sync: auto-sync from HOWARD-HOME at 2026-05-08 19:53:03
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-05-08 19:53:03
@@ -0,0 +1,92 @@
|
||||
# GuruRMM — macOS installer missing + Cloudflare blocking install one-liner
|
||||
|
||||
**Date:** 2026-05-07
|
||||
**Tenant / Site:** Main Office (`WEST-MEADOW-9025`)
|
||||
**Triggered by:** Sylvia's Mac mini (`Sylvias-Mini`) install attempt failed
|
||||
|
||||
## User
|
||||
- **User:** Howard Enos (howard)
|
||||
- **Machine:** Howard-Home
|
||||
- **Role:** tech
|
||||
|
||||
## Summary
|
||||
|
||||
While trying to enroll Sylvia's Mac mini in GuruRMM, two distinct issues surfaced. Both are server-side problems, not user error.
|
||||
|
||||
1. The bootstrap one-liner (`curl -fsSL ... | sudo bash`) returns 403 because Cloudflare Bot Fight Mode blocks bare `curl/*` user agents. This affects every platform, not just Mac — anyone running the documented install command on Linux/Windows/Mac is hitting the CF challenge page before the request ever reaches the GuruRMM server.
|
||||
2. There is no macOS installer route on the server. `/install/<site>/{macos,darwin,mac,osx}` all return 404. Only `linux` and `windows` are implemented.
|
||||
|
||||
## Reproduction
|
||||
|
||||
```
|
||||
sylvia@Sylvias-Mini ~ % curl -fsSL 'https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux' | sudo bash
|
||||
curl: (22) The requested URL returned error: 403
|
||||
```
|
||||
|
||||
(she used `/linux` — wrong platform anyway, but the 403 is from Cloudflare, not GuruRMM)
|
||||
|
||||
### Diagnosis from Howard-Home
|
||||
|
||||
```
|
||||
$ curl -i https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux
|
||||
HTTP/1.1 403 Forbidden
|
||||
Server: cloudflare
|
||||
Cf-Mitigated: challenge
|
||||
...
|
||||
```
|
||||
|
||||
With a normal browser UA, request reaches the server:
|
||||
|
||||
```
|
||||
$ curl -A 'Mozilla/5.0 ... Safari/537.36' https://rmm.azcomputerguru.com/install/WEST-MEADOW-9025/linux
|
||||
# GuruRMM Agent Installer
|
||||
# Site: Main Office (WEST-MEADOW-9025)
|
||||
HTTP 200
|
||||
```
|
||||
|
||||
Platform enumeration (with browser UA so CF doesn't block):
|
||||
|
||||
| Path | Result |
|
||||
|------|--------|
|
||||
| `/install/WEST-MEADOW-9025/linux` | 200 (script) |
|
||||
| `/install/WEST-MEADOW-9025/windows` | 200 |
|
||||
| `/install/WEST-MEADOW-9025/macos` | 404 |
|
||||
| `/install/WEST-MEADOW-9025/darwin` | 404 |
|
||||
| `/install/WEST-MEADOW-9025/mac` | 404 |
|
||||
| `/install/WEST-MEADOW-9025/osx` | 404 |
|
||||
| `/install/WEST-MEADOW-9025/apple` | 404 |
|
||||
|
||||
## Message for Mike
|
||||
|
||||
Two GuruRMM items for you:
|
||||
|
||||
### 1. Build the macOS agent + installer route (Sylvia is blocked)
|
||||
|
||||
Sylvia (Main Office / `WEST-MEADOW-9025`) needs an agent on her Mac mini. There is no macOS target today. Scope:
|
||||
|
||||
- Rust agent built for `aarch64-apple-darwin` (Apple Silicon) and `x86_64-apple-darwin` (Intel)
|
||||
- Server route: `/install/<site>/macos` returning either a shell installer (parity with linux) or a signed `.pkg`
|
||||
- LaunchDaemon for service supervision (mac equivalent of the systemd unit on Linux)
|
||||
- Apple Developer ID signing + notarization so Gatekeeper doesn't block install on a stock Mac. Without notarization, every user has to right-click→Open or pop System Settings → Privacy & Security to allow it. Painful at scale.
|
||||
- Install path convention: `/usr/local/gururmm` (or `/opt/gururmm` for parity with Linux, but `/usr/local` is more macOS-native)
|
||||
|
||||
If notarization is too much work for v1, a shell-script installer that builds from a code-signed binary still works for mom-and-pop deployments, just expects user to right-click→Open the first time.
|
||||
|
||||
### 2. Cloudflare bot challenge is blocking the install one-liner
|
||||
|
||||
Independent of the macOS work, the Linux/Windows install commands documented in the dashboard don't work as written today. Bare `curl` is being challenged by CF. Three fixes (pick one):
|
||||
|
||||
- **Server-side, recommended:** Cloudflare WAF rule to skip bot fight mode on `(http.request.uri.path matches "^/install/")`. That's the cleanest — install commands stay copy-pasteable.
|
||||
- Page Rule: Security Level "Essentially Off" for `/install/*`.
|
||||
- Document the UA flag in the install command: `curl -fsSL -A 'Mozilla/5.0 ...'` — but that's a bandage, every user hits it.
|
||||
|
||||
I'd go with the WAF skip. The endpoint already requires a valid site code so we're not exposing anything new by removing the bot check on it.
|
||||
|
||||
## Howard follow-ups
|
||||
|
||||
- [ ] Sylvia's Mac mini: diagnose slowness / low-memory popups separately (this session) — not enrollment-related.
|
||||
- [ ] Once Mike ships the macOS agent, return to Sylvia for enrollment.
|
||||
|
||||
## Artifacts
|
||||
|
||||
None — diagnosis was all live curl probes, no persistent state.
|
||||
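Review bot: The closing argument in "Message for Mike" item 2 ("The endpoint already requires a valid site code so we're not exposing anything new") makes the site code the only gate on `/install/`, yet this file records the live code `WEST-MEADOW-9025` verbatim in the header, in the curl transcripts and in every row of the enumeration table. If the code is meant to act as a credential, write it as `<site>` here, the way the Summary already does for `/install/<site>/{macos,darwin,mac,osx}`. The same paragraph should also say what replaces the bot check once it is skipped: nothing in the proposal throttles repeated requests against `/install/<site>/...`, and the script served there is piped into `sudo bash`. Pair the WAF skip with a rate limit on that path, and keep the skip scoped to the bot check rather than taking the Page Rule option's "Essentially Off". After the change, rerun the bare `curl -i` probe from the Diagnosis section to confirm the 403 and `Cf-Mitigated: challenge` are gone.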