diff --git a/session-logs/2026-04-06-session.md b/session-logs/2026-04-06-session.md new file mode 100644 index 0000000..715c962 --- /dev/null +++ b/session-logs/2026-04-06-session.md 
@@ -0,0 +1,138 @@ +# Session Log: 2026-04-06 + +## Session Summary + +Mixed infrastructure session covering ScreenConnect redirect page, UniFi OS Server migration, and related networking changes. + +### Work Completed + +1. **ScreenConnect redirect page at azcomputerguru.com/sc** + - Created PHP redirect at `/home/azcomputerguru/public_html/sc/index.php` on IX server + - Initially tried .htaccess RewriteRule but Apache mangled `%2B` encoding in the RSA key + - Switched to PHP `header()` redirect which preserves URL encoding exactly + - Correct SC download URL: `https://computerguru.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&c=&c=&c=&c=&c=&c=&c=&c=DirectDownload` + - Original attempt used wrong binary name (`ConnectWiseControl.ClientSetup.exe`) and included h/p/k params -- the correct URL from SC admin is simpler + +2. **UniFi OS Server - Docker troubleshooting on Jupiter (abandoned)** + - `unifi-os-server` Docker container on Jupiter (172.16.3.20) had "no internet" error on setup screen + - Container actually had full internet -- all Ubiquiti endpoints reachable + - Likely an application-level self-check issue + - `unifi-controller-reborn` Docker was crash-looping due to missing symlink targets: + - `logs` -> `/var/log/unifi` -> `/unifi/log` (didn't exist) + - `run` -> `/var/run/unifi` -> `/unifi/run` (didn't exist) + - Only `/unifi/var` was volume-mounted, not `/unifi/log` or `/unifi/run` + - Created missing directories, MongoDB started, container went healthy + - User ultimately removed Docker approach in favor of a dedicated VM + +3. 
**UniFi OS Server - VM installation (172.16.3.29)** + - New Rocky Linux 9.1 VM set up by user at 172.16.3.29 + - Hostname: `unifi.azcomputerguru.com` + - Installed `podman` (5.6.0) and `slirp4netns` (1.3.3) via dnf + - Downloaded UOS Server 5.0.6 installer (803MB) from Ubiquiti + - Ran installer with `echo y | ./installer` (requires interactive confirmation) + - Installer uses Podman internally to run a container as user `uosserver` (UID 1000) + - Service: `uosserver.service` (systemd) + - Web UI: https://172.16.3.29:11443/ + +4. **Firewall - Rocky Linux VM** + - Opened all required UniFi ports in firewalld: + - TCP: 11443, 8443, 8080, 8880, 8881, 8882, 8444, 6789, 5671, 5005, 9543, 11084 + - UDP: 3478, 10001, 1900, 5514, 10003 + +5. **pfSense NAT updates** + - Checked existing NAT rules on pfSense (172.16.0.1:2248) + - `Unifi_Server` alias was pointing to `172.16.3.28` (old Docker container IP) + - User manually updated alias to `172.16.3.29` (new VM) + - Existing port forwards on public IP 72.194.62.10: 8443/tcp, 3478/tcp+udp + - NPM (172.16.3.20) handles HTTPS on 72.194.62.10:443 -> port 18443 + +6. **UniFi inform URL configuration** + - Set `system_ip=unifi.azcomputerguru.com` in system.properties inside Podman container + - Path: `/usr/lib/unifi/data/system.properties` (inside container) + - Restarted uosserver service to apply + - Devices will inform to: `http://unifi.azcomputerguru.com:8080/inform` + +7. 
**NPM proxy host update** + - User updated `unifi.azcomputerguru.com` proxy host in NPM to point to new VM + - Port changed from 443 to 11443, scheme HTTPS + +### Key Decisions +- Abandoned Docker approach for UniFi OS on Jupiter -- too many symlink/volume issues +- Dedicated Rocky Linux 9.1 VM is cleaner for UOS Server +- UOS Server 5.0.6 uses Podman internally (not Docker) even on bare metal install +- Recommended bumping VM RAM from 8GB to 16GB before migrating ~300 devices + +--- + +### Credentials + +#### UniFi VM (172.16.3.29) +- SSH: root / Gptf*77ttb123!@#-unifi +- OS: Rocky Linux 9.1 +- Hostname: unifi.azcomputerguru.com + +#### IX Server (172.16.3.10) +- SSH: root / Gptf*77ttb!@#!@# (port 22) +- Requires sshpass or paramiko (no SSH key auth from this workstation) + +#### pfSense (172.16.0.1) +- SSH: admin / r3tr0gradE99!! (port 2248) +- See vault: infrastructure/pfsense-firewall.sops.yaml + +#### NPM (Nginx Proxy Manager) +- Host: 172.16.3.20:7818 +- See vault/1Password for credentials + +--- + +### Infrastructure & Servers + +| Server | IP | Role | Notes | +|--------|-----|------|-------| +| IX Server | 172.16.3.10 | Web hosting (cPanel) | azcomputerguru.com WordPress | +| Jupiter | 172.16.3.20 | Unraid, NPM, Gitea | NPM on port 7818/18443 | +| UniFi VM | 172.16.3.29 | UniFi OS Server 5.0.6 | Rocky Linux 9.1, 8 vCPU, 7.4GB RAM | +| pfSense | 172.16.0.1 | Firewall/router | SSH port 2248 | + +### DNS / Proxy +- `unifi.azcomputerguru.com` -> 72.194.62.10 (public) -> NPM -> 172.16.3.29:11443 +- `azcomputerguru.com/sc/` -> PHP redirect to ScreenConnect installer + +### Files Created/Modified +- `/home/azcomputerguru/public_html/sc/index.php` (IX server) -- SC redirect +- `/usr/lib/unifi/data/system.properties` (inside UOS Podman container) -- inform URL +- Firewalld rules on 172.16.3.29 -- all UniFi ports opened +- pfSense `Unifi_Server` alias updated from 172.16.3.28 to 172.16.3.29 + +--- + +### Pending/Incomplete Tasks +- [ ] Bump UniFi VM RAM from 8GB to 
16GB (recommended for ~300 devices) +- [ ] Migrate from old UniFi Network controller to new UOS Server (backup + restore) +- [ ] Verify all pfSense port forwards are working correctly after alias change +- [ ] Consider adding port 11443 NAT rule on pfSense for external UOS web UI access +- [ ] Set up SSH key auth on IX server and UniFi VM for this workstation +- [ ] Note: captive portal port changed from 8843 (legacy) to 8444 (UOS Server) + +### Port Reference - UniFi OS Server +| Port | Protocol | Purpose | +|------|----------|---------| +| 11443 | TCP | UOS Web UI (maps to 443 inside container) | +| 8443 | TCP | UniFi Application HTTPS | +| 8080 | TCP | Device inform | +| 8444 | TCP | Captive portal HTTPS (was 8843 on legacy) | +| 8880 | TCP | HTTP portal redirect | +| 3478 | UDP | STUN | +| 10001 | UDP | Device discovery | +| 1900 | UDP | L2 discovery | +| 5514 | UDP | Remote syslog | + +### UOS Server Management Commands +```bash +sudo systemctl stop uosserver +sudo systemctl start uosserver +sudo systemctl restart uosserver +sudo systemctl status uosserver +# Container runs as user 'uosserver' via podman +su - uosserver -c "podman exec uosserver " +```
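Review bot: the `### Credentials` section of this new session log commits plaintext root and admin passwords for three hosts (`- SSH: root / Gptf*77ttb123!@#-unifi` for the UniFi VM, the IX server root password, and `- SSH: admin / r3tr0gradE99!! (port 2248)` for pfSense), which contradicts the same section's own pointers to `infrastructure/pfsense-firewall.sops.yaml` and to 1Password. Replace the inline passwords with vault references only (the sops path and 1Password item names are sufficient for the log's purpose), and treat the three passwords as exposed: once this commit lands they remain in git history even after a later edit removes them, so they need to be rotated, not merely deleted. The note under the IX server that key auth is unavailable, together with the pending task "Set up SSH key auth on IX server and UniFi VM", is the right direction and would also remove the reason these passwords were written down. Separately, the last line of the management commands, `su - uosserver -c "podman exec uosserver "`, is missing the command to run inside the container; either complete it with a placeholder such as `<command>` or drop it so it is not copied as-is.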