
Reverse Proxy Support

Open laramy2020 opened this issue 2 years ago • 17 comments

I have tried to use nginx to reverse proxy this, but have run into issues passing the credentials over due to how NTLM auth works. I have tried disabling auth and allowing anonymous on IIS, and both basic and digest auth on the nginx reverse proxy.

After filling out the credentials it just gets stuck on Verifying connection to https://site.website.tld/deploy

As for the reason for the reverse proxy: my home ISP changes IP pretty rapidly, and the reverse proxy is hosted on a VPS with a VPN tunnel back to my home lab.

laramy2020 avatar Mar 26 '23 00:03 laramy2020

We haven't tested such a scenario to validate whether it is supported or not. Maybe we can take a look at this functionality later, but I wouldn't expect it to happen soon.

GeoSimos avatar Mar 26 '23 22:03 GeoSimos

Why not try to use Caddy as a reverse proxy and the Caddy WebDAV plugin, to stop using IIS at all? This would also get this project working in a container environment on Windows and Linux.

FLeven avatar Mar 29 '23 12:03 FLeven

@GeoSimos are there any Windows-only features besides NTLM I should worry about? When I enable anonymous auth and move the auth to nginx, the IIS directory loads fine in a web browser, but the PE environment fails to load the files after authenticating.

@FLeven I was also going to look into nginx TCP streaming. But how does one use Caddy to proxy and the plugin to stop using IIS at all? It would be nice to not have to use a Windows Server OS, as it can be costly.

laramy2020 avatar Mar 29 '23 14:03 laramy2020
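The reason the HTTP-level nginx attempts above fail while a browser works is that NTLM authenticates the TCP connection rather than each request: once the three-message handshake completes, IIS treats every further request on that same connection as authenticated, so a proxy that opens new upstream connections or shares them between clients breaks the handshake. Open-source nginx cannot pin one client connection to one upstream connection in the http block (the ntlm upstream directive that does this is NGINX Plus only), but the stream module can pass the TLS session through untouched, which keeps a 1:1 client-to-IIS connection and also means the VPS never sees the credentials or the deployment share in the clear. The config below is an added example, not something posted in this thread or shipped by PSD; the tunnel address 10.8.0.2, the fallback backend and the requirement that nginx was built with the stream and ssl_preread modules are assumptions.

```nginx
# Added example: TCP/TLS passthrough so IIS Windows (NTLM) auth survives the proxy.
# Assumptions (not from the thread): the IIS deployment share host is reachable at
# 10.8.0.2:443 over the VPN tunnel, and nginx was built with --with-stream and
# --with-stream_ssl_preread_module. This block lives at the top level of nginx.conf,
# next to (not inside) any http { } block.
stream {
    # Route by the SNI hostname so other names on the VPS can still go elsewhere.
    # TLS is NOT terminated here; the certificate must be installed on IIS and
    # must match site.website.tld, exactly as it would without the proxy.
    map $ssl_preread_server_name $deploy_upstream {
        site.website.tld  10.8.0.2:443;    # IIS deployment share over the tunnel
        default           127.0.0.1:8443;  # anything else: a local fallback (assumed)
    }

    server {
        listen 443;                # change to a non-standard port if you must; IIS stays on 443
        ssl_preread on;            # peek at the ClientHello for SNI only
        proxy_connect_timeout 10s;
        proxy_timeout 30m;         # WIM/driver transfers reuse one authenticated connection
        proxy_pass $deploy_upstream;
    }
}
```

Because the proxy only sees ciphertext, it cannot cache or inspect the WebDAV traffic; caching would have to move to a box that holds the TLS key, or be replaced by keeping a copy of the share on the VPS. Check the build with `nginx -V 2>&1 | grep -o with-stream[a-z_]*` before relying on ssl_preread, and test with `openssl s_client -connect vps:443 -servername site.website.tld` to confirm the certificate presented is the IIS one.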

Use xcaddy to compile a custom version, including a WebDAV plugin. Caddy is a web server with almost perfect default settings as a reverse proxy. No reason to use nginx anymore.

FLeven avatar Mar 30 '23 21:03 FLeven

> Use xcaddy to compile a custom version, including a WebDAV plugin. Caddy is a web server with almost perfect default settings as a reverse proxy. No reason to use nginx anymore.

Hi @FLeven, have you tried this solution? Is it working with the NTLM authentication?

GeoSimos avatar Mar 30 '23 21:03 GeoSimos

> @GeoSimos are there any Windows-only features besides NTLM I should worry about? When I enable anonymous auth and move the auth to nginx, the IIS directory loads fine in a web browser, but the PE environment fails to load the files after authenticating.

We use HTTPS to connect to the web server that serves the deployment share; this is the first requirement. The second is WebDAV for the directory listing and transfer (however, we're in the process of moving away from it, because it has its quirks and security issues). In the solution, we provide the scripts to set up a standalone root CA to create the certificate for the web server that serves the deployment share; you can as well use a public certificate (that maps to your domain properly). However, we still rely on Windows authentication; I'm not quite sure if you can switch to anonymous -yet-. So far your scenario is nice and rational, but we don't support it for the time being. We can continue discussing your findings in this issue for a while.

GeoSimos avatar Mar 30 '23 21:03 GeoSimos

By the way @laramy2020, have you considered using a Dynamic DNS service to have a static hostname with a dynamic IP? This would eliminate the reverse proxy need.

GeoSimos avatar Mar 30 '23 21:03 GeoSimos

@GeoSimos not yet, the first step was to move the current solution into a Windows IIS container.

FLeven avatar Apr 06 '23 07:04 FLeven

> @GeoSimos not yet, the first step was to move the current solution into a Windows IIS container.

Then you can use PSD without issues (initially). For the reverse proxy, though, it will be a challenge, but it is a very interesting project and I would like more details about it if you reach a workable level. We may include documentation on how to do it in the solution.

GeoSimos avatar Apr 06 '23 21:04 GeoSimos

I will take a look at these options this weekend. I've been busy between work and job hunting. Will post any successes/roadblocks as I run into them.

laramy2020 avatar Apr 06 '23 21:04 laramy2020

So as progress goes, nginx stream gets closer; will test Caddy this weekend.

Works

  • NTLM auth over Firefox/Chrome
  • downloading files through web browsers

Not Working

  • PE Deploy (gets stuck on valid network config, pings to the internet work) (screenshot: Desktop-minint-0473m0u-2023-04-07-08-41)

Possibly not working

  • caching of files to improve speeds (home upload is 40 Mbps, reverse proxy server is full gigabit)

Would using a non-standard web port break this (in this case 8991)?

laramy2020 avatar Apr 07 '23 14:04 laramy2020

Well, new issue: can't boot my PSD ISO in libvirt even with Secure Boot and an emulated TPM. It just gets stuck here without the spinner. But Caddy is working just as much as nginx TCP streaming; won't be able to test till I figure out why my VM won't load the PE environment. The image host is CentOS 9 Stream with Secure Boot enabled, and the guest, well, was already mentioned. Will have to test with hardware maybe?

laramy2020 avatar Apr 09 '23 02:04 laramy2020

Moved to an Arch box; that loaded, kinda. My task sequences were not showing up, so at least one more step in. EDIT 1: never mind, it might have been because I had multiple sessions going; because I did not want to regen an ISO, I was editing bootstrap.ini and running wpeinit. TS now show. EDIT 2: I forgot the WebDAV stuff; it is stuck on inject drivers. Will have to add that feature to Caddy, will pick it back up tomorrow.

laramy2020 avatar Apr 09 '23 03:04 laramy2020

> Well, new issue: can't boot my PSD ISO in libvirt even with Secure Boot and an emulated TPM. It just gets stuck here without the spinner. But Caddy is working just as much as nginx TCP streaming; won't be able to test till I figure out why my VM won't load the PE environment. The image host is CentOS 9 Stream with Secure Boot enabled, and the guest, well, was already mentioned. Will have to test with hardware maybe?

Does your host allow Secure Boot for other vendors like Microsoft?

GeoSimos avatar Apr 09 '23 12:04 GeoSimos

> Well, new issue: can't boot my PSD ISO in libvirt even with Secure Boot and an emulated TPM. It just gets stuck here without the spinner. But Caddy is working just as much as nginx TCP streaming; won't be able to test till I figure out why my VM won't load the PE environment. The image host is CentOS 9 Stream with Secure Boot enabled, and the guest, well, was already mentioned. Will have to test with hardware maybe?

> Does your host allow Secure Boot for other vendors like Microsoft?

Yes it does. I am booting with Secure Boot both on and off, and it gets stuck on CentOS-based hosts; Arch seems to work fine. I have Windows 11 / Server 2022 guests running, so I guess it is some combo of Windows 11 PE and the CentOS 9 host.

Also had my first successful deployment to bare metal, so it works. Currently figuring out how to cache the data now. Caddy configs are frustrating, even more so when the module you need/want is not part of the core program.

I will post my dockerfile for building a caddy container and the caddyfile i am currently using at some point today.

laramy2020 avatar Apr 10 '23 17:04 laramy2020

CaddyFile.txt

Dockerfile.txt

So the caching config is kinda working. I am trying to understand how to configure it properly, but it seems to not cache the way I want it to.

Build the container using the Dockerfile, and run it with

docker run --name caddy --net host -v /path/to/config/on/host:/root/.local/share/ -v /path/to/caddy/file:/Caddyfile -it local/container:tag

I run ./caddy run manually to allow for testing config changes to the Caddyfile.

laramy2020 avatar Apr 11 '23 01:04 laramy2020

> CaddyFile.txt
>
> Dockerfile.txt
>
> So the caching config is kinda working. I am trying to understand how to configure it properly, but it seems to not cache the way I want it to.
>
> Build the container using the Dockerfile, and run it with
>
> docker run --name caddy --net host -v /path/to/config/on/host:/root/.local/share/ -v /path/to/caddy/file:/Caddyfile -it local/container:tag
>
> I run ./caddy run manually to allow for testing config changes to the Caddyfile.

Hi, would you mind sharing how to make it work with nginx? I'm stuck with it.

trongtinh1212 avatar Oct 12 '24 02:10 trongtinh1212