Zoraxy support ( Meshcentral Router debug ) #6042

Closed
risturiz opened this issue Apr 19, 2024 · 16 comments

@risturiz

Hi, I'm testing the Zoraxy reverse proxy with Meshcentral and the Web dashboard works but Meshcentral Router doesn't... Any option to debug this? With ".\MeshCentralRouter.exe -debug" I only got:

18:58:PM.4842: WebSocket: Websocket TCP connected, doing TLS...
18:58:PM.5218: WebSocket: Websocket TLS setup, sending HTTP header...
18:58:PM.6219: WebSocket: Websocket got setup upgrade header.
18:58:PM.6219: WebSocket: Websocket got closed fragment.

Same config with Nginx Proxy Manager doesn't have any problem... Thanks!

@si458
Collaborator

si458 commented Apr 19, 2024

I want to say if u have it working with nginx but not this new one, then it must be something with the new reverse proxy server that's wrong? Maybe config?
Will try have a look when I get chance

Edit. Can u share any config/screenshots of the reverse proxy? Also ur config.json for meshcentral

@yeungalan

Hello, this is the developer from Zoraxy.

If it's not too much trouble, would you mind sharing the configuration on the Zoraxy side? We would greatly appreciate it, as it would allow us to take a closer look and assist you more effectively. Thank you very much for your cooperation!

@risturiz
Author

risturiz commented Apr 20, 2024

Hi, my config is pretty simple (Meshcentral works from the browser, Firefox/Chromium):

Zoraxy config:
Screenshot_20240420_091137

 "ProxyType": 1,
 "RootOrMatchingDomain": "hub.domain.com",
 "Domain": "172.17.0.5:4430",
 "RequireTLS": false,
 "BypassGlobalTLS": false,
 "SkipCertValidations": false,
 "SkipWebSocketOriginCheck": true,
 "VirtualDirectories": [],
 "UserDefinedHeaders": [],
 "RequireBasicAuth": false,
 "BasicAuthCredentials": [],
 "BasicAuthExceptionRules": [],
 "DefaultSiteOption": 0,
 "DefaultSiteValue": "",
 "Disabled": false

Meshcentral config:
Screenshot_20240420_092241

Maybe I need some "Custom Headers" with MeshRouter?

Thanks!

@si458
Collaborator

si458 commented Apr 20, 2024

Strange one, do u have port 80 open on ur reverse proxy? Or only 443? As I notice u have disabled the redirport which should be set?

Can u access the webui using http://mydomain.com? Or must u use https://mydomain.com

@risturiz
Author

Strange one, do u have port 80 open on ur reverse proxy? Or only 443? As I notice u have disabled the redirport which should be set?

Can u access the webui using http://mydomain.com? Or must u use https://mydomain.com

I don't have port 80 open... Every connection should be redirected
Screenshot_20240420_102135

Like I said, same config with Nginx Proxy Manager works... Only MeshRouter fails to connect (using some legacy communication?)

@si458
Collaborator

si458 commented Apr 20, 2024

yes sorry the screenshot you show now is self-explanatory, listen on 443 but also listen on port 80 and to http to https!
so in theory i think the proxy is ok?
one thing you can try is running meshcentral in full debug mode and then watch the web traffic and see if the meshcentralrouter talks to meshcentral.
node node_modules/meshcentral --debug
if meshcentralrouter isnt talking to meshcentral and meshcentral isnt showing web connections from it, then it will be a reverse proxy issue, im afraid

@risturiz
Author

risturiz commented Apr 20, 2024

Didn't know there is "Debug": true, for config.json :-)

Here you go... MeshRouter connection log

Screenshot_20240420_114303

@si458
Collaborator

si458 commented Apr 20, 2024

Huh? Go-http-client?
That's not meshcentralrouter? As it's written in C not golang

I think zoraxy is doing a header request to check the url is valid then doing the request afterwards.
But the request afterwards is missing all the headers, very weird?

I'll have to set up a new vm and test it myself, see what's happening

Also note, there is no debug in config.json, it's part of the run arguments, but I could be mistaken! Might be missing from the schema.json!

si458 added bug and removed enhancement labels Apr 20, 2024

@yeungalan

It looks like something went wrong in Zoraxy's header passing, will take a look

@si458
Collaborator

si458 commented Apr 20, 2024

@yeungalan also the /control.ashx/.websocket in our case should be a websocket connection and not a webrequest!

@yeungalan

Thanks! Will take a look as well

@tobychui is the main author of zoraxy and I will make him aware of this as well :)

@tobychui

That is weird, Go-HTTP-Client has been removed from the headers since a few versions ago.
https://github.com/tobychui/zoraxy/blob/5805fe6ed212942aa20ed12499f6c06b50cabf05/src/mod/dynamicproxy/proxyRequestHandler.go#L100

//Hide Go-HTTP-Client UA if the client didnt sent us one
if _, ok := header["User-Agent"]; !ok {
	// If the outbound request doesn't have a User-Agent header set,
	// don't send the default Go HTTP client User-Agent.
	header.Set("User-Agent", "")
}

And I don't see any issue regarding the logic to identify requests that contain the Upgrade: websocket header, and from your log, it seems there is no Zr-Origin-Upgrade header appended by Zoraxy.

https://github.com/tobychui/zoraxy/blob/5805fe6ed212942aa20ed12499f6c06b50cabf05/src/mod/dynamicproxy/proxyRequestHandler.go#L100

if r.Header["Upgrade"] != nil && strings.ToLower(r.Header["Upgrade"][0]) == "websocket" {
	//Handle WebSocket request. Forward the custom Upgrade header and rewrite origin
	r.Header.Set("Zr-Origin-Upgrade", "websocket")
	wsRedirectionEndpoint := target.Domain
	if wsRedirectionEndpoint[len(wsRedirectionEndpoint)-1:] != "/" {
		//Append / to the end of the redirection endpoint if not exists
		wsRedirectionEndpoint = wsRedirectionEndpoint + "/"
	}

Have you tried updating your Zoraxy to latest version?

@risturiz
Author

Hi, reinstalled everything again with the latest Zoraxy (3.0.2) and same result (I'm using docker btw)... I can install some sandbox server meshcentral+zoraxy to make tests and find out what could be wrong... Is it better to open another issue on the Zoraxy repo? Or continue debugging here?

Thanks!

@si458
Collaborator

si458 commented Dec 11, 2024

ok so just tagging onto this to remind me and others,
weirdly enough, i just created a quick test, Zoraxy and meshcentral in single compose
i used https://nip.io to create a dns to my server https://192-168-23-222.nip.io
setup meshcentral and its config.json with the cert value in
setup zoraxy by GUESSING the web ui and reading no docs
can access the web ui no problem, can create groups, can even add an agent no problem
but the min i try using meshcentralrouter, it just doesnt work?
very weird?

@si458
Collaborator

si458 commented Dec 11, 2024

ok just looked into it more, we add a custom header which contains our authentication
and meshcentral doesnt see this header which is why it doesnt work
ALSO if i go into the Zoraxy web ui, then http proxy then into custom headers
then add in a complete random custom header say X-MyHeader -> MyValue from Zoraxy to Origin
we dont see this custom header being added!
so there clearly is an issue with Zoraxy and this is nothing to do with meshcentral
you will need to speak to the developer of Zoraxy and find out what's going on
im using the latest version of Zoraxy v3.1.4

EDIT: clarification, its the websocket that doesnt have the headers!
the HTTP requests have the headers as expected, but the websockets DONT!

EDIT2: have opened request here tobychui/zoraxy#426
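
The symptom found in this thread (a custom header reaches the origin on plain HTTP requests but not on WebSocket upgrades) can be checked mechanically. The Go program below is an added example, not code from this thread, Zoraxy or MeshCentral: `rebuildHandshake` is a constructed model of a proxy hop that opens a fresh upstream handshake, `hub.example.test` is a placeholder host, and `X-MyHeader` is the test header named above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// forwardAll models a proxy hop that passes every client header through.
func forwardAll(r *http.Request) *http.Request { return r.Clone(r.Context()) }

// rebuildHandshake (constructed model, not Zoraxy's code): on an upgrade it forwards only handshake fields.
func rebuildHandshake(r *http.Request) *http.Request {
	out := r.Clone(r.Context())
	if strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
		out.Header = http.Header{}
		for _, k := range []string{"Upgrade", "Connection", "Sec-WebSocket-Key"} {
			out.Header.Set(k, r.Header.Get(k))
		}
	}
	return out
}

// DroppedHeaders sends one request through hop and returns the sorted names of headers that never arrived.
func DroppedHeaders(hop func(*http.Request) *http.Request, ws bool, name, value string) []string {
	var seen http.Header
	backend := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { seen = r.Header.Clone() })
	req := httptest.NewRequest("GET", "http://hub.example.test/control.ashx", nil)
	req.Header.Set(name, value)
	if ws { // handshake fields a WebSocket client sends; the key is a constructed sample
		req.Header.Set("Upgrade", "websocket")
		req.Header.Set("Connection", "Upgrade")
		req.Header.Set("Sec-WebSocket-Key", "Y29uc3RydWN0ZWQtc2FtcGxl")
	}
	backend.ServeHTTP(httptest.NewRecorder(), hop(req))
	dropped := []string{}
	for sent := range req.Header {
		if _, ok := seen[sent]; !ok {
			dropped = append(dropped, sent)
		}
	}
	sort.Strings(dropped)
	return dropped
}

func main() {
	fmt.Println(DroppedHeaders(rebuildHandshake, false, "X-MyHeader", "MyValue"), DroppedHeaders(rebuildHandshake, true, "X-MyHeader", "MyValue"))
}
```

Go canonicalises header names, so `X-MyHeader` is reported as `X-Myheader`. An origin that authenticates on a custom header sees the upgrade as unauthenticated when that header is dropped.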

si458 closed this as not planned Dec 11, 2024

@risturiz
Author

Thanks for this update!
