Unable to authenticate when using MC2 in multi-zoned environment #1855

Closed
opened 2026-02-20 09:01:05 -05:00 by deekerman · 5 comments
Owner

Originally created by @D4V3M0NK on GitHub (Dec 11, 2020).

Originally assigned to: @Ylianst on GitHub.

MeshCentral 0.6.70 (Ubuntu 16 running on NodeJS 8.17.1 FIPS enabled)

Please forgive the notes: it's taken me about 4 hours so far to write this as things keep on happening differently from prior testing...

I have a freshly built MC2 server that sits behind a network load balancer then an application load balancer (both operating their internal IPs from separate zones). I've created an admin account through the CLI, logged in and updated the version in my image (0.5.97) to the latest stable (0.6.70). I then start up the server in --debug mode.

I then attempt to log in and get the Unable to authenticate error, similar to that in #1770. Debug1 shows the output from the server after I was initially rejected, then hit refresh, after which I was able to log in.

Config1
{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "_cert": "myserver.mydomain.com",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "_port": 443,
    "_aliasPort": 443,
    "_redirPort": 80,
    "_redirAliasPort": 80
  },
  "domains": {
    "": {
      "title": "domains..title",
      "title2": "domains..title2",
      "_minify": true,
      "newAccounts": false,
      "_userNameIsEmail": true,
      "passwordRequirements": {
        "force2factor": true
      }
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "myemail@mydomain.com",
    "names": "myserver.mydomain.com",
    "production": false
  }
}
Debug1
MeshCentral HTTP redirection server running on port 80.
MeshCentral v0.6.70, Hybrid (LAN + WAN) mode.
MeshCentral Intel(R) AMT server running on IP_ADDR_A:4433.
MeshCentral HTTPS server running on IP_ADDR_A:443.
WEBREQUEST: (IP_ADDR_B) /
WEB: handleRootRequestLogin()
WEBREQUEST: (IP_ADDR_B) /styles/style.css
WEBREQUEST: (IP_ADDR_B) /scripts/common-0.0.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/u2f-api.js
WEBREQUEST: (IP_ADDR_B) /welcome.jpg
WEBREQUEST: (IP_ADDR_B) /logo.png
WEBREQUEST: (IP_ADDR_B) /favicon.ico
WEBREQUEST: (IP_ADDR_C) /
WEB: handleRootRequestLogin()
WEBREQUEST: (IP_ADDR_B) /
WEB: handleRootRequestLogin()
WEBREQUEST: (IP_ADDR_B) /
WEB: handleRootPostRequest, action: login
WEBREQUEST: (IP_ADDR_B) /
WEB: handleRootPostRequest, action: login
WEB: handleLoginRequest: successful login
WEB: handleLoginRequest: login ok (2)
COOKIE: Encoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607732546}
COOKIE: Encoded AESGCM cookie: {"ruserid":"user//admin1","domainid":"","time":1607732546}
WEB: handleRootRequestEx: success.
WEB: handleLoginRequest: successful login
WEB: handleLoginRequest: login ok (2)
COOKIE: Encoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607732547}
COOKIE: Encoded AESGCM cookie: {"ruserid":"user//admin1","domainid":"","time":1607732547}
WEB: handleRootRequestEx: success.
WEBREQUEST: (IP_ADDR_B) /styles/style.css
WEBREQUEST: (IP_ADDR_B) /styles/ol3-contextmenu.min.css
WEBREQUEST: (IP_ADDR_B) /styles/xterm.css
WEBREQUEST: (IP_ADDR_B) /scripts/common-0.0.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/meshcentral.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-crc32.js
WEBREQUEST: (IP_ADDR_B) /styles/ol.css
WEBREQUEST: (IP_ADDR_B) /scripts/amt-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-desktop-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-wsman-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-inflate.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-adler32.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-terminal-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-redir-ws-0.1.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-wsman-ws-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-redir-ws-0.1.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-desktop-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-redir-rtc-0.1.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/qrcode.min.js
WEBREQUEST: (IP_ADDR_B) /scripts/xterm.js
WEBREQUEST: (IP_ADDR_B) /scripts/charts.js
WEBREQUEST: (IP_ADDR_B) /scripts/filesaver.min.js
WEBREQUEST: (IP_ADDR_B) /scripts/ol.js
WEBREQUEST: (IP_ADDR_B) /scripts/ol3-contextmenu.js
WEBREQUEST: (IP_ADDR_B) /scripts/xterm-addon-fit.js
WEBREQUEST: (IP_ADDR_B) /scripts/u2f-api.js
WEBREQUEST: (IP_ADDR_B) /images/link4.png
WEBREQUEST: (IP_ADDR_B) /images/link6.png
WEBREQUEST: (IP_ADDR_B) /images/icon-star-notify-16.png
WEBREQUEST: (IP_ADDR_B) /serverpic.ashx
WEBREQUEST: (IP_ADDR_B) /images/icon-relay-notify.png
WEBREQUEST: (IP_ADDR_B) /images/icon-chat.png
WEBREQUEST: (IP_ADDR_B) /images/icon-notify.png
WEBREQUEST: (IP_ADDR_B) /images/icon-help-notify-16.png
WEBREQUEST: (IP_ADDR_B) /images/icon-url2.png
WEBREQUEST: (IP_ADDR_B) /images/icon-camera.png
WEBREQUEST: (IP_ADDR_B) /images/icon-film.png
WEBREQUEST: (IP_ADDR_B) /images/icon-background.png
WEBREQUEST: (IP_ADDR_B) /images/icon-clipboard-in.png
WEBREQUEST: (IP_ADDR_B) /images/icon-clipboard-out.png
WEBREQUEST: (IP_ADDR_B) /images/icon-refresh.png
WEBREQUEST: (IP_ADDR_B) /images/webp/mesh-256.webp
WEBREQUEST: (IP_ADDR_B) /images/webp/user-256.webp
WEBREQUEST: (IP_ADDR_B) /images/webp/group-256.webp
WEBREQUEST: (IP_ADDR_B) /commander.htm
WEBREQUEST: (IP_ADDR_B) /sounds/chimes.mp3
WEBREQUEST: (IP_ADDR_B) /scriptblocks.txt
WEBREQUEST: (IP_ADDR_B) /images/leftbar-64.png
WEBREQUEST: (IP_ADDR_C) /control.ashx/.websocket?auth=0iIv$6i3ye$mcOwCkV5F0zKuFKdcLvROjFHnRS0BvM8HE@$IXpdWjtjMlUNHfQYubnkigsKvK8FISYx4HjC1oC5gC0CusOnG2mTsPFxeqe6phyEuwHpP6b4vq85V6Wd9un$74zDz
COOKIE: Decoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607732547000,"dtime":879}
WEB: ERR: Invalid cookie IP address, got "IP_ADDR_B", expected "IP_ADDR_C".
WEB: ERR: Websocket bad cookie auth (Cookie:false): 0iIv$6i3ye$mcOwCkV5F0zKuFKdcLvROjFHnRS0BvM8HE@$IXpdWjtjMlUNHfQYubnkigsKvK8FISYx4HjC1oC5gC0CusOnG2mTsPFxeqe6phyEuwHpP6b4vq85V6Wd9un$74zDz
WEBREQUEST: (IP_ADDR_B) /
COOKIE: Encoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607732549}
COOKIE: Encoded AESGCM cookie: {"ruserid":"user//admin1","domainid":"","time":1607732549}
WEB: handleRootRequestEx: success.
WEBREQUEST: (IP_ADDR_B) /styles/style.css
WEBREQUEST: (IP_ADDR_B) /styles/ol.css
WEBREQUEST: (IP_ADDR_B) /styles/ol3-contextmenu.min.css
WEBREQUEST: (IP_ADDR_B) /styles/xterm.css
WEBREQUEST: (IP_ADDR_B) /scripts/meshcentral.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-wsman-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/common-0.0.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-inflate.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-crc32.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-adler32.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-wsman-ws-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-redir-ws-0.1.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-desktop-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-redir-ws-0.1.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-terminal-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-desktop-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/xterm.js
WEBREQUEST: (IP_ADDR_B) /scripts/xterm-addon-fit.js
WEBREQUEST: (IP_ADDR_B) /scripts/u2f-api.js
WEBREQUEST: (IP_ADDR_B) /scripts/charts.js
WEBREQUEST: (IP_ADDR_B) /scripts/qrcode.min.js
WEBREQUEST: (IP_ADDR_B) /scripts/filesaver.min.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-redir-rtc-0.1.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/ol.js
WEBREQUEST: (IP_ADDR_B) /scripts/ol3-contextmenu.js
WEBREQUEST: (IP_ADDR_B) /images/link4.png
WEBREQUEST: (IP_ADDR_B) /serverpic.ashx
WEBREQUEST: (IP_ADDR_B) /images/icon-star-notify-16.png
WEBREQUEST: (IP_ADDR_B) /images/icon-relay-notify.png
WEBREQUEST: (IP_ADDR_B) /images/icon-chat.png
WEBREQUEST: (IP_ADDR_B) /images/link6.png
WEBREQUEST: (IP_ADDR_B) /images/icon-notify.png
WEBREQUEST: (IP_ADDR_B) /images/icon-help-notify-16.png
WEBREQUEST: (IP_ADDR_B) /images/icon-url2.png
WEBREQUEST: (IP_ADDR_B) /images/icon-background.png
WEBREQUEST: (IP_ADDR_B) /images/icon-clipboard-in.png
WEBREQUEST: (IP_ADDR_B) /images/icon-camera.png
WEBREQUEST: (IP_ADDR_B) /images/icon-film.png
WEBREQUEST: (IP_ADDR_B) /images/icon-refresh.png
WEBREQUEST: (IP_ADDR_B) /images/icon-clipboard-out.png
WEBREQUEST: (IP_ADDR_B) /images/webp/mesh-256.webp
WEBREQUEST: (IP_ADDR_B) /images/webp/user-256.webp
WEBREQUEST: (IP_ADDR_B) /commander.htm
WEBREQUEST: (IP_ADDR_B) /images/webp/group-256.webp
WEBREQUEST: (IP_ADDR_B) /scriptblocks.txt
WEBREQUEST: (IP_ADDR_B) /favicon.ico
WEBREQUEST: (IP_ADDR_B) /control.ashx/.websocket?auth=Jzwk4EVEfHDvrCx5dieZKCstddxI00ObFYw4oTED86Emye9DEmpryfVjnsYYICUxOvF@4AGyBh5DaThPPkGscMAxPixXPcdIj3XHlGGEo2bLOWpWYwihchGS95HzZfjiRNA6M2wA
COOKIE: Decoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607732549000,"dtime":956}
WEBREQUEST: (IP_ADDR_B) /images/leftbar-64.png
WEBREQUEST: (IP_ADDR_B) /images/info.png
^CServer Ctrl-C exit...

Now, in reading #1770 I see that there's a config setting ("cookieipcheck": false) that I can potentially set, so I update my config accordingly:

Config2
{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "_cert": "myserver.mydomain.com",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "_port": 443,
    "_aliasPort": 443,
    "_redirPort": 80,
    "_redirAliasPort": 80
  },
  "domains": {
    "": {
      "title": "domains..title",
      "title2": "domains..title2",
      "_minify": true,
      "newAccounts": false,
      "_userNameIsEmail": true,
      "passwordRequirements": {
        "force2factor": true
      },
      "cookieipcheck": false
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "myemail@mydomain.com",
    "names": "myserver.mydomain.com",
    "production": false
  }
}
Debug2
MeshCentral HTTP redirection server running on port 80.
MeshCentral v0.6.70, Hybrid (LAN + WAN) mode.
MeshCentral Intel(R) AMT server running on IP_ADDR_A:4433.
MeshCentral HTTPS server running on IP_ADDR_A:443.
WEBREQUEST: (IP_ADDR_B) /
WEB: handleRootRequestLogin()
WEBREQUEST: (IP_ADDR_B) /styles/style.css
WEBREQUEST: (IP_ADDR_B) /scripts/common-0.0.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/u2f-api.js
WEBREQUEST: (IP_ADDR_B) /welcome.jpg
WEBREQUEST: (IP_ADDR_B) /logo.png
WEBREQUEST: (IP_ADDR_B) /
WEB: handleRootPostRequest, action: login
WEB: handleLoginRequest: successful login
WEB: handleLoginRequest: login ok (2)
COOKIE: Encoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607733023}
COOKIE: Encoded AESGCM cookie: {"ruserid":"user//admin1","domainid":"","time":1607733023}
WEB: handleRootRequestEx: success.
WEBREQUEST: (IP_ADDR_B) /
WEB: handleRootPostRequest, action: login
WEB: handleLoginRequest: successful login
WEB: handleLoginRequest: login ok (2)
COOKIE: Encoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607733023}
COOKIE: Encoded AESGCM cookie: {"ruserid":"user//admin1","domainid":"","time":1607733023}
WEB: handleRootRequestEx: success.
WEBREQUEST: (IP_ADDR_B) /styles/style.css
WEBREQUEST: (IP_ADDR_B) /styles/ol3-contextmenu.min.css
WEBREQUEST: (IP_ADDR_B) /styles/ol.css
WEBREQUEST: (IP_ADDR_B) /scripts/common-0.0.1.js
WEBREQUEST: (IP_ADDR_B) /styles/xterm.css
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-inflate.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-adler32.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-crc32.js
WEBREQUEST: (IP_ADDR_B) /scripts/meshcentral.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-wsman-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-desktop-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-terminal-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-redir-ws-0.1.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-redir-rtc-0.1.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-redir-ws-0.1.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-wsman-ws-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/qrcode.min.js
WEBREQUEST: (IP_ADDR_B) /scripts/xterm.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-desktop-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/u2f-api.js
WEBREQUEST: (IP_ADDR_B) /scripts/xterm-addon-fit.js
WEBREQUEST: (IP_ADDR_B) /scripts/charts.js
WEBREQUEST: (IP_ADDR_B) /scripts/filesaver.min.js
WEBREQUEST: (IP_ADDR_B) /scripts/ol3-contextmenu.js
WEBREQUEST: (IP_ADDR_B) /scripts/ol.js
WEBREQUEST: (IP_ADDR_C) /
WEB: handleRootRequestLogin()
WEBREQUEST: (IP_ADDR_B) /images/link4.png
WEBREQUEST: (IP_ADDR_B) /images/link6.png
WEBREQUEST: (IP_ADDR_B) /serverpic.ashx
WEBREQUEST: (IP_ADDR_B) /images/icon-star-notify-16.png
WEBREQUEST: (IP_ADDR_B) /images/icon-relay-notify.png
WEBREQUEST: (IP_ADDR_B) /images/icon-help-notify-16.png
WEBREQUEST: (IP_ADDR_B) /images/icon-chat.png
WEBREQUEST: (IP_ADDR_B) /images/icon-notify.png
WEBREQUEST: (IP_ADDR_B) /images/icon-background.png
WEBREQUEST: (IP_ADDR_B) /images/icon-camera.png
WEBREQUEST: (IP_ADDR_B) /images/icon-url2.png
WEBREQUEST: (IP_ADDR_B) /images/icon-film.png
WEBREQUEST: (IP_ADDR_B) /images/icon-clipboard-in.png
WEBREQUEST: (IP_ADDR_B) /images/icon-clipboard-out.png
WEBREQUEST: (IP_ADDR_B) /images/icon-refresh.png
WEBREQUEST: (IP_ADDR_B) /images/webp/mesh-256.webp
WEBREQUEST: (IP_ADDR_B) /images/webp/user-256.webp
WEBREQUEST: (IP_ADDR_B) /sounds/chimes.mp3
WEBREQUEST: (IP_ADDR_B) /images/webp/group-256.webp
WEBREQUEST: (IP_ADDR_B) /commander.htm
WEBREQUEST: (IP_ADDR_B) /
WEB: handleRootRequestLogin()
WEBREQUEST: (IP_ADDR_B) /scriptblocks.txt
WEBREQUEST: (IP_ADDR_B) /images/leftbar-64.png
WEBREQUEST: (IP_ADDR_C) /control.ashx/.websocket?auth=me@AbZBmsjgx7igRZ@gKv2Gviyem@W8@9R@gmxSxGgANnf433zboSfZ1joAQHiPTbVCWZUws2uSTT9HxKLjo2YBz8fCtxU@K2xL@R$dhAAkn8bfnBnYbxJRLGJuD8xP0yBkmqlJe
COOKIE: Decoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607733023000,"dtime":1175}
WEB: ERR: Invalid cookie IP address, got "IP_ADDR_B", expected "IP_ADDR_C".
WEB: ERR: Websocket bad cookie auth (Cookie:false): me@AbZBmsjgx7igRZ@gKv2Gviyem@W8@9R@gmxSxGgANnf433zboSfZ1joAQHiPTbVCWZUws2uSTT9HxKLjo2YBz8fCtxU@K2xL@R$dhAAkn8bfnBnYbxJRLGJuD8xP0yBkmqlJe
WEBREQUEST: (IP_ADDR_B) /
COOKIE: Encoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607733026}
COOKIE: Encoded AESGCM cookie: {"ruserid":"user//admin1","domainid":"","time":1607733026}
WEB: handleRootRequestEx: success.
WEBREQUEST: (IP_ADDR_B) /styles/style.css
WEBREQUEST: (IP_ADDR_B) /styles/ol.css
WEBREQUEST: (IP_ADDR_B) /styles/ol3-contextmenu.min.css
WEBREQUEST: (IP_ADDR_B) /styles/xterm.css
WEBREQUEST: (IP_ADDR_B) /scripts/common-0.0.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/meshcentral.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-wsman-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-desktop-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-inflate.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-adler32.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-terminal-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/zlib-crc32.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-wsman-ws-0.2.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-redir-ws-0.1.1.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-desktop-0.0.2.js
WEBREQUEST: (IP_ADDR_B) /scripts/agent-redir-rtc-0.1.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/qrcode.min.js
WEBREQUEST: (IP_ADDR_B) /scripts/xterm.js
WEBREQUEST: (IP_ADDR_B) /scripts/amt-redir-ws-0.1.0.js
WEBREQUEST: (IP_ADDR_B) /scripts/xterm-addon-fit.js
WEBREQUEST: (IP_ADDR_B) /scripts/u2f-api.js
WEBREQUEST: (IP_ADDR_B) /scripts/charts.js
WEBREQUEST: (IP_ADDR_B) /scripts/filesaver.min.js
WEBREQUEST: (IP_ADDR_B) /scripts/ol.js
WEBREQUEST: (IP_ADDR_B) /scripts/ol3-contextmenu.js
WEBREQUEST: (IP_ADDR_B) /images/link4.png
WEBREQUEST: (IP_ADDR_B) /images/link6.png
WEBREQUEST: (IP_ADDR_B) /serverpic.ashx
WEBREQUEST: (IP_ADDR_B) /images/icon-star-notify-16.png
WEBREQUEST: (IP_ADDR_B) /images/icon-relay-notify.png
WEBREQUEST: (IP_ADDR_B) /images/icon-help-notify-16.png
WEBREQUEST: (IP_ADDR_B) /images/icon-chat.png
WEBREQUEST: (IP_ADDR_B) /images/icon-notify.png
WEBREQUEST: (IP_ADDR_B) /images/icon-url2.png
WEBREQUEST: (IP_ADDR_B) /images/icon-background.png
WEBREQUEST: (IP_ADDR_B) /images/icon-film.png
WEBREQUEST: (IP_ADDR_B) /images/icon-camera.png
WEBREQUEST: (IP_ADDR_B) /images/icon-clipboard-in.png
WEBREQUEST: (IP_ADDR_B) /images/icon-clipboard-out.png
WEBREQUEST: (IP_ADDR_B) /images/icon-refresh.png
WEBREQUEST: (IP_ADDR_B) /images/webp/mesh-256.webp
WEBREQUEST: (IP_ADDR_B) /commander.htm
WEBREQUEST: (IP_ADDR_B) /images/webp/user-256.webp
WEBREQUEST: (IP_ADDR_B) /images/webp/group-256.webp
WEBREQUEST: (IP_ADDR_B) /scriptblocks.txt
WEBREQUEST: (IP_ADDR_B) /favicon.ico
WEBREQUEST: (IP_ADDR_B) /control.ashx/.websocket?auth=v6wTfIcCHgRSzCLIqv53yfQVrAz2$YlyqQo4liGrl1ADE0IipSwj2gXOQL6rQNTKGYCvwV13xZ0z$wK2uJak8kAJ22rME@Z7TxG5YKuDgNRh3hAQjDW@jmiBSYJhMlNoTZ3bzGDS
COOKIE: Decoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607733026000,"dtime":1113}
WEBREQUEST: (IP_ADDR_B) /images/leftbar-64.png
WEBREQUEST: (IP_ADDR_B) /images/info.png
^CServer Ctrl-C exit...

Now I had other notes (see #2072 and #2073) but as I've gone through testing this out today I think perhaps the MFA issues that I've been experiencing are still related to IP issues. Additionally, and differing from #1770, we don't currently use IPv6.

I'm surmising here, but I'm thinking that because the MC2 server is sitting behind a load balancer, traffic within the same session is being requested from either of the two load balancer internal IPs, but the initial set up of the cookie is recorded and set from a single IP address. Depending on the traffic, intermittent issues arise in authenticating the source IPs (WEB: ERR: Invalid cookie IP address, got "IP_ADDR_B", expected "IP_ADDR_C".) because it could be coming from the same IP (load balancer A) that was set up from the initial request, but a subsequent request could be sourced from another address (load balancer B). I'm unsure as to whether or not setting the LBs to sticky mode would help here or not, but in the interests of making MC2 as flexible as possible, I've not currently enabled that on my LBs.

I'm nowhere near the programmers you fine chaps are, but I wonder if there's a setting within the config that could be set that puts an array of IP addresses in the initial cookie as being "validated" IPs, so that if traffic comes in from one of the addresses in the array, it's assumed to be authenticated. For my particular scenario, I would configure IP_ADDR_B and IP_ADDR_C in this configuration. I see there are other IP options within the config.json file, but I don't believe that any of them address this particular situation?

/images/icon-clipboard-out.png WEBREQUEST: (IP_ADDR_B) /images/icon-refresh.png WEBREQUEST: (IP_ADDR_B) /images/webp/mesh-256.webp WEBREQUEST: (IP_ADDR_B) /commander.htm WEBREQUEST: (IP_ADDR_B) /images/webp/user-256.webp WEBREQUEST: (IP_ADDR_B) /images/webp/group-256.webp WEBREQUEST: (IP_ADDR_B) /scriptblocks.txt WEBREQUEST: (IP_ADDR_B) /favicon.ico WEBREQUEST: (IP_ADDR_B) /control.ashx/.websocket?auth=v6wTfIcCHgRSzCLIqv53yfQVrAz2$YlyqQo4liGrl1ADE0IipSwj2gXOQL6rQNTKGYCvwV13xZ0z$wK2uJak8kAJ22rME@Z7TxG5YKuDgNRh3hAQjDW@jmiBSYJhMlNoTZ3bzGDS COOKIE: Decoded AESGCM cookie: {"userid":"user//admin1","domainid":"","ip":"IP_ADDR_B","time":1607733026000,"dtime":1113} WEBREQUEST: (IP_ADDR_B) /images/leftbar-64.png WEBREQUEST: (IP_ADDR_B) /images/info.png ^CServer Ctrl-C exit... ``` </details> Now I had other notes (see #2072 and #2073) but as I've gone through testing this out today I think perhaps the MFA issues that I've been experiencing are still related to IP issues. Additionally, and differing from #1770, we don't currently use IPv6. I'm surmising here, but I'm thinking that because the MC2 server is sitting behind a load balancer, traffic within the same session is being requested from either of the two load balancer internal IPs, but the initial set up of the cookie is recorded and set from a single IP address. Depending on the traffic, intermittent issues arise in authenticating the source IPs (`WEB: ERR: Invalid cookie IP address, got "IP_ADDR_B", expected "IP_ADDR_C".`) because it could be coming from the same IP (load balancer A) that was set up from the initial request, but a subsequent request could be sourced from another address (load balancer B). I'm unsure as to whether or not setting the LB's to `sticky` mode would help here or not, but in the interests of making MC2 as flexible as possible, I've not currently enabled that on my LBs. 
I'm nowhere near the programmers you fine chaps are, but I wonder if there's a setting within the config that could be set that puts an array of IP addresses in the initial cookie as being "validated" IPs, so that if traffic comes in from one of the addresses in the array, it's assumed to be authenticated. For my particular scenario, I would configure IP_ADDR_B and IP_ADDR_C in this configuration. I see there are other IP options within the config.json file, but I don't _believe_ that any of them address this particular situation?
@Ylianst commented on GitHub (Dec 12, 2020):

Can you try adding this line to the settings part of the config.json:

```
"trustedproxy": ["IP_ADDR_A", "IP_ADDR_B", "IP_ADDR_C"]
```

You will need to have the latest MeshCentral server. You can then remove the `"cookieipcheck": false` in the domain section.

The trusted proxy line needs to include all of the internal IP addresses of your load balancer(s). This will indicate to MeshCentral that it's safe to parse the extra HTTP headers in these requests, and your load balancers will likely tell MeshCentral what the original IP address of the request was. Also, you will start seeing the actual IP address of the request, not the address of your load balancers. Let me know if that helps.
@D4V3M0NK commented on GitHub (Dec 12, 2020):

I'm running 0.7.24 and with the updated config, I start up MC2 in debug mode but get the following **Unrecognized configuration option** warning:

```
$ clear && node node_modules/meshcentral --debug cookie,web,webrequest
WARNING: Unrecognized configuration option "trustedproxy".
MeshCentral HTTP redirection server running on port 80.
MeshCentral v0.7.24, Hybrid (LAN + WAN) mode.
...
```

CurrentConfig

```
{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "_cert": "myserver.mydomain.com",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "_port": 443,
    "_aliasPort": 443,
    "_redirPort": 80,
    "_redirAliasPort": 80
  },
  "trustedProxy": ["IP_ADDR_B", "IP_ADDR_C"],
  "no2FactorAuth": false,
  "domains": {
    "": {
      "title": "domains..title",
      "title2": "domains..title2",
      "_minify": true,
      "newAccounts": false,
      "_userNameIsEmail": true,
      "passwordRequirements": {
        "force2factor": true
      },
      "_cookieIpCheck": false
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "myemail@mydomain.com",
    "names": "myserver.mydomain.com",
    "production": false
  }
}
```
@D4V3M0NK commented on GitHub (Dec 12, 2020):

I do like the warning in the new version of the GUI though... Very useful!

![Screenshot from 2020-12-12 12-56-57](https://user-images.githubusercontent.com/7572742/101994751-9006b480-3c79-11eb-8ea1-12fbced1f144.png)
@Ylianst commented on GitHub (Dec 13, 2020):

I see the problem, the `trustedProxy` value needs to be in the `Settings` section. You can look at an [example here](https://github.com/Ylianst/MeshCentral/blob/master/sample-config-advanced.json). Same goes for `no2FactorAuth`, that also goes in the `settings` section, but in the case of `no2FactorAuth`, the default is false and you probably don't need it.

Let me know if that helps,
Ylian
@D4V3M0NK commented on GitHub (Dec 13, 2020):

You know, I read and re-read that advanced sample JSON file so many times, I saw the `}` on line 23 and *every* time read that as the closing of `settings` and not `dbexpire` ... I'm sorry @Ylianst, that's a newbie mistake and I should've seen that waaaaaaaay before now.
Apologies for the inconvenience. Enjoy your holiday sir.