This is an automated email from the ASF dual-hosted git repository.

mjumper pushed a commit to branch staging/1.5.0
in repository https://gitbox.apache.org/repos/asf/guacamole-client.git

commit fed176def6ee5df9309a01f1d1fd660f071cf9fe
Merge: ef9afb0c7 65074cb1e
Author: Mike Jumper <[email protected]>
AuthorDate: Wed Jul 27 23:42:11 2022 -0700

    GUACAMOLE-1005: Merge Docker support for configuring RemoteIPValve.

 Dockerfile                    |  6 ++++-
 guacamole-docker/bin/start.sh | 57 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)

diff --cc guacamole-docker/bin/start.sh
index b172d5e25,c13d2407d..c9d205b58
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@@ -910,14 -708,59 +910,66 @@@ associate_json() 
      # Add required .jar files to GUACAMOLE_EXT
      ln -s /opt/guacamole/json/guacamole-auth-*.jar "$GUACAMOLE_EXT"
  }
+ ##
+ ## Sets up Tomcat's remote IP valve that allows gathering the remote IP
+ ## from headers set by a remote proxy
+ ## Upstream documentation: 
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
+ ##
+ enable_remote_ip_valve() {
+     # Add <Valve> element
+     xmlstarlet edit --inplace \
+         --insert '/Server/Service/Engine/Host/*' --type elem -n Valve \
+         --insert '/Server/Service/Engine/Host/Valve[not(@className)]' --type 
attr -n className -v org.apache.catalina.valves.RemoteIpValve \
+         $CATALINA_BASE/conf/server.xml
+ 
+     # Allowed IPs
+     if [ -z "$PROXY_ALLOWED_IPS_REGEX" ]; then
+         echo "Using default Tomcat allowed IPs regex"
+     else
+         xmlstarlet edit --inplace \
+             --insert 
'/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.RemoteIpValve"]'
 \
+             --type attr -n internalProxies -v "$PROXY_ALLOWED_IPS_REGEX" \
+             $CATALINA_BASE/conf/server.xml
+     fi
+ 
+     # X-Forwarded-For
+     if [ -z "$PROXY_IP_HEADER" ]; then
+         echo "Using default Tomcat proxy IP header"
+     else
+         xmlstarlet edit --inplace \
+             --insert 
"/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']"
 \
+             --type attr -n remoteIpHeader -v "$PROXY_IP_HEADER" \
+             $CATALINA_BASE/conf/server.xml
+     fi
+ 
+     # X-Forwarded-Proto
+     if [ -z "$PROXY_PROTOCOL_HEADER" ]; then
+         echo "Using default Tomcat proxy protocol header"
+     else
+         xmlstarlet edit --inplace \
+             --insert 
"/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']"
 \
+             --type attr -n protocolHeader -v "$PROXY_PROTOCOL_HEADER" \
+             $CATALINA_BASE/conf/server.xml
+     fi
+ 
+     # X-Forwarded-By
+     if [ -z "$PROXY_BY_HEADER" ]; then
+         echo "Using default Tomcat proxy forwarded by header"
+     else
+         xmlstarlet edit --inplace \
+             --insert 
"/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']"
 \
+             --type attr -n remoteIpProxiesHeader -v "$PROXY_BY_HEADER" \
+             $CATALINA_BASE/conf/server.xml
+     fi
+ }
  
 +##
 +## Adds api-session-timeout to guacamole.properties
 +##
 +associate_apisessiontimeout() {
 +    set_optional_property "api-session-timeout" "$API_SESSION_TIMEOUT"
 +}
 +
  ##
  ## Starts Guacamole under Tomcat, replacing the current process with the
  ## Tomcat process. As the current process will be replaced, this MUST be the
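Review bot: When `PROXY_ALLOWED_IPS_REGEX` is unset, `enable_remote_ip_valve` leaves `internalProxies` at Tomcat's default, which per the linked RemoteIpValve documentation trusts loopback and private address ranges. Any peer on the container network in those ranges can then have its `X-Forwarded-For` value accepted as the client address by logging and anything else that relies on the remote address. The message in that branch should say so, e.g. `echo "PROXY_ALLOWED_IPS_REGEX not set; trusting Tomcat's default internal proxy ranges (loopback and private networks)"`, and the deployment docs should recommend setting the regex to the actual proxy address. Separately, the first `--insert '/Server/Service/Engine/Host/*'` matches every child of `<Host>`, so it adds one `<Valve>` per existing child and none if `<Host>` is empty; `--insert '/Server/Service/Engine/Host/*[1]'` would insert exactly one while keeping it ahead of the existing valves. `$CATALINA_BASE/conf/server.xml` is also unquoted in all five `xmlstarlet` calls and should be `"$CATALINA_BASE/conf/server.xml"`.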
