@sodium said in Sodium Helpdesk: Unable To Create Password In Chrome:

@quixoticjeremy said in Sodium Helpdesk: Unable To Create Password In Chrome:

Have found the issue and have pushed a release. Keeping an eye for when it hits production to verify that like in dev this will fix the issue.

Push to prod is done.

Confirmed. The fix allows me to create password in Chrome.

You may also want to harden the web server.

@Sodium

Should be an easy one to fix. Noticed HTTP doesn't auto-redirect to HTTPS.

@Sodium

Right now the only edit that is allowed for existing users are to change Group, Reset Password or Delete. Also need the ability to change login name (without having to create a brand new user), change user email address and change First Name or Last Name. Any of those changes should also allow the user account to remain "attached" to any tickets, comments, updates, either currently open or historical.

Also, if a user is deleted, all existing or past tickets, comments, attachments, etc, should automatically be assigned to a "system" user to allow for searching and filtering, reassignment if necessary. Deleting a user should not create any orphan records that cannot be searched or reported on.

When creating a user where an email address is used as the login username, the new user cannot access the site. The new user keeps getting an invalid username or password error.

If the user clicks on the "Forgot Password" link and proceeds to reset password, an email is successfully sent to their mailbox and clicking the link (except with Google Chrome) the user is prompted for a new password, after which he is directed to the dashboard. If this user then logs out and attempts to log back in with an email address as the username and using the new password, they continue to receive the invalid username or password error.

After creating a new group in Agent Groupings, I go to Group Permissions, select the new group and enable permissions however, enabling "Ticket Settings" doesn't stick. After clicking the "submit" button, there is no confirmation that new permissions have been saved and upon screen refresh, the "Ticket Settings" revert back to disabled.

Select all permissions:

This is what it looks like after clicking the Submit button (no confirmation after Submit):

This is what it looks like after screen refresh:

I created an account at https://sodium.waxquixotic.com and on clicking the confirmation link received in the email, the link takes me to my Chrome browser where I can briefly see the spot for password creation however it disappears in under a second, immediately taking me back to the standard login screen without giving me the ability to create a password. The behavior exists whether I click the link in the email or copy/paste the URL into a new browser window in Chrome.

Google Chrome Version 60.0.3112.90 (Official Build) (64-bit)
Windows 10 Pro 1607

This behavior does not exist when I copy and paste the email confirmation link into my MS Edge browser. In Edge, I am able to see the password creation overlay and once typed in, proceed to the dashboard.

@jaredbusch said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@nashbrydges said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

I've been using an ERL at home for a while and have them deployed at several business. Zero complaints and I recommend them all the time.

I wish I could use it at home. I'm on Bell Canada ftth and they use a different vlan for iptv and internet. All of the online guides I've seen haven't been able to get me to use my ERL and Bell won't give up which VLANs they use.

No one hasd figured this information out yet?

Sadly not yet, at least not that my Google-fu has allowed me to find.

@brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

@nashbrydges seems like they would be able to put their equipment in bridge mode for you.

They refuse to let that happen too. They tell me that if in bridge mode, the iptv will fail. WHat I really wanted was for them to enable the second network connection on the ONT but they won't do that either. sigh. I'd switch to another provider if I wasn't already adicted to the Gb speed.

@brandon220 said in Comparing Ubiquiti EdgeRouter and Cisco ASA PPS Performance and Cost:

I've been using an ERL at home for a while and have them deployed at several business. Zero complaints and I recommend them all the time.

I wish I could use it at home. I'm on Bell Canada ftth and they use a different vlan for iptv and internet. All of the online guides I've seen haven't been able to get me to use my ERL and Bell won't give up which VLANs they use.

@jaredbusch said in Installing Debian 9.1 minimal:

@scottalanmiller said in Installing Debian 9.1 minimal:

I'm liking Debian more and more as I use it. However the install process has a ridiculous number of screens.

You can choose a different install method and should see fewer screens. My guides are not for the advanced users though.

The less advanced users thank you profusely for that.

@gjacobse Same here.

@travisdh1 said in Do you use Guacamole?:

fail2ban can handle it, tho some issues with rule matching happens according to the Google search I just did. https://www.jimwilbur.com/2016/08/fail2ban_guacamole/

Fail2ban now appears to be blocking failed attempts.

Using your link, I noticed catalina.out wasn't capturing failed logins so I created a blank file at /etc/rsyslog.d/tomcat.conf and then restarted rsyslog.

The regex wasn't working and the link didn't have the proper regex to use so a little search brought me here.
https://www.cb-net.co.uk/linux/debian-8-6-proxy-guacamole-via-nginx-using-https-and-fail2ban/

About 3/4 of the way down, the correct regex is shown as follows.
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.

Restarted Fail2ban confirmed that the regex would work
fail2ban-regex '/var/log/tomcat8/catalina.out' /etc/fail2ban/filter.d/guacamole.conf

I tried to login using an incorrect user/pwd combo. Sure enough, the outcome was this (masked IP address).

nashbrydges@guacamole:~$ sudo fail2ban-client status guacamole
Status for the jail: guacamole
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     13
|  `- File list:        /var/log/tomcat8/catalina.out
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   xxx.xxx.xxx.135

@travisdh1 Sweet! Gonna have to give this a try.

@stuartjordan said in Do you use Guacamole?:

Its very good, I have installed and used many times, would be nice to have a feature to limit the amount of login attempts or google Captcha.

I wrote a custom Fail2ban block script for a web app I had designed for a friend. Do you know where the access logs would be stored for Guac? I might be able to create something similar to use Fail2ban for.

@fateknollogee said in Do you use Guacamole?:

@nashbrydges I'm interested. You have any how-to-install notes?

I can't take any credit for these but I used the install script here with a fresh Ubuntu 17.04 install and it worked flawlessly.

https://www.chasewright.com/guacamole-with-mysql-on-ubuntu/

He also has one for a CentOS7 install somewhere on his site.

My Nginx proxy runs on a separate VM but the conf file for that looks like this.

server {
   listen 80;
   server_name mydomain.ca;
   return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name mydomain.ca;
  
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header Referrer-Policy strict-origin;
  #Had to comment out the line below as the CSP policy broke functionality.
  #add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
  ssl_stapling on;
  ssl_stapling_verify on;
  server_tokens off;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/mydomain.ca/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.ca/privkey.pem;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  proxy_cookie_path / "/; secure; HttpOnly";


    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://192.168.100.79:8080/guacamole/;
       #The line below is required because Guacamole is essentially streaming so buffering would get in the way
        proxy_buffering off;
        proxy_redirect off;
        access_log off;
        proxy_cookie_path / "/; secure; HttpOnly";

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
   }
   
}

One additional note that took some Googling. If you're going to remote into a Win 10 desktop, you not only need to disable the NLA checkbox but you also need the following registry change.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

Change the value from a 2 to a 1 for the following key

"SecurityLayer”=dword:00000001

So far it seems exceptionally smooth and way better than using my Sophos XG HTML5 RDP function. Not to mention I can run all of it through the proxy and manage SSL via Nginx which I can't do through Sophos XG.

I just setup a guacamole VM on my Hyper-V host and after some fiddling with the Nginx conf file, I was able to get the portal to work through the proxy. Awesome! Now the paranoid side of me kicks-in and probably unnecessarily. I've created a 40 character password to log into Guacamole along with a 30 character password for the subsequent Windows password. Wondering if anyone has ever heard of any security holes or issues with Guacamole that would make you re-think exposing it to the web even with SSL and long, complex passwords.

Is it time to put my tinfoil hat away? I realize that's what it was designed to do.

@scottalanmiller Just testing it out for now but so far so good. I had a client ask me for a good document management solution that wouldn't break the bank and could be hosted locally so I immediately thought of this. I've given him access to see if this could work and from the sounds of his feedback, he might want it setup.

This assumes you have already installed Ubuntu server on your VM. You're going to need at least 8GB memory. I realized this after I got an error with only 4GB assigned to the VM.

1. Go to https://www.alfresco.com/alfresco-community-download

2. Find the Linux download link and right-click and select "Copy link address"
   

3. Go back to your server and download Alfresco
   wget http://eu.dl.alfresco.com.s3.amazonaws.com/release/community/201707-build-00028/alfresco-community-installer-201707-linux-x64.bin

4. Create a directory for the installation
   sudo mkdir -p /var/www/html/alfresco

5. You're going to need to add a few libraries (if you copy/paste, these should be single lines, the web page here may wrap longer lines)
   sudo add-apt-repository ppa:opencpn/opencpn
sudo apt-get update
sudo apt-get install -y libfontconfig1 libsm6 libice6 libxrender1 libxt6 libcups2 opencpn libcairo2 ttf-mscorefonts-installer

6. Because you're installing MS Fonts, you'll have to accept the EULA
   
   

7. chmod and run
   chmod u+x alfresco-community-installer-201707-linux-x64.bin
sudo ./alfresco-community-installer-201707-linux-x64.bin

8. You'll get a warning about LibreOffice not being installed. Ignore, select "y" and continue.
   

9. Choose your language and press [ENTER]
   

10. Choose option 2 for Advanced Install at the next screen
    

11. Choose the following options for the next 9 selections

Java				– yes
PostgreSQL			– yes
LibreOffice			– yes
Alfresco Community Edition	- yes
Solr1				– no
Solr4				- yes
Alfresco Office Services	- yes
Web Quick Start			– yes
Google Docs Integration		– yes

12. When prompted for an installation folder, enter the folder path you created in step #4 above
    

13. For the next 8 selections, simply enter the default suggested values.

Database Server Parameters	= port 5432
Web Server domain		= 127.0.0.1
Tomcat Server Port		= 8080
Tomcat Shutdown Port		= 8005
Tomcat SSL Port			= 8443
Tomcat AJP Port			= 8009
LibreOffice Server Port		= 8100
Alfresco FTP Port		= 21

14. When prompted for an Admin password, choose one and enter it in each of the following 2 selections
    

15. When prompted to install Alfresco as a service, choose "y" and press [ENTER]
    

16. Proceed with installation
    

17. Select "n" to view Readme file and Launch Alfresco when prompted.

This might take a while. Even after the screen shows the server has started, accessing the web page may take a few minutes so be patient. To access the web page go to the IP address of your server in your favorite browser.
http://192.168.100.78:8080/share

To configure SSL using Nginx, create a new conf file for your new site (assuming Nginx is already installed). In my case, I am running it on a separate server. I am running Nginx on 192.168.100.77 and Alfresco is running on 192.168.100.78 so my conf file looks like this.

server {
   listen 80;
   server_name mydomain.com;
   return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name mydomain.com;
  
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header Referrer-Policy strict-origin;
  ssl_stapling on;
  ssl_stapling_verify on;
  server_tokens off;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  proxy_cookie_path / "/; secure; HttpOnly";
  rewrite ^/$ /share;


    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass https://192.168.100.78:8443;
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
   }
}

18. Test your Nginx conf file and if everything looks ok, restart Nginx
    sudo nginx -y
sudo systemctl restart nginx

One important thing to remember is that, and this is the one thing that stumped me for a bit and took some Googling to find, enabling SSL means that you must change the proxy_pass port number as well as protocol to "https" (change IP address as needed). I've removed domain name and site name in the attachment below.
proxy_pass https://192.168.100.78:8443;

I've finally migrated all of my web servers to use Nginx as a proxy running on a separate server which does nothing but serve as a proxy and manage SSL certs. But when I check raw headers for my new Nextcloud install, I get a warning stating there are duplicates found. The server running Nextcloud has Apache but no SSL configured as that's all managed through the proxy.

Here is the warning I get.

I don't have anything else running on this server except Nginx. There are other config files but they are for separate domains so I can't understand why it is telling me I have duplicates. I got this warning from both https://securityheaders.io and https://observatory.mozilla.org. Any ideas where I should be looking?

Here is my Nginx conf file.

server {
   listen 80;
   server_name mydomain.com;
   return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name mydomain.com;
  
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header Referrer-Policy strict-origin;
  ssl_stapling on;
  ssl_stapling_verify on;
  server_tokens off;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  proxy_cookie_path / "/; secure; HttpOnly";


    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://192.168.100.80;
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
   }
}

My Nextcloud Apache conf file is this.

<VirtualHost *:80>
 DocumentRoot "/var/www/nextcloud"
 ServerName mydomain.com

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /var/www/nextcloud/>
 Options +FollowSymlinks
 AllowOverride All

 <IfModule mod_dav.c>
 Dav off
 </IfModule>

 SetEnv HOME /var/www/nextcloud
 SetEnv HTTP_HOME /var/www/nextcloud

</Directory>

</VirtualHost>