mike-jumper commented on a change in pull request #95:
URL: https://github.com/apache/guacamole-website/pull/95#discussion_r750526964
##########
File path: faq.md
##########
@@ -262,6 +262,15 @@ method for X11, which is too complex. This is not
necessary, though - as far as
performance is concerned, there is an X.Org driver for Guacamole currently
under development which achieves the same goal (see above).
+### I would like to access web pages via Guacamole. Can you add support for
HTTP(s)? {#support-http}
+No. Guacamole is designed to be a remote desktop client, and the goal is not
+to provide a complete remote access solution (VPN, Proxy, Zero-Trust, etc.).
There
+are many existing services available for VPN, Reverse Proxy, and the like, and
Guacamole
+can complement these solutions by providing a remote desktop component to those
Review comment:
I think this may be a bit too narrow.
Guacamole _is_ designed and intended to be a complete remote access
solution, and is particularly well-suited to Zero-Trust and taking the place of
what would traditionally involve a VPN given its built-in access controls and
authn/authz layer. Wherever a VPN would have previously been used to allow
remote access, Guacamole should serve as a much better alternative. If the view
is narrowed to just looking at Guacamole as a remote desktop client (which does
tend to happen given how the Guacamole project started), the access management
aspects of the platform end up being missed. Those aspects are a major feature
that set Guacamole apart in a great way.
The specific sticky point is whether remote access extends all the way to
non-desktop resources like a web application, to which our stance has been: no,
to protect access to an internal web application, you should use a reverse
proxy and becoming a general reverse proxy is out of scope for the Guacamole
project.
So:
* Generalized reverse proxy for HTTP resources? No.
* Better choice than a VPN (or similar) for remote access? Absolutely.
Current things that we can point users to with respect to providing this
sort of access are:
* Leverage an existing feature like RemoteApp to provide access to a browser
via Guacamole.
* Leverage features of an existing reverse proxy (like Nginx and its
`auth_request`) to delegate authentication to Guacamole.
Of course, the fact that we support general protected access to individual
native applications via RemoteApp could be argued to support that general
protected access to individual _web_ applications is also in scope, so we could
consider ... just changing our minds on this.
Given how frequently this is requested and the fact that we support
RemoteApp, I occasionally wonder whether we may be wrong to exclude access to
webapps from the concept of remote access.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
