You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
added opentunnel and closetunnel commands for remote SSH port forwarding
added webctrl.tunnels to store persistent SSH port forwarding tunnels
added an optional SSH proxy connection
added local hostname checking to prevent duplicate servers synced from clippings
updated jsch dependency
updated README
@@ -50,7 +52,7 @@ When this WebCTRL add-on is installed and configured, it periodically communicat
50
52
- Blacklist operators to delete them everywhere
51
53
- Local operators (those that are not white or blacklisted) remain unaltered
52
54
- WebCTRL's operator authentication provider is unaffected
53
-
- For security, operator passwords hashed and salted using the same algorithm WebCTRL uses
55
+
- For security, operator passwords are hashed and salted using the same algorithm WebCTRL uses
54
56
- Add-on synchronization:
55
57
- Synchronize a subnet of whitelisted add-ons between all connected servers
56
58
- Deploy a new add-on everywhere in a single motion
@@ -61,6 +63,7 @@ When this WebCTRL add-on is installed and configured, it periodically communicat
61
63
- Only whitelisted operators are permitted to manage the database
62
64
- Remotely push out commands for servers to execute during their next sync
63
65
- Among other things, this function can be used for automated bulk installation of WebCTRL patches
66
+
- Configure reverse SSH tunnels for remote access of connected servers
64
67
- Import or export a JSON document containing local operators
65
68
- Optionally collect data from specific WebCTRL trends
66
69
@@ -141,9 +144,13 @@ Fill out all the required fields, click *Save Changes* and then click *Sync Now*
141
144
142
145
When the add-on connects to the PostgreSQL database for the first time, it generates a unique server ID for itself. The *Reset ID* button can be used to delete the saved ID and generate a new one.
143
146
147
+
If firewall restrictions limit PostgreSQL traffic, you can try using an SSH proxy server as an intermediary. In the below example, you would connect to `127.0.0.1:5433/database` after the proxy is set. The proxy is activated only when the add-on tries to sync, and then is deactivated afterwards. For security and simplicity, proxy settings cannot be viewed from a web browser after they are set.
148
+
149
+

150
+
144
151
### SFTP Server
145
152
146
-
Whitelisted add-ons must reside on an SFTP server. [JSch](https://github.com/mwiede/jsch) is a third-party library this add-on uses to establish SFTP connections. If you want to lock down an SSH daemon to serve SFTP only, refer to the following example snippet from *sshd_config*.
153
+
Whitelisted add-ons must reside on an SFTP server. [JSch](https://github.com/mwiede/jsch) is a third-party library this add-on uses to establish SSH and SFTP connections. If you want to lock down an SSH daemon to serve SFTP only, refer to the following example snippet from [*sshd_config*](https://man.openbsd.org/sshd_config).
147
154
148
155
```
149
156
Match group sftp
@@ -154,6 +161,23 @@ AllowTcpForwarding no
154
161
ForceCommand internal-sftp
155
162
```
156
163
164
+
If you want to support reverse SSH tunnels and a proxy for connecting to the PostgreSQL database, you might want to configure something like the following instead:
165
+
166
+
```
167
+
Match group sftp
168
+
ChrootDirectory /data/sftp
169
+
GatewayPorts yes
170
+
AllowTcpForwarding yes
171
+
PermitOpen 127.0.0.1:5432
172
+
AllowAgentForwarding no
173
+
AllowStreamLocalForwarding no
174
+
X11Forwarding no
175
+
PermitTTY no
176
+
ClientAliveInterval 60
177
+
ClientAliveCountMax 3
178
+
ForceCommand internal-sftp
179
+
```
180
+
157
181
You'll need to configure [public-key authentication](https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server) for your SFTP user. Go to the settings page in the add-on and set `ftp_key` to the full private key your user needs for authentication. Set `ftp_host` to the hostname or IP address of the SFTP server. Also configure `ftp_port` and `ftp_username` appropriately. The [`ssh-keyscan`](https://man.openbsd.org/ssh-keyscan.1) command can be used to retrieve the data required to populate the `ftp_known_hosts` field.
158
182
159
183

@@ -171,7 +195,7 @@ In addition to the SFTP connection settings shown in the previous section, there
171
195
|`debug`|`false`| When enabled, log messages will be more verbose. |
172
196
|`log_expiration`|`60`| Specifies how many days to retain log messages in the database. |
173
197
|`auto_update`|`true`| Specifies whether to attempt automatic updates for this add-on. |
174
-
|`version`|`0.5.10`| When `auto_update` is enabled, any connected client whose add-on version is less than this value will be updated. |
198
+
|`version`|`0.5.12`| When `auto_update` is enabled, any connected client whose add-on version is less than this value will be updated. |
175
199
|`download_path`|`/webctrl/addons/PostgreSQL_Connect.addon`| When `auto_update` is enabled, this is the SFTP server path where the latest version add-on file will be retrieved. |
176
200
|`license_directory`|`/webctrl/licenses`| Specifies an SFTP server directory path for where to store WebCTRL license files. |
177
201
|`ftp_host`|`postgresql.domain.com`| SFTP server hostname or IP address. |
@@ -193,7 +217,7 @@ You cannot use this mechanism to automatically downgrade the add-on to an earlie
193
217
194
218
## Synchronizaton
195
219
196
-
Now that your PostgreSQL database and SFTP server is configured, this section explains how to setup synchronization of operators, add-ons, and trends. We will go through each page accessible from the web UI.
220
+
Now that your PostgreSQL database and SFTP server is configured, this section explains how to setup synchronization of operators, add-ons, reverse SSH tunnels, and trends. We will go through each page accessible from the web UI.
197
221
198
222
### Server List
199
223
@@ -204,7 +228,7 @@ This page lists all connected servers. If a server is decomissioned or permanent
204
228
| ID |`1`| Internal ID which uniquely identifies the server within the PostgreSQL database. (Read-only) |
205
229
| Name |`ACES Main Building`| User-friendly display name for the server. This defaults to the display name of the root of the Geo tree. |
206
230
| WebCTRL Version |`8.5.002.20230323-123687`| Full version of the WebCTRL server. (Read-only) |
207
-
| Add-On Version |`0.5.10`| Installed version of the PostgreSQL_Connect add-on. (Read-only) |
231
+
| Add-On Version |`0.5.12`| Installed version of the PostgreSQL_Connect add-on. (Read-only) |
208
232
| IP Address |`123.45.67.89`| External IP address of the server as viewed by the PostgreSQL database. (Read-only) |
209
233
| Last Sync |`2024-12-02 14:05:32`| Timestamp of the last successful synchronization. If synced within the last 24 hours, the background color is green; otherwise, the background is red. (Read-only) |
210
234
| License |`WebCTRL Premium`| Click this field to download WebCTRL's license. (Read-only) |
@@ -290,7 +314,7 @@ Commands entered into this table are executed on servers during their next sync
290
314
| Ordering |`3`| When there are multiple command entries for a single server, this column specifies the ascending order in which commands are executed. |
291
315
| Command |`notify "Hello!"`| The command(s) to execute. Multiple commands can be separated by newlines for fail-fast semantics. |
292
316
293
-
Commands chained together using new-lines in a single entry are fail-fast, which means that execution is terminated immediately when an error is encountered. However, errors in one command entry do not affect other entries. Generally, commands are case-insensitive. Commands are tokenized using whitespace as delimiters. Double quotes can be used if a token must include whitespace. The caret character `^` can be used as an escape character. The local file path are specified, paths starting with `/` or `\` are treated as relative to WebCTRL's installation directory, and paths starting with `./` or `.\` are treated as relative to WebCTRL's active system directory. The two dots in `a/../b` go to the parent folder of `a`, so that `b` would be a sibling folder of `a`. Environment variables enclosed in percent signs (e.g, `%USERNAME%`) are expanded when present in local paths. Single-line comments are supported when a line is starts with `//`. The following commands are supported.
317
+
Commands chained together using new-lines in a single entry are fail-fast, which means that execution is terminated immediately when an error is encountered. However, errors in one command entry do not affect other entries. Generally, commands are case-insensitive. Commands are tokenized using whitespace as delimiters. Double quotes can be used if a token must include whitespace. The caret character `^` can be used as an escape character. When local file paths are specified, paths starting with `/` or `\` are treated as relative to WebCTRL's installation directory, and paths starting with `./` or `.\` are treated as relative to WebCTRL's active system directory. The two dots in `a/../b` go to the parent folder of `a`, so that `b` would be a sibling folder of `a`. Environment variables enclosed in percent signs (e.g, `%USERNAME%`) are expanded when present in local paths. Single-line comments are supported when a line is starts with `//`. The following commands are supported.
294
318
295
319
| Command | Description |
296
320
| - | - |
@@ -318,6 +342,8 @@ Commands chained together using new-lines in a single entry are fail-fast, which
318
342
|`canApplyUpdate <file_path>`| Asserts that WebCTRL is able to apply the specified *.update* patch file. If the update cannot be applied, then command execution is terminated. |
319
343
|`!canApplyUpdate <file_path>`| Asserts that WebCTRL is not able to apply the specified *.update* patch file. If the update can be applied, then command execution is terminated. |
320
344
|`updateDST`| Updates daylight savings dates stored in the WebCTRL database and marks controllers for a pending parameter download. |
345
+
|`opentunnel <listen_port> <target_port> [timeout]`| Open a reverse SSH tunnel from the WebCTRL server to the SFTP server. `listen_port` is opened on the SFTP server, and connections to this port are forwarded to `target_port` on the WebCTRL server. After `timeout` expires, the tunnel will be closed at the next sync. If `timeout` is undefined, then the tunnel stays open until the next server reboot. |
346
+
|`closetunnel [listen_port]`| Close a reverse SSH tunnel that was previously opened with the `opentunnel` command. If `listen_port` is unspecified, all tunnels are closed (excluding those configured in the [SSH Tunnels](#ssh-tunnels) section). |
321
347
322
348
#### Examples
323
349
@@ -349,6 +375,14 @@ log "Update did not install."
349
375
rmdir "/update_on_restart"
350
376
```
351
377
378
+
### SSH Tunnels
379
+
380
+
This webpage permits configuration of persistent reverse SSH tunnels from the WebCTRL server to the SFTP server. The source port is opened on the SFTP server, and any connections to the source port are forwarded through the tunnel to the target port on the WebCTRL server. This can be used to get remote access to the webserver over port 80 or 443, for example. Or it can be used to access RDP with port 3389. Beware that shutting down the WebCTRL service over RDP will terminate the RDP connection because WebCTRL itself is functioning as the VPN tunnel provider. So I would suggest not tunneling RDP in this manner unless all users understand the risks.
381
+
382
+

383
+
384
+
Persistent tunnels are checked during each sync. If you reboot the SFTP server and interrupt the tunnel's connection, you will have to wait until the next sync for the tunnel to reform. Therefore, it is suggested to perform maintenance on the SFTP server only when users are unlikely to be utilizing the tunnels.
385
+
352
386
### Find Trends
353
387
354
388
This webpage helps you to find the persistent identifier for trends in order to track them in the database. See the next section for more details on how to use this identifier. You can browse the Geographic tree to search for trends. When you find a trend you want to track, click the turquoise colored trend type in order to copy the persistent identifier.
@@ -418,9 +452,13 @@ CREATE INDEX webctrl_trend_data_time ON webctrl.trend_data ("time" DESC);
418
452
### Packaged Dependencies
419
453
420
454
-[PostgreSQL JDBC 42.7.5](https://jdbc.postgresql.org/) - Used to connect to PostgreSQL databases.
421
-
-[JSch 0.2.22](https://github.com/mwiede/jsch) - Used to connect to SFTP servers.
455
+
-[JSch 0.2.23](https://github.com/mwiede/jsch) - Used to connect to SFTP servers.
422
456
-[JSON-java 20250107](https://github.com/stleary/JSON-java) - Used to encode and decode JSON data.
423
457
424
458
### Server ID Reset
425
459
426
-
There is a *Reset ID* button on the add-on's main page. This will make the add-on forget its current server ID and re-register with the database at the start of the next sync. This server ID is the primary mechanism for how the database separates out data corresponding to different WebCTRL servers. If you ever need to force the add-on to choose a particular ID, you can craft and submit a particular HTTP request to the WebCTRL server. For example, *https://localhost/PostgreSQL_Connect/index?type=resetNow&newID=3* will force the ID of the WebCTRL server accessible at *localhost* to 3.
460
+
There is a *Reset ID* button on the add-on's main page. This will make the add-on forget its current server ID and re-register with the database at the start of the next sync. This server ID is the primary mechanism for how the database separates out data corresponding to different WebCTRL servers. If you ever need to force the add-on to choose a particular ID, you can craft and submit a particular HTTP request to the WebCTRL server. For example, *https://localhost/PostgreSQL_Connect/index?type=resetNow&newID=3* will force the ID of the WebCTRL server accessible at *localhost* to 3.
461
+
462
+
### Hostname Matching
463
+
464
+
If a technician copies a WebCTRL system folder over to another computer, then the configuration file for this add-on is also copied. When the other computer starts up, this add-on will try to connect to the PostgreSQL database using the same ID as the original computer. This is a problem. There should not be multiple computers connecting with the same ID. In an attempt to resolve this issue, the add-on stores the hostname of the computer alongside the database ID. When initializing, if the hostname stored in the config file does not match the hostname of the computer, the add-on will become inert. Therefore, if you ever need to change the hostname of a WebCTRL server, you should delete `./programdata/systems/test_system/webapp_data/PostgreSQL_Connect/private/hostname.dat` and restart this add-on.
0 commit comments