### Upgrading to Tactical RMM 0.3.0
|
|
- Some of these steps may not apply to you depending on when you installed, but please go through all of them to make sure nothing has been missed.
|
|
|
|
1. stop all services
|
|
```bash
|
|
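# Stop every Tactical RMM service before touching any config file; the same
# list is started again in step 11. The unit name is quoted so the loop stays
# lint-clean (SC2086) even if the list is later edited.
for i in salt-master salt-api rmm celery celerybeat celery-winupdate meshcentral nginx; do sudo systemctl stop "$i"; done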
|
|
```
|
|
|
|
2. Edit `/etc/nginx/sites-available/rmm.conf` and add the following location block. You can add it right after the `location /builtin/ {...}` block. This file needs to be opened with sudo
|
|
```bash
|
|
# Only loopback clients may reach /natsapi; "deny all" answers everyone else
# with 403 before the request is handed to uwsgi.
# NOTE(review): the full example file further down uses uwsgi_read_timeout 9999s
# for this same block — confirm which value is intended.
location ~ ^/(natsapi) {
allow 127.0.0.1;
deny all;
uwsgi_pass tacticalrmm;
include /etc/nginx/uwsgi_params;
uwsgi_read_timeout 500s;
uwsgi_ignore_client_abort on;
}
|
|
```
|
|
|
|
Add the following to the top of the file right under the `upstream tacticalrmm {...}` block
|
|
```bash
|
|
# Classifies each request by User-Agent: 0 for python-requests and go-resty
# clients (presumably the RMM agent's HTTP clients — confirm), 1 for anything
# else. The access_log "if=$ignore_ua" change below logs only when this is
# non-zero, so matching clients are left out of access.log.
map $http_user_agent $ignore_ua {
"~python-requests.*" 0;
"~go-resty.*" 0;
default 1;
}
|
|
```
|
|
|
|
Look for this line
|
|
```bash
|
|
access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log;
|
|
```
|
|
and change to
|
|
```bash
|
|
access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=$ignore_ua;
|
|
```
|
|
|
|
Example of what entire file should look like:
|
|
```bash
|
|
server_tokens off;

upstream tacticalrmm {
server unix:////rmm/api/tacticalrmm/tacticalrmm.sock;
}

# Classifies each request by User-Agent: 0 for python-requests and go-resty
# clients (presumably the RMM agent's HTTP clients — confirm), 1 for anything
# else. Used by the access_log "if=" below.
map $http_user_agent $ignore_ua {
"~python-requests.*" 0;
"~go-resty.*" 0;
default 1;
}

# Plain-HTTP listener that does nothing but redirect to HTTPS.
server {
listen 80;
server_name api.EXAMPLE.com;
return 301 https://$server_name$request_uri;
}

server {
listen 443 ssl;
# NOTE(review): the port-80 server above uses api.EXAMPLE.com while this one
# uses api.yourdomain.com; both are placeholders for the same real API host.
server_name api.yourdomain.com;
client_max_body_size 300M;
# Logged only when $ignore_ua is non-zero, i.e. for user agents not matched
# by the map above.
access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=$ignore_ua;
error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

location /static/ {
root /rmm/api/tacticalrmm;
}

# The three "internal" locations below cannot be requested directly by a
# client; nginx serves them only via an internal redirect issued by the app.
location /private/ {
internal;
add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
alias /rmm/api/tacticalrmm/tacticalrmm/private/;
}

location /saltscripts/ {
internal;
add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
alias /srv/salt/scripts/userdefined/;
}

location /builtin/ {
internal;
add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
alias /srv/salt/scripts/;
}

# Only loopback clients may reach /natsapi; "deny all" answers everyone else
# with 403.
# NOTE(review): step 2 shows uwsgi_read_timeout 500s for this block while this
# example uses 9999s — confirm which value is intended.
location ~ ^/(natsapi) {
allow 127.0.0.1;
deny all;
uwsgi_pass tacticalrmm;
include /etc/nginx/uwsgi_params;
uwsgi_read_timeout 9999s;
uwsgi_ignore_client_abort on;
}

# Everything else goes to the Django app over the uwsgi socket.
location / {
uwsgi_pass tacticalrmm;
include /etc/nginx/uwsgi_params;
uwsgi_read_timeout 9999s;
uwsgi_ignore_client_abort on;
}
}
|
|
```
|
|
|
|
3. Edit `/etc/nginx/sites-available/meshcentral.conf` and change to match the example below. Don't forget to replace `mesh.EXAMPLE.COM` with your mesh domain. This file needs to be opened with sudo
|
|
```bash
|
|
# Plain-HTTP listener that does nothing but redirect to HTTPS.
server {
listen 80;
server_name mesh.EXAMPLE.com;
return 301 https://$server_name$request_uri;
}

server {
listen 443 ssl;
proxy_send_timeout 330s;
proxy_read_timeout 330s;
server_name mesh.example.com;
ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
ssl_session_cache shared:WEBSSL:10m;
# NOTE(review): this cipher list differs from the explicit ECDHE/DHE AEAD list
# used in rmm.conf (step 2); consider aligning the two files.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

location / {
# TLS terminates here; meshcentral itself listens in plain HTTP on
# 127.0.0.1:4430 (see "Port": 4430 and "TlsOffload": "127.0.0.1" in
# config.json, step 4).
proxy_pass http://127.0.0.1:4430/;
proxy_http_version 1.1;

proxy_set_header Host $host; ## this line is new
# Pass the client's connection-upgrade request through to meshcentral.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Tell meshcentral the original host, client address and scheme.
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
|
|
```
|
|
|
|
4. Edit `/meshcentral/meshcentral-data/config.json` and change it to match the example below. Replace `mesh.example.com` with your mesh domain. After editing, run it through a JSON linter such as `https://jsonlint.com/` (or locally with `python3 -m json.tool /meshcentral/meshcentral-data/config.json`, which avoids pasting the file into a third-party site) to verify there are no syntax errors; otherwise meshcentral will fail to start.
|
|
```
|
|
{
|
|
"settings": {
|
|
"Cert": "mesh.example.com",
|
|
"MongoDb": "mongodb://127.0.0.1:27017",
|
|
"MongoDbName": "meshcentral",
|
|
"WANonly": true,
|
|
"Minify": 1,
|
|
"Port": 4430,
|
|
"AliasPort": 443,
|
|
"RedirPort": 800,
|
|
"AllowLoginToken": true,
|
|
"AllowFraming": true,
|
|
"_AgentPing": 60,
|
|
"AgentPong": 200,
|
|
"AllowHighQualityDesktop": true,
|
|
"TlsOffload": "127.0.0.1",
|
|
"agentCoreDump": false,
|
|
"Compression": true,
|
|
"WsCompression": true,
|
|
"AgentWsCompression": true,
|
|
"MaxInvalidLogin": { "time": 5, "count": 5, "coolofftime": 30 }
|
|
},
|
|
"domains": {
|
|
"": {
|
|
"Title": "Tactical RMM",
|
|
"Title2": "Tactical RMM",
|
|
"NewAccounts": false,
|
|
"CertUrl": "https://mesh.example.com:443/",
|
|
"GeoLocation": true,
|
|
"CookieIpCheck": false,
|
|
"mstsc": true
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
5. Replace `/rmm/api/tacticalrmm/app.ini` with the following:
|
|
```bash
|
|
[uwsgi]

chdir = /rmm/api/tacticalrmm
module = tacticalrmm.wsgi
home = /rmm/api/env
master = true
processes = 6
threads = 6
enable-threads = True
socket = /rmm/api/tacticalrmm/tacticalrmm.sock
# a request still running after this many seconds is killed
harakiri = 300
# NOTE(review): 666 lets every local user connect to the socket; 660 together
# with chown-socket set to the account nginx runs as is tighter — confirm that
# account on this host before changing it.
chmod-socket = 666
# clear environment on exit
vacuum = true
die-on-term = true
max-requests = 500
max-requests-delta = 1000
|
|
```
|
|
|
|
6. Replace `/etc/salt/master.d/rmm-salt.conf` with the following. This file needs to be opened with sudo
|
|
```
|
|
timeout: 20
gather_job_timeout: 25
max_event_size: 30485760
# The "saltapi" PAM account may call every execution module (.*) plus all
# runner, wheel and jobs functions — a very broad grant on the master.
external_auth:
pam:
saltapi:
- .*
- '@runner'
- '@wheel'
- '@jobs'

# NOTE(review): disable_ssl serves salt-api over plain HTTP on port 8123, and
# nothing in this file restricts it to localhost — confirm it is bound or
# firewalled so only the RMM host can reach it.
rest_cherrypy:
port: 8123
disable_ssl: True
max_request_body_size: 30485760
|
|
```
|
|
|
|
7. Edit `/etc/conf.d/celery.conf` and `/etc/conf.d/celery-winupdate.conf` and change
|
|
```
|
|
CELERYD_LOG_LEVEL="INFO"
|
|
```
|
|
to
|
|
```
|
|
CELERYD_LOG_LEVEL="ERROR"
|
|
```
|
|
|
|
8. Clear log files
|
|
```bash
|
|
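baselog="/rmm/api/tacticalrmm/tacticalrmm/private/log"
# Remove the four application logs. The path is quoted and "--" ends option
# parsing so rm never misreads a path as a flag.
for logfile in access.log error.log debug.log uwsgi.log; do
  sudo rm -f -- "${baselog}/${logfile}"
done
# Celery logs; -f keeps this quiet when the directory is already empty.
sudo rm -f -- /var/log/celery/*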
|
|
```
|
|
|
|
9. Verify the nginx syntax is correct. If there are any errors, check the steps above and fix the nginx configs.
|
|
```
|
|
sudo nginx -t
|
|
```
|
|
|
|
10. Edit `/etc/hosts` and make sure the line starting with 127.0.1.1 or 127.0.0.1 has your 3 subdomains in it like this:
|
|
```bash
|
|
127.0.0.1 localhost
|
|
127.0.1.1 yourservername api.example.com rmm.example.com mesh.example.com
|
|
```
|
|
|
|
11. Start services
|
|
```bash
|
|
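# Start the services stopped in step 1, in the order the app expects (the
# Django app and workers before the proxies). Quoted for lint cleanliness
# (SC2086) even though the unit names contain no whitespace.
for i in rmm celery celerybeat celery-winupdate salt-master salt-api nginx meshcentral; do sudo systemctl start "$i"; done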
|
|
```
|
|
|
|
12. Delete whatever `update.sh` script you currently have, then download the latest one and run it
|
|
```bash
|
|
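# Remove any previous copy first: if update.sh already exists, wget would save
# the download as update.sh.1 and the "./update.sh" below would run the stale
# script instead of the new one. -O pins the output name for the same reason.
rm -f -- update.sh
wget -O update.sh https://raw.githubusercontent.com/wh1te909/tacticalrmm/master/update.sh
# The script is fetched from an unpinned branch; read it over before executing.
chmod +x update.sh
./update.sh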
|
|
```
|
|
|
|
|
|
|