrmm;
        include /etc/nginx/uwsgi_params;
        uwsgi_read_timeout 9999s;
        uwsgi_ignore_client_abort on;
    }

    location / {
        uwsgi_pass tacticalrmm;
        include /etc/nginx/uwsgi_params;
        uwsgi_read_timeout 9999s;
        uwsgi_ignore_client_abort on;
    }
}
```

3. Edit `/etc/nginx/sites-available/meshcentral.conf` and change it to match the example below. Don't forget to replace `mesh.EXAMPLE.COM` with your mesh domain. This file needs to be opened with sudo.

```nginx
server {
    listen 80;
    server_name mesh.EXAMPLE.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    proxy_send_timeout 330s;
    proxy_read_timeout 330s;
    server_name mesh.example.com;
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    ssl_session_cache shared:WEBSSL:10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:4430/;
        proxy_http_version 1.1;

        proxy_set_header Host $host; ## this line is new
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

4. Edit `/meshcentral/meshcentral-data/config.json` and change it to match the example below. Replace `mesh.example.com` with your mesh domain. After editing, use a JSON linter like `https://jsonlint.com/` to verify there are no syntax errors, otherwise meshcentral will fail to start.

```json
{
  "settings": {
    "Cert": "mesh.example.com",
    "MongoDb": "mongodb://127.0.0.1:27017",
    "MongoDbName": "meshcentral",
    "WANonly": true,
    "Minify": 1,
    "Port": 4430,
    "AliasPort": 443,
    "RedirPort": 800,
    "AllowLoginToken": true,
    "AllowFraming": true,
    "_AgentPing": 60,
    "AgentPong": 200,
    "AllowHighQualityDesktop": true,
    "TlsOffload": "127.0.0.1",
    "agentCoreDump": false,
    "Compression": true,
    "WsCompression": true,
    "AgentWsCompression": true,
    "MaxInvalidLogin": {
      "time": 5,
      "count": 5,
      "coolofftime": 30
    }
  },
  "domains": {
    "": {
      "Title": "Tactical RMM",
      "Title2": "Tactical RMM",
      "NewAccounts": false,
      "CertUrl": "https://mesh.example.com:443/",
      "GeoLocation": true,
      "CookieIpCheck": false,
      "mstsc": true
    }
  }
}
```

5. Replace `/rmm/api/tacticalrmm/app.ini` with the following:

```ini
[uwsgi]

chdir = /rmm/api/tacticalrmm
module = tacticalrmm.wsgi
home = /rmm/api/env
master = true
processes = 6
threads = 6
enable-threads = True
socket = /rmm/api/tacticalrmm/tacticalrmm.sock
harakiri = 300
chmod-socket = 666
# clear environment on exit
vacuum = true
die-on-term = true
max-requests = 500
max-requests-delta = 1000
```

6. Replace `/etc/salt/master.d/rmm-salt.conf` with the following. This file needs to be opened with sudo.

```yaml
timeout: 20
gather_job_timeout: 25
max_event_size: 30485760
external_auth:
  pam:
    saltapi:
      - .*
      - '@runner'
      - '@wheel'
      - '@jobs'

rest_cherrypy:
  port: 8123
  disable_ssl: True
  max_request_body_size: 30485760
```

7. Edit `/etc/conf.d/celery.conf` and `/etc/conf.d/celery-winupdate.conf` and change

```
CELERYD_LOG_LEVEL="INFO"
```

to

```
CELERYD_LOG_LEVEL="ERROR"
```

8. Clear log files

```bash
baselog="/rmm/api/tacticalrmm/tacticalrmm/private/log"
for i in ${baselog}/access.log ${baselog}/error.log ${baselog}/debug.log ${baselog}/uwsgi.log; do
    sudo rm -f $i
done
sudo rm -f /var/log/celery/*
```

9. Verify that the nginx syntax is correct. If there are any errors, check the steps above and fix the nginx configs.

```
sudo nginx -t
```

10. Edit `/etc/hosts` and make sure the line starting with 127.0.1.1 or 127.0.0.1 has your 3 subdomains in it like this:

```
127.0.0.1 localhost
127.0.1.1 yourservername api.example.com rmm.example.com mesh.example.com
```

11. Start services

```bash
for i in rmm celery celerybeat celery-winupdate salt-master salt-api nginx meshcentral; do
    sudo systemctl start $i
done
```

12. Delete whatever `update.sh` script you currently have, then download the latest one and run it

```bash
wget https://raw.githubusercontent.com/wh1te909/tacticalrmm/master/update.sh
chmod +x update.sh
./update.sh
```
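
The edits from steps 2 and 4 can be checked from the shell before services are started in step 11. The script below is an added example, not part of the Tactical RMM project: it confirms that the `natsapi` location admits only `127.0.0.1`, that `access_log` is filtered through `$ignore_ua`, and that `config.json` parses, using a local parser. The function names and the sample config fragment are made up for illustration, and `python3` is assumed to be installed.

```shell
# Added example, not Tactical RMM project code. Function names are illustrative.

# Step 2: pass only if natsapi allows 127.0.0.1 and nothing else, then denies all.
check_natsapi_acl() {
    awk '
        /location[ \t]+~[ \t]+\^\/\(natsapi\)/ { inblk = 1 }
        inblk {
            line = $0
            if (gsub(/allow[ \t]+127\.0\.0\.1;/, "", line)) allow = 1
            if (line ~ /allow[ \t]/) extra = 1   # any other allow widens access
            if (line ~ /deny[ \t]+all;/ && allow) ok = 1
            if (line ~ /[}]/) inblk = 0
        }
        END { exit (ok && !extra) ? 0 : 1 }
    ' "$1"
}

# Step 2: pass only if the $ignore_ua map exists and access_log uses it.
check_access_log_filter() {
    grep -Eq 'map[[:space:]]+\$http_user_agent[[:space:]]+\$ignore_ua' "$1" &&
    grep -Eq 'access_log[[:space:]].*combined[[:space:]]+if=\$ignore_ua;' "$1"
}

# Step 4: parse config.json locally (assumes python3 is installed).
check_json() { python3 -m json.tool "$1" >/dev/null 2>&1; }

# Run all checks; the return status is the number of failed checks.
preflight() {
    failed=0
    check_natsapi_acl "$1"       || { echo "FAIL: natsapi ACL in $1"; failed=$((failed + 1)); }
    check_access_log_filter "$1" || { echo "FAIL: access_log filter in $1"; failed=$((failed + 1)); }
    check_json "$2"              || { echo "FAIL: $2 is not valid JSON"; failed=$((failed + 1)); }
    return "$failed"
}

# Constructed sample fragment (not a real config) for trying the checks offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
map $http_user_agent $ignore_ua { "~python-requests.*" 0; default 1; }
access_log /tmp/access.log combined if=$ignore_ua;
location ~ ^/(natsapi) {
    allow 127.0.0.1;
    deny all;
}
EOF
}

# Usage: pass the paths from steps 2 and 4 as the two arguments.
if [ "$#" -eq 2 ]; then preflight "$@"; fi
```

Run it with `/etc/nginx/sites-available/rmm.conf` and `/meshcentral/meshcentral-data/config.json` as arguments; an exit status of 0 means all three checks passed.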