benrubson commented on a change in pull request #489:
URL: https://github.com/apache/guacamole-client/pull/489#discussion_r493027390
##########
File path: guacamole-docker/bin/start.sh
##########
@@ -762,6 +822,11 @@ fi
set_property "guacd-hostname" "$GUACD_HOSTNAME"
set_property "guacd-port" "$GUACD_PORT"
+# Set up Tomcat RemoteIPValve
+if [ -n "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ]; then
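Review bot: gating the valve on `-n "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX"` makes one variable serve both as the on/off switch and as the trust boundary, so an operator cannot enable the valve while keeping Tomcat's default `internalProxies` (loopback and RFC 1918 ranges), and any regex, however broad, is accepted silently even though the valve will then honour `X-Forwarded-For` from every address the regex matches. Gate the feature on an explicit boolean such as `REMOTE_IP_VALVE_ENABLED=true`, treat the regex as optional, and log the effective `internalProxies` value at startup so an over-permissive trust range is visible in the container logs.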
Review comment:
Let's mimic the `TOTP_ENABLED` option:
```suggestion
if [ "$REMOTE_IP_VALVE_ENABLED" = "true" ]; then
```
So that we are not forced to overwrite the default Tomcat value.
##########
File path: guacamole-docker/bin/start.sh
##########
@@ -683,6 +683,66 @@ END
ln -s /opt/guacamole/cas/guacamole-auth-*.jar "$GUACAMOLE_EXT"
}
+##
+## Sets up Tomcat's remote IP valve that allows gathering the remote IP
+## from headers set by a remote proxy
+##
+enable_remote_ip_valve() {
+ # Check the required variables
+ if [ -z "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ]; then
+ cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using the Tomcat RemoteIPValve preseed, you must provide each of the
+following environment variables:
+
+ GUACAMOLE_PROXY_ALLOWED_IPS_REGEX The regex of addresses allowed to set
+ the remote IP of the client via
+ transmission of specific headers
+END
+ exit 1
+ fi
+
+ # Set reasonable defaults if optional variables have not been provided
+ if [ -z "$GUACAMOLE_PROXY_IP_HEADER" ]; then
+ GUACAMOLE_PROXY_IP_HEADER='X-Forwarded-For'
+ echo "Defaulted RemoteIPValve IP header to: $GUACAMOLE_PROXY_IP_HEADER"
+ fi
+ if [ -z "$GUACAMOLE_PROXY_PROTOCOL_HEADER" ]; then
+ GUACAMOLE_PROXY_PROTOCOL_HEADER='X-Forwarded-Proto'
+ echo "Defaulted RemoteIPValve protocol header to:
$GUACAMOLE_PROXY_PROTOCOL_HEADER"
+ fi
+ if [ -z "$GUACAMOLE_PROXY_BY_HEADER" ]; then
+ GUACAMOLE_PROXY_BY_HEADER='X-Forwarded-By'
+ echo "Defaulted RemoteIPValve source header to:
$GUACAMOLE_PROXY_BY_HEADER"
+ fi
+
+ # Build the new Tomcat configuration
+ cat > /tmp/valve.xml <<EOF
+ <Valve className="org.apache.catalina.valves.RemoteIpValve"
+ internalProxies="$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX"
+ remoteIpHeader="$GUACAMOLE_PROXY_IP_HEADER"
+ remoteIpProxiesHeader="$GUACAMOLE_PROXY_BY_HEADER"
+ protocolHeader="$GUACAMOLE_PROXY_PROTOCOL_HEADER" />
+EOF
+
+ # Get the line where the Host configuration ends
+ LINEN=$(grep -n '</Host>' /usr/local/tomcat/conf/server.xml | cut -d ':'
-f 1)
+
+ # Split the file in 2 around the Host configuration
+ head -n "$(( LINEN - 1 ))" < /usr/local/tomcat/conf/server.xml >
/tmp/head.xml
+ tail -n "+$LINEN" < /usr/local/tomcat/conf/server.xml > /tmp/tail.xml
+
+ # Reassemble the file
+ cat /tmp/head.xml /tmp/valve.xml /tmp/tail.xml >
/usr/local/tomcat/conf/server.xml
+
+ # Cleanup
+ rm -f \
+ /tmp/head.xml \
+ /tmp/tail.xml \
+ /tmp/valve.xml
+}
+
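Review bot: `enable_remote_ip_valve` writes `$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX` and the three header names into the `<Valve>` attributes verbatim, so a value containing `"`, `&` or `<` yields a malformed `server.xml` and Tomcat will not start; either reject those characters before the heredoc or escape them as XML attribute values. The splice also assumes exactly one `</Host>` line: with none, `LINEN` is empty and `head -n "$(( LINEN - 1 ))"` becomes `head -n -1`, and with several, `LINEN` is multi-line and both `head` and `tail` fail, after which the `cat` still overwrites `server.xml`; check `[ -n "$LINEN" ]` (or use `grep -c '</Host>'` and require a count of 1) before rewriting the file. Minor: the `FATAL` message says "each of the following environment variables" but lists only one, and the `GUACAMOLE_PROXY_BY_HEADER` message calls it the "source header" although `remoteIpProxiesHeader` is the header Tomcat reads the proxy chain from.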
Review comment:
Let's replace the whole `enable_remote_ip_valve` function with the
following:
```bash
enable_remote_ip_valve() {
    # Insert the <Valve> element just before the closing </Host>, reusing its
    # indentation (\1) and indenting the new element one level deeper (\2\2).
    # Each attribute is emitted only when its variable is set, so Tomcat's
    # defaults apply otherwise.
    sed -i "s|^\(\(\s\)\+\)</Host>|\1\2\2<Valve \
className=\"org.apache.catalina.valves.RemoteIpValve\" \
${GUACAMOLE_PROXY_ALLOWED_IPS_REGEX:+internalProxies=\"$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX\"} \
${GUACAMOLE_PROXY_IP_HEADER:+remoteIpHeader=\"$GUACAMOLE_PROXY_IP_HEADER\"} \
${GUACAMOLE_PROXY_BY_HEADER:+remoteIpProxiesHeader=\"$GUACAMOLE_PROXY_BY_HEADER\"} \
${GUACAMOLE_PROXY_PROTOCOL_HEADER:+protocolHeader=\"$GUACAMOLE_PROXY_PROTOCOL_HEADER\"} \
/>\n\n\1</Host>|" \
        /usr/local/tomcat/conf/server.xml
}
```
It has several advantages:
- we update the `server.xml` file in place, without several temporary files;
- we keep the safe valve options [default values](https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html) if they are not enforced by the user.
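A safer way to assemble the same `<Valve>` element, added here as an illustration and not code from the pull request or from the Guacamole project: it escapes the environment values for use inside XML attributes (so a `"`, `&` or `<` in a header name or regex cannot break `server.xml`), emits an attribute only when its variable is set so Tomcat's documented defaults apply otherwise, and refuses to edit a `server.xml` that does not contain exactly one `</Host>`. The function names `xml_attr_escape`, `valve_attr`, `build_remote_ip_valve` and `insert_remote_ip_valve`, and the sample `server.xml` used below, are constructed for this example.

```shell
#!/bin/sh
# Build a RemoteIpValve element from the GUACAMOLE_PROXY_* variables and
# splice it into a server.xml without sed substitutions or temporary files
# beyond the single rename (example code, not the project's start.sh).

# Escape the five XML-special characters for a double-quoted attribute value.
# '&' is handled first so the entities added afterwards are not re-escaped.
xml_attr_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Emit ' name="value"' only when the value is non-empty, so unset variables
# leave the valve's default for that attribute in force.
valve_attr() {
    [ -n "$2" ] || return 0
    printf ' %s="%s"' "$1" "$(xml_attr_escape "$2")"
}

# Print the complete <Valve .../> element, prefixed with the given indentation.
build_remote_ip_valve() {
    printf '%s<Valve className="org.apache.catalina.valves.RemoteIpValve"' "$1"
    valve_attr internalProxies "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX"
    valve_attr remoteIpHeader "$GUACAMOLE_PROXY_IP_HEADER"
    valve_attr remoteIpProxiesHeader "$GUACAMOLE_PROXY_BY_HEADER"
    valve_attr protocolHeader "$GUACAMOLE_PROXY_PROTOCOL_HEADER"
    printf ' />\n'
}

# Insert the element immediately before the single </Host> of the given file.
# A file with zero or several closing tags is left untouched and reported.
insert_remote_ip_valve() {
    file="$1"
    count=$(grep -c '</Host>' "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one </Host> in $file, found $count" >&2
        return 1
    fi
    # Reuse the indentation of </Host> and go one level (two spaces) deeper.
    indent=$(sed -n 's|^\([[:space:]]*\)</Host>.*|\1|p' "$file")
    valve=$(build_remote_ip_valve "${indent}  ")
    # Pass the element through the environment: awk -v would reinterpret the
    # backslashes that a regex such as 10\.0\.0\.1 legitimately contains.
    valve="$valve" awk '/<\/Host>/ { print ENVIRON["valve"] } { print }' "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}
```

Because the attributes are only emitted when set, leaving `GUACAMOLE_PROXY_ALLOWED_IPS_REGEX` empty keeps Tomcat's default `internalProxies` (loopback and private ranges), which is the conservative choice: the valve will only honour forwarded headers from addresses that match that pattern.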
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.