Github user mike-jumper commented on a diff in the pull request:

    https://github.com/apache/guacamole-manual/pull/91#discussion_r203228459
  
    --- Diff: src/chapters/reverse-proxy.xml ---
    @@ -45,6 +45,99 @@
                 you will be creating connections that have Cyrillic, Chinese, 
Japanese, or other
                 non-Latin characters in their names or parameter values, this 
attribute is
                 required.</para>
    +        <section xml:id="tomcat-remote-ip">
    +            <title>Setting up the Remote IP Valve</title>
    +            <para>By default, when Tomcat is behind a reverse proxy, the 
remote IP address of the
    +                client that it sees is that of the proxy rather than the 
original client.  In order
    +                to allow applications hosted within Tomcat, like 
Guacmaole, to see the actual IP
    +                address of the client, you have to configure both the 
reverse proxy and Tomcat.</para>
    +            <para>Because the remote IP address in Guacamole is used for 
auditing of user logins and
    +                connections and could potentially be used for 
authentication, it is important that you
    +                are either in direct control of the proxy server or you 
explicitly trust it.  Passing
    +                the remote IP address is done using the 
<code>X-Forwarded-For</code> header, and,
    +                as with most HTTP headers, attackers can attempt to spoof 
this header in order to
    +                manipulate the behavior of the web server, gain 
unauthorized access to the system,
    +                or attempt to disguise the host or IP address they are 
coming from.</para>
    +            <para>One final caveat: This may not work as expected if there 
are other upstream proxy
    +                servers between your reverse proxy and the clients access 
Guacamole.  Other proxies
    +                or firewalls can mask the IP address of the client, and if 
the configuration of
    +                those is not within your control you may end up with 
multiple clients appearing to
    +                come from the same IP address or host.  Make sure you take 
this into account when
    +                configuring the system and looking at the data 
provided.</para>
    +            <para>Configuring Tomcat to pass through the remote IP address 
provided by the reverse
    +                proxy in the <code>X-Forwarded-For</code> header requires 
the configuration of what
    +                Tomcat calls a Valve.  In this case, it is the 
<code>RemoteIpValve</code> and is
    +                configured in the <filename>conf/server.xml</filename> 
file, in the
    +                <code>&lt;Host/></code>section:</para>
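Review bot: the spoofing warning in the second paragraph (starting "Because the remote IP address in Guacamole is used for auditing") is not connected to a mitigation anywhere in this hunk; since the hunk ends right before the server.xml snippet, the text should say that the RemoteIpValve must be restricted to honoring X-Forwarded-For only when the request arrives from the trusted reverse proxy's address (its internalProxies / trustedProxies attributes), and that the proxy itself should set the header rather than append to a client-supplied one, otherwise a client can still plant an arbitrary address in the login audit trail. Smaller fixes in the same hunk: "Guacmaole" should be "Guacamole", "the clients access Guacamole" should be "the clients accessing Guacamole", and `<code>&lt;Host/></code>section` is missing a space before "section".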
    --- End diff --
    
    It's a little odd to refer to a section by its closing tag.


---
