Re: guacd with SSL

2020-07-05 Thread Henri Alves de Godoy
Hi Mike, thanks for your reply.

Communication between the web user on tomcat is already done. I was able to
configure the reverse proxy in apache without any problems.

Now I want to do the configuration even between Tomcat and guacd.

I put the option in properties:

guacd-ssl: true

I restarted tomcat

I started guacd with the line:

/usr/local/sbin/guacd -f -C /etc/httpd/certs/remoto-final.pem -K /etc/pki/tls/certs/remoto-key.pem -L debug &

Log error

 guacd[14818]: Unable to set up SSL/TLS: SSL accept failed

The certificates that I am specifying in guacd are the same ones that I used
for the Tomcat SSL web.

What could I be doing wrong?

Thanks
Henri


On Sun, Jul 5, 2020 at 20:13, Mike Jumper
wrote:

> First, if you are trying to set up SSL/TLS in front of the web
> application, this is not the way. This affects only the (internal)
> communication between Tomcat and guacd.
>
> Assuming this is indeed what you're looking for (you are trying to encrypt
> the internal, non-user-facing communication between Tomcat and guacd), did
> you set the corresponding properties in guacamole.properties? When
> encrypting communication between Tomcat and guacd, both ends need to be
> configured for this:
>
>
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup
>
> If you are just looking to encrypt the user-facing side of things, you
> don't need to do any of this. You should instead look to set up Apache or
> Nginx as a reverse proxy to provide SSL termination in front of Tomcat:
>
> https://guacamole.apache.org/doc/gug/proxying-guacamole.html
>
> - Mike
>
> On Sun, Jul 5, 2020, 16:07 Henri Alves de Godoy
>  wrote:
>
>> I promise it's my last question for today ;-)
>>
>> When I put the certificate settings in guacd, I have in the log:
>>
>> Jul  5 20:00:34 guacd[14248]: Guacamole proxy daemon (guacd) version
>> 1.2.0 started
>> Jul  5 20:00:34 guacd[14248]: Communication will require SSL/TLS.
>> Jul  5 20:00:34 guacd[14248]: Using PEM keyfile
>> /etc/pki/tls/certs/cert-key.pem
>> Jul  5 20:00:34 guacd[14248]: Using certificate file
>> /etc/httpd/certs/cert-final.pem
>> Jul  5 20:00:34 guacd[14248]: Listening on host 127.0.0.1, port 4822
>>
>> However, when establishing a connection to Windows via RDP, I can't, and
>> this appears in the log:
>>
>> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
>> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
>> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
>>
>> Any tips on what might be happening?
>>
>> Thank you
>>
>> --
>> Henri Alves Godoy
>> Tecnologia da Informação e Comunicação
>> Faculdade de Ciências Aplicadas - FCA
>> Universidade Estadual de Campinas - UNICAMP
>> Fone: (19) 3701-6682
>>
>

-- 
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Fone: (19) 3701-6682


Re: guacd with SSL

2020-07-05 Thread Mike Jumper
First, if you are trying to set up SSL/TLS in front of the web application,
this is not the way. This affects only the (internal) communication between
Tomcat and guacd.

Assuming this is indeed what you're looking for (you are trying to encrypt
the internal, non-user-facing communication between Tomcat and guacd), did
you set the corresponding properties in guacamole.properties? When
encrypting communication between Tomcat and guacd, both ends need to be
configured for this:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup

If you are just looking to encrypt the user-facing side of things, you
don't need to do any of this. You should instead look to set up Apache or
Nginx as a reverse proxy to provide SSL termination in front of Tomcat:

https://guacamole.apache.org/doc/gug/proxying-guacamole.html

- Mike

On Sun, Jul 5, 2020, 16:07 Henri Alves de Godoy
 wrote:

> I promise it's my last question for today ;-)
>
> When I put the certificate settings in guacd, I have in the log:
>
> Jul  5 20:00:34 guacd[14248]: Guacamole proxy daemon (guacd) version 1.2.0
> started
> Jul  5 20:00:34 guacd[14248]: Communication will require SSL/TLS.
> Jul  5 20:00:34 guacd[14248]: Using PEM keyfile
> /etc/pki/tls/certs/cert-key.pem
> Jul  5 20:00:34 guacd[14248]: Using certificate file
> /etc/httpd/certs/cert-final.pem
> Jul  5 20:00:34 guacd[14248]: Listening on host 127.0.0.1, port 4822
>
> However, when establishing a connection to Windows via RDP, I can't, and
> this appears in the log:
>
> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
> guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
>
> Any tips on what might be happening?
>
> Thank you
>
> --
> Henri Alves Godoy
> Tecnologia da Informação e Comunicação
> Faculdade de Ciências Aplicadas - FCA
> Universidade Estadual de Campinas - UNICAMP
> Fone: (19) 3701-6682
>
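
Added example, not part of the original thread and not Guacamole project code: a small Python check of the point made in the reply above, that the web application (`guacd-ssl` in guacamole.properties) and guacd (`-C`/`-K`) must both be configured for SSL/TLS. The function names and the sample input are constructed for illustration; with `verify_files=True` it also tries to load the certificate/key pair from disk.

```python
import re
import shlex
import ssl

def parse_properties(text):
    """Parse 'name: value' lines as used in guacamole.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s*[:=]\s*", line, maxsplit=1)
            if len(parts) == 2:
                props[parts[0]] = parts[1]
    return props

def parse_guacd_args(command):
    """Return the -C (certificate) and -K (key) paths from a guacd command line."""
    argv = shlex.split(command)
    found = {}
    for flag, name in (("-C", "cert"), ("-K", "key")):
        if flag in argv[:-1]:
            found[name] = argv[argv.index(flag) + 1]
    return found

def check_tls_agreement(properties_text, guacd_command, verify_files=False):
    """Return a list of findings; an empty list means both ends agree."""
    props = parse_properties(properties_text)
    client_tls = props.get("guacd-ssl", "false").lower() == "true"
    args = parse_guacd_args(guacd_command)
    findings = []
    if len(args) == 1:
        findings.append("guacd was given only one of -C and -K")
    if client_tls and not args:
        findings.append("guacd-ssl is true but guacd was started without -C/-K")
    if args and not client_tls:
        findings.append("guacd was started with -C/-K but guacd-ssl is not true")
    if len(args) == 2 and verify_files:
        try:
            # Raises ssl.SSLError if the key does not belong to the certificate,
            # OSError if a file is missing or unreadable.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(args["cert"], args["key"])
        except (ssl.SSLError, OSError) as exc:
            findings.append(f"certificate/key pair could not be loaded: {exc}")
    return findings

# Constructed sample input modelled on the command line quoted in this thread.
SAMPLE_COMMAND = ("/usr/local/sbin/guacd -f -C /etc/httpd/certs/remoto-final.pem "
                  "-K /etc/pki/tls/certs/remoto-key.pem -L debug")

if __name__ == "__main__":
    print(check_tls_agreement("guacd-port: 4822\n", SAMPLE_COMMAND))
```

Run it with the real guacamole.properties contents and the actual guacd command line; an empty list means the two ends agree on whether SSL/TLS is used, not that the handshake will succeed.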


guacd with SSL

2020-07-05 Thread Henri Alves de Godoy
I promise it's my last question for today ;-)

When I put the certificate settings in guacd, I have in the log:

Jul  5 20:00:34 guacd[14248]: Guacamole proxy daemon (guacd) version 1.2.0
started
Jul  5 20:00:34 guacd[14248]: Communication will require SSL/TLS.
Jul  5 20:00:34 guacd[14248]: Using PEM keyfile
/etc/pki/tls/certs/cert-key.pem
Jul  5 20:00:34 guacd[14248]: Using certificate file
/etc/httpd/certs/cert-final.pem
Jul  5 20:00:34 guacd[14248]: Listening on host 127.0.0.1, port 4822

However, when establishing a connection to Windows via RDP, I can't, and
this appears in the log:

guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed
guacd[14248]: ERROR:Unable to set up SSL/TLS: SSL accept failed

Any tips on what might be happening?

Thank you

-- 
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Fone: (19) 3701-6682


Re: Websocket messages

2020-07-05 Thread Henri Alves de Godoy
That's right, Nick.

I upgraded Tomcat to 8.5.57 and the messages stopped. No errors
displayed.

I conclude then that this was what was missing.

Thanks again.

Henri

On Sun, Jul 5, 2020 at 16:25, Nick Couchman
wrote:

> On Sun, Jul 5, 2020 at 3:14 PM Henri Alves de Godoy
>  wrote:
>
>> Hi Nick,
>>
>> The tomcat version is Apache Tomcat/7.0.76.
>>
>>
> I can't remember, but this version of Tomcat may not support WebSockets,
> or at least may not be compatible with Guacamole's implementation of it.
> You might try a later version and see if that resolves the issue.
>
>
>> The web console does not show any message, as the RDP connection with
>> Windows 10 is occurring without error. I can login without problems.
>>
>>
> You'll have to check the Network tab of the developer console and see what
> status code is received when it tries to open the websocket.
>
>
>> But from what it shows in the log, it's happening without websockets.
>>
>> I also put the option on guacamole.properties
>>
>> enable-websocket: true
>>
>
> This isn't a valid option and will have no effect.
>
> -Nick
>
>>

-- 
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Fone: (19) 3701-6682


Re: Websocket messages

2020-07-05 Thread Henri Alves de Godoy
Hi Nick,

The tomcat version is Apache Tomcat/7.0.76.

The web console does not show any message, as the RDP connection with
Windows 10 is occurring without error. I can login without problems.

But from what it shows in the log, it's happening without websockets.

I also put the option on guacamole.properties

enable-websocket: true

Thanks !
Henri



On Sun, Jul 5, 2020 at 16:06, Nick Couchman
wrote:

> On Sun, Jul 5, 2020 at 2:57 PM Henri Alves de Godoy
>  wrote:
>
>>
>> Hi all,
>>
>> I need help with the websocket
>>
>> I did the apache 2.4.43 configuration correctly from mod_proxy_wstunnel.so
>>
>>
>>
>> But I still receive the message: server: 15:52:23.715
>> [http-bio-8443-exec-16] INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet
>> - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.
>>
>>
> What version of Tomcat are you running?
>
>
>> I don't know what I'm missing anymore. What can it be ?
>>
>
> You should look in your web browser console to see what messages it is
> displaying when it tries to open the websocket connection.
>
>
>>
>> Is there a sensitive difference in using the websocket or not?
>>
>>
> If you can possibly get WebSockets working you will likely have a lot
> better experience.  It will certainly work without it, but will likely be
> noticeably better with it.
>
> -Nick
>
>>

-- 
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Fone: (19) 3701-6682


Re: Websocket messages

2020-07-05 Thread Nick Couchman
On Sun, Jul 5, 2020 at 2:57 PM Henri Alves de Godoy
 wrote:

>
> Hi all,
>
> I need help with the websocket
>
> I did the apache 2.4.43 configuration correctly from mod_proxy_wstunnel.so
>
>
>
> But I still receive the message: server: 15:52:23.715
> [http-bio-8443-exec-16] INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet
> - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.
>
>
What version of Tomcat are you running?


> I don't know what I'm missing anymore. What can it be ?
>

You should look in your web browser console to see what messages it is
displaying when it tries to open the websocket connection.


>
> Is there a sensitive difference in using the websocket or not?
>
>
If you can possibly get WebSockets working you will likely have a lot
better experience.  It will certainly work without it, but will likely be
noticeably better with it.

-Nick

>


Websocket messages

2020-07-05 Thread Henri Alves de Godoy
Hi all,

I need help with the websocket

I did the apache 2.4.43 configuration correctly from mod_proxy_wstunnel.so


But I still receive the message: server: 15:52:23.715
[http-bio-8443-exec-16] INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet
- Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.

I don't know what I'm missing anymore. What can it be ?

Is there a sensitive difference in using the websocket or not?

The configuration follows:


Order allow,deny
Allow from all
ProxyPass http://server:8080/guacamole/ flushpackets=on
ProxyPassReverse http://server:8080/guacamole/


 
Order allow,deny
Allow from all
ProxyPass ws://server:8080/guacamole/websocket-tunnel
ProxyPassReverse ws://server:8080/guacamole/websocket-tunnel
 

Thank you !

-- 
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Fone: (19) 3701-6682


FW:

2020-07-05 Thread Tushar Jain
Hello,

 

I migrated from guacamole-1.0.0 to guacamole-1.2.0 on Ubuntu 18.04. But my 
remoteapp on Windows server 2019,  is getting disconnected as soon as I 
click/move the mouse over the remote app.

 

I did the following steps 

 

1. Ensure all required dependencies are in place for 1.2.0

 

sudo apt install -y libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev

Note: It did not accept libpng12-dev as per guacamole manual

sudo apt install -y libavcodec-dev libavformat-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev

2. stop tomcat and guacd

 

3. remove existing guacamole-server directory

sudo rm -r /etc/guacamole-server-1.0.0

4.  Install guacamole server 1.2.0 in /etc/

sudo tar -xzf guacamole-server-1.2.0.tar.gz

cd guacamole-server-1.2.0/

sudo ./configure --with-init-dir=/etc/init.d

sudo make

sudo make install

sudo ldconfig

sudo update-rc.d guacd defaults

5. Remove guacamole.war and guacamole/ from /var/lib/tomcat8/webapps

 

6. Copy guacamole.war to tomcat8 

cp guacamole-1.2.0.war /var/lib/tomcat8/webapps/guacamole.war

 

7. Restart tomcat8 and guacd

 

Tomcat8 logs:

Sun Jul 05 18:19:25 IST 2020 WARN: Establishing SSL connection without server's 
identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ 
and 5.7.6+ requirements SSL connection must be established by default if 
explicit option isn't set. For compliance with existing applications not using 
SSL the verifyServerCertificate property is set to 'false'. You need either to 
explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide 
truststore for server certificate verification.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.ibatis.ognl.OgnlRuntime 
(file:/etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.2.0.jar) to method 
java.util.Collections$EmptySet.isEmpty()
WARNING: Please consider reporting this to the maintainers of 
org.apache.ibatis.ognl.OgnlRuntime
WARNING: Use --illegal-access=warn to enable warnings of further illegal 
reflective access operations
WARNING: All illegal access operations will be denied in a future release
18:19:35.948 [http-nio-8080-exec-3] INFO  o.a.g.r.auth.AuthenticationService - 
User "username" successfully authenticated from 45.127.44.89.
Sun Jul 05 18:19:36 IST 2020 WARN: Establishing SSL connection without server's 
identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ 
and 5.7.6+ requirements SSL connection must be established by default if 
explicit option isn't set. For compliance with existing applications not using 
SSL the verifyServerCertificate property is set to 'false'. You need either to 
explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide 
truststore for server certificate verification.
18:19:37.431 [http-nio-8080-exec-1] INFO  o.a.g.environment.LocalEnvironment - 
GUACAMOLE_HOME is "/etc/guacamole".
18:19:38.401 [http-nio-8080-exec-3] INFO  o.a.g.tunnel.TunnelRequestService - 
User "username" connected to connection "1".
18:19:57.172 [Thread-4] INFO  o.a.g.tunnel.TunnelRequestService - User 
"username" disconnected from connection "1". Duration: 18768 milliseconds

 

Error in syslog

guacd[10659]: segfault at 7f3488003e20 ip 7f3488003e20 sp 7f3476141d48 
error 15

Please suggest where I could have gone wrong.

 

Thanks in advance

-Tushar

