Re: How to get client IP address ?

2024-04-27 Thread Stephan von Krawczynski
Really, people talking about security and mentioning firewall in terms of
securing a service have not done their homework. Else they should have
understood that the most vital part in security is securing services as an
immanent part of their design by using a libwrap approach or an authentication
of user/ip tuples.
Why not use firewall for that? Because it burns cpu resources looking in
_every_ packet instead of the ones meant for the service to be secured.
The XXX from openssh - just to give an example - removed the libwrap code (few
lines) in favour of telling people to use keys. For me it is pretty obvious
that this can only be done if you want to open up backdoors that cannot make
it through libwrap for its code simpleness. It is obvious that people really
having to deal with security like router vendors weren't quite of the same
opinion. Take a look at a mikrotik config to mention a good example and see
how they in fact implemented a libwrap type of immanent service security for
every service in the box.
Use IP filters when needed, but don't pipe all your traffic through a (cpu
driven) firewall, because you only hurt the performance.
Therefore your statement that a good job was done here cannot be held up,
because they completely failed to even think about the client ip.
No matter what you want to do with it in the end.

--
Regards,
Stephan



Re: How to get client IP address ?

2024-04-26 Thread Sean Hulbert

It's easy when you know how!

Guacamole is very well thought out; Mike and team have done an
exceptional job. However, we customize Guacamole to do what we want it to
do, strip out the code not used, then harden it with FIPS 140-2. I merely
gave examples of what you could do; besides, you should be using some type
of SIEM anyway as part of your security posture. I hope you find what
you are looking for.




*Thank You*
Sean Hulbert
*Founder / CEO*


*Security Centric Inc.*
A Cybersecurity Virtualization Enablement Company
/StormCloud Gov, Protected CUI Environment!/


Industry's most secure virtual desktops!


*/FedRAMP MIL4 in process (RAR)/*
System Award Management
*CAGE: 8AUV4*
*SAM ID: UMJLJ8A7BMT3*

AFCEA San Francisco Chapter President
If you have heard of a hacker by name, he/she has failed, fear the 
hacker you haven’t heard of!


CONFIDENTIALITY NOTICE: This communication with its contents may contain 
confidential and/or legally privileged information. It is solely for the 
use of the intended recipient(s). Unauthorized interception, review, use 
or disclosure is prohibited and may violate applicable laws including 
the Electronic Communications Privacy Act. If you are not the intended 
recipient, please contact the sender and destroy all copies of the 
communication. Content within this email communication is not legally 
binding as a contract and no promises are guaranteed unless in a formal 
contract outside this email communication.


Therefore, let him who desires peace prepare for war!!!

Epitoma Rei Militaris

-
To unsubscribe, e-mail:user-unsubscr...@guacamole.apache.org
For additional commands, e-mail:user-h...@guacamole.apache.org


Re: How to get client IP address ?

2024-04-26 Thread Stephan von Krawczynski
You are aware that the talk is about a piece of information (IP) the basic
service (indeed apache) has naturally.
Your explanation alone shows how broken by design the thing is. You need a
logfile, a database, a script and a layer 7 firewall for obtaining an IP?
And then you call it easy. Gimme a break...





Re: How to get client IP address ?

2024-04-26 Thread Sean Hulbert

This is easy,

1. Use a SIEM on the NGINX or Apache log files and set your trigger to look
for the API token.

2. Parse the log file directly using bash (awk, sed, if/fi/else/then), then pull
the IP address.

3. Create a new table in the Guacamole database, then add a variable to
the connection info page; take option 2 and inject the IP into the new
table to be displayed.

4. Put a Layer 7 firewall in front of the Guacamole system and capture
all data streams to and from it (assuming this is external use).




*Thank You*
Sean Hulbert
*Founder / CEO*




Re: How to get client IP address ?

2024-04-26 Thread Nick Couchman
On Fri, Apr 26, 2024 at 6:47 AM Molina de la Iglesia, Manuel
 wrote:

> Hello,
>
> After following the provided documentation, I cannot find a solution to
> get the real client IP.
>
> I have my application (PHP) on the same Guacamole Server, this application
> gets the user token:
>
> [image: image.png]
>
> The Tomcat log (after applying the following pattern on the server.xml valve) I
> use: %{x-forwarded-for}i %l %u %t %r %s %b
>
> The log is OK (it displays the user IP)
>
> [image: image.png]
>
>
This does not look like the Tomcat log, this looks like a log for httpd or
Nginx, which means *that* is getting your client IP address. Do you have
your Proxy configured to pass the X-Forwarded-For header through to Tomcat?

-Nick



Re: How to get client IP address ?

2024-04-26 Thread Molina de la Iglesia, Manuel
Hello,

After following the provided documentation, I cannot find a solution to get
the real client IP.

I have my application (PHP) on the same Guacamole Server, this application
gets the user token:

[image: image.png]

The Tomcat log (after applying the following pattern on the server.xml valve) I
use: %{x-forwarded-for}i %l %u %t %r %s %b

The log is OK (it displays the user IP)

[image: image.png]

But the Guacamole log still displays the application IP (which in this case runs
on the same server)

[image: image.png]
Any suggestions?
Thanks

*Manel Molina*

*manuel.molina-de-la-igle...@veolia.com*

*Cybersecurity Department*

Ciutat de L’Aigua (D38)

Paseo de la Zona Franca, 48
08038 Barcelona / Spain

www.veolia.com





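Two things in the thread above are worth seeing as working code rather than prose: Nick's question about whether the proxy passes X-Forwarded-For through to Tomcat, and Sean's step 2 (pull the client IP for a given token straight out of the access log). The Python below is an added example written for this page; it is not code from the thread, from the Guacamole project or from Tomcat. It reads lines in the exact valve pattern Manuel quotes (%{x-forwarded-for}i %l %u %t %r %s %b), resolves the real client address from the header the way a proxy-aware valve should, and then maps each session token seen in a request line to the client addresses it was used from. The log lines, the proxy addresses, the token values and the trusted networks are all constructed for the example; the connection peer is passed in as a parameter because this particular pattern does not log it.

```python
import ipaddress
import re
from typing import Dict, Iterable, Optional, Sequence, Set

# Access-log pattern from the thread (Tomcat AccessLogValve):
#   %{x-forwarded-for}i %l %u %t %r %s %b
# The first field is the raw X-Forwarded-For header ("-" when absent). A header
# may hold a comma-separated chain with spaces, so it is matched non-greedily up
# to the fixed "ident user [time]" fields that follow it.
LOG_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# The session token appears as a query parameter in the request line
# (the token values in the sample below are constructed).
TOKEN_RE = re.compile(r'[?&]token=([0-9A-Fa-f]+)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def resolve_client_ip(peer: str, xff: Optional[str], trusted: Sequence) -> str:
    """Pick the address to treat as the real client.

    peer    - TCP peer of the connection as Tomcat saw it (your proxy, or the
              caller itself when nothing sits in between)
    xff     - raw X-Forwarded-For value, or None / "-"
    trusted - ip_network objects for the proxies you operate

    Each proxy appends the address it received the request from, so the chain
    is walked from the right: a trusted hop vouches for the entry to its left,
    and the first untrusted entry is the client. Anything left of that was
    written by the client and is ignored. If the peer itself is not one of our
    proxies, the header is ignored entirely.
    """
    def is_trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in net for net in trusted)
        except ValueError:
            return False

    if not is_trusted(peer) or not xff or xff == "-":
        return peer
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer  # malformed entry: distrust the whole chain
    return peer  # only our own proxies listed; the peer is the best we have


def client_ips_by_token(lines: Iterable[str], peer: str, trusted: Sequence) -> Dict[str, Set[str]]:
    """Sean's step 2 done safely: map each token found in a request line to the
    client addresses it was used from, after resolving X-Forwarded-For."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = TOKEN_RE.search(rec["request"])
        if m:
            seen.setdefault(m.group(1), set()).add(
                resolve_client_ip(peer, rec["xff"], trusted))
    return seen


# Constructed sample: Tomcat sits behind a reverse proxy at 10.0.0.5, with an
# optional edge proxy at 10.0.0.1; both networks are ours.
TRUSTED = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("10.0.0.0/8")]
PEER = "10.0.0.5"
SAMPLE_LOG = [
    # Plain request: the proxy appended the browser's address.
    '203.0.113.7 - - [26/Apr/2024:14:02:11 +0200] "GET /guacamole/api/session/data/postgresql/connections?token=DEADBEEF01 HTTP/1.1" 200 512',
    # Same browser sent its own X-Forwarded-For first; the proxy appended the truth.
    '198.51.100.9, 203.0.113.7 - - [26/Apr/2024:14:02:12 +0200] "GET /guacamole/api/session/data/postgresql/connections?token=DEADBEEF01 HTTP/1.1" 200 512',
    # Two proxies: the edge (10.0.0.1) added the client, the inner one added the edge.
    '192.0.2.44, 10.0.0.1 - - [26/Apr/2024:14:05:40 +0200] "GET /guacamole/api/session/tunnels?token=CAFEF00D02 HTTP/1.1" 200 64',
    # No header at all (e.g. a local application calling Tomcat directly).
    '- - - [26/Apr/2024:14:06:01 +0200] "GET /guacamole/ HTTP/1.1" 200 1831',
    'not an access log line',
]

if __name__ == "__main__":
    for token, ips in client_ips_by_token(SAMPLE_LOG, PEER, TRUSTED).items():
        print(token, sorted(ips))
```

The right-to-left walk is the same rule Tomcat's RemoteIpValve applies when the connection peer matches its internalProxies/trustedProxies patterns, and it is why the valve must be told which proxies to trust: without that, the leftmost entry is whatever the browser chose to send. Manuel's symptom (the Guacamole log showing the application's own address) is what you get when the caller reaches Tomcat without a trusted hop adding the header, or when Tomcat has not been configured to honour it. Two practical notes: add %a to the pattern so the peer is in the log rather than an assumption, and remember that an access log which carries session tokens in request lines is itself sensitive and should be readable only by the people who need it.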


Re: How to get client IP address ?

2024-04-21 Thread Nick Couchman
On Sun, Apr 21, 2024 at 5:18 PM Ivanmarcus 
wrote:

> Stephan,
>
> Having been around here for a while I'd be very surprised to find code
> contributions simply 'ignored'. If you look at Guacamole's development
> history I think you'd see that contributions are welcomed, and where
> they address a need and/or fit the project well they are incorporated.
>
> Naturally there would be discussion, and it *may* be that some
> contributions are not [immediately] accepted, however they would not be
> discarded out of hand for no reason. Perhaps this has been your
> experience of other projects but please don't anticipate it here.
>
>
Yes, completely agree. There is definitely scrutiny of changes and
discussion around it, and a rather robust review process. So, while changes
will not be discarded out of hand, for no reason, they will also not be
blindly accepted.


> Otherwise it's my view (and clearly that of many others) that Guacamole
> is not a 'mediocre' product. It has its flaws and no doubt could be
> improved, but being derogatory about something is not especially
> productive and rarely a good way to effect change.
>
> Thus I wonder if you might spend a little time looking closely at
> Guacamole's development and how/why it works the way it does presently?
> As an active project with good interaction and hard working developers,
> input from experienced coders would be gratefully received. However I
> suggest the usual way to go about changing something is first to become
> involved, become 'known' by your contributions, to gain better knowledge
> of the issues and direction facing the project, and thence be able to
> effect positive and cohesive change...
>
>
+1

I would love to see the community of active contributors, both developers
and supporters on the mailing list, grow to include a greater number and
more diverse population.

-Nick


Re: How to get client IP address ?

2024-04-21 Thread Ivanmarcus

Stephan,

Having been around here for a while I'd be very surprised to find code 
contributions simply 'ignored'. If you look at Guacamole's development 
history I think you'd see that contributions are welcomed, and where 
they address a need and/or fit the project well they are incorporated.


Naturally there would be discussion, and it *may* be that some 
contributions are not [immediately] accepted, however they would not be 
discarded out of hand for no reason. Perhaps this has been your 
experience of other projects but please don't anticipate it here.


Otherwise it's my view (and clearly that of many others) that Guacamole 
is not a 'mediocre' product. It has its flaws and no doubt could be 
improved, but being derogatory about something is not especially 
productive and rarely a good way to effect change.


Thus I wonder if you might spend a little time looking closely at 
Guacamole's development and how/why it works the way it does presently?
As an active project with good interaction and hard working developers, 
input from experienced coders would be gratefully received. However I 
suggest the usual way to go about changing something is first to become 
involved, become 'known' by your contributions, to gain better knowledge 
of the issues and direction facing the project, and thence be able to 
effect positive and cohesive change...



On 22/04/24 08:06, Stephan von Krawczynski wrote:

You may get/see some patch from me to achieve what I want to do with guacamole,
and I expect it to be ignored. I take it as documented then and it may help
further readers along their way.
Often people deny to see how they can make a very good product out of their
mediocre one, unfortunately.





Re: How to get client IP address ?

2024-04-21 Thread Stephan von Krawczynski
On Sun, 21 Apr 2024 07:12:36 -0400
Nick Couchman  wrote:

> I'll keep this response shorter.
> 
> It seems unlikely we're going to come to an understanding or agreement on
> how Guacamole should be implemented. The great thing is that Guacamole is
> open source, and it sounds like you have some software development
> experience, so you can fork the source code and modify it to suit your
> needs and design philosophy, and even contribute that code back to the
> community, if you're so inclined.
> 
> -Nick

You're right in that manner that I am not the type of guy that stops what he
is doing only because code is in the way.
Still you should be aware that I am not forking such a monster only to change
few lines of code in it.
You may get/see some patch from me to achieve what I want to do with guacamole,
and I expect it to be ignored. I take it as documented then and it may help
further readers along their way.
Often people deny to see how they can make a very good product out of their 
mediocre one, unfortunately. 

-- 
Regards,
Stephan





Re: How to get client IP address ?

2024-04-21 Thread Stephan von Krawczynski
Hi Joachim,

I fail to see how your application invalidates my request for a minimal
reorganisation of the whole authentication setup.
My basic criticism is not that guacamole can do something (or a lot of things)
itself. I am only not seeing a basic design that allows _simple_ setups as
well as extensions not seen today.
All I am telling is I would very much prefer a simple interface that parts the
core guacamole from such extensions (of authentication or your type) in a way
that the most basic function (user authentication) can be done in the most
simple way. And although everything is very complex now even Nick seems unable
to portray a simple way to authenticate a n-tuple (username,pw,ip). And I
might well assume he knows guacamole very in-depth.

-- 
Regards,
Stephan



On Sun, 21 Apr 2024 08:16:54 +0200
"Joachim Lindenberg"  wrote:

> Hi Stephan,
> I'd agree if authentication were the only goal of the API. However it also
> allows to authorize users, and to provide (including create) configuration
> data entirely not in the standard database. I visualized that capability and
> how I use it in
> https://software.lindenberg.one/backup/en/documentation/guacamole-integration.
> I am not telling it cannot be done differently, but asking just for
> authentication is too limiting. Regards, Joachim
> 
> -Original Message-
> From: Stephan von Krawczynski
> Sent: Sunday, 21 April 2024 00:16
> To: user@guacamole.apache.org
> Subject: Re: How to get client IP address ?
> 
> On Sat, 20 Apr 2024 15:52:58 -0400
> Nick Couchman  wrote:
> 
> > >
> > >
> > > > I believe the issue that Stephan is describing is that, when the user
> > > > logs in to Guacamole, and the remote LDAP server that is authenticating
> > > > the user logs a client IP address, it should log the IP address of the
> > > > browser (far end client) and not the IP address of the Guacamole Client
> > > > (tomcat) system.
> > > > I'm just trying to get clarity from Stephan on whether this is
> > > > what he's actually trying to do and why.
> > > >
> > > > -Nick
> > >
> > > Yes, Nick, you are exactly on the right track here. And I am really
> > > not in a logging question, but truly in the authentication process
> > > where I want to know the far end client.
> > >
> > >
> > After looking at this a bit more, I cannot find a way, at least in the
> > Apache LDAP API that we use, to configure a client IP or send any sort
> > of a message that will pass that information through to the client, so
> > I'm not sure how feasible this actually is. RADIUS has the NAS IP
> > designed specifically for this type of scenario, but I'm not finding
> > any sort of feature similar to NAS IP that allows for this kind of
> > messaging.
> >
> > -Nick
> 
> Hello Nick,
> 
> first of all, thank you for looking into the issue. So please let me ask
> this as a real question and no offence. Why does the project _at all_ use a
> rather complicated API for authentication instead of "outsourcing" the
> function into a simple called hook (call it a script), and let this
> implement the wanted api to ldap, mysql, radius or just about anything that
> might be needed. Still in the end an authentication is no more than giving
> parameters (like username, password, or client ip or whatever the caller
> (i.e. guacamole) has) and getting the simple answer: yes (authenticated) or
> no (login failed). If you cut off the whole process at this point the whole
> story gets a lot more flexible, as anyone can then implement his needed hook
> (script) for his needs. You may then distribute such hooks inside the
> project for standard APIs like ldap or the like - or leave it to the users
> to make/find their own. To me, designing (and coding) software since the
> 1980s, this is a pretty clear design decision to be taken.
> 
> Regards,
> Stephan
> 





Re: How to get client IP address ?

2024-04-21 Thread Nick Couchman
I'll keep this response shorter.

It seems unlikely we're going to come to an understanding or agreement on
how Guacamole should be implemented. The great thing is that Guacamole is
open source, and it sounds like you have some software development
experience, so you can fork the source code and modify it to suit your
needs and design philosophy, and even contribute that code back to the
community, if you're so inclined.

-Nick

On Sun, Apr 21, 2024 at 3:55 AM Stephan von Krawczynski 
wrote:

> On Sat, 20 Apr 2024 21:38:20 -0400
> Nick Couchman  wrote:
>
> > >
> > > Hello Nick,
> > >
> > > first of all, thank you for looking into the issue. So please let me
> > > ask this as a real question and no offence.
> > >
> >
> > None taken, perfectly fine to ask this.
> >
> >
> > > Why does the project _at all_ use a rather complicated API for
> > > authentication instead of "outsourcing" the function into a simple
> > > called hook (call it a script), and let this implement the wanted api
> > > to ldap, mysql, radius or just about anything that might be needed.
> >
> >
> > This is what we already do. Yes, the entire web-based application works
> > through a REST API, but, on the back-end, we take the REST API calls and
> > feed them, through a set of standard interfaces, to a back-end
> > authentication mechanism. The back-end authentication mechanisms are
> > standardized, interchangeable and stackable - you can use one or more in
> > combination, or you can write your own. The mechanisms can also
> > "decorate" other ones, so that you can use a back-end mechanism (like
> > JDBC), but extend its functionality to do something else.
> >
> >
> > > Still in the end an authentication is no more than giving parameters
> > > (like username, password, or client ip or whatever the caller (i.e.
> > > guacamole) has) and getting the simple answer: yes (authenticated) or
> > > no (login failed).
> > >
> >
> > This is really what the REST API does - it allows the front-end web
> > application to 1) receive a list of requirements from the back-end
> > authentication mechanism, 2) provide those requirements, either
> > automatically (client IP) or by user input (username and password), 3)
> > get an answer about whether authentication has succeeded or not, and 4)
> > receive and process data that the client has been authorized to receive
> > (in our case, connections, connection groups, users, groups, etc.).
> >
> >
> > > If you cut off the whole process at this point the whole story gets a
> > > lot more flexible, as anyone can then implement his needed hook
> > > (script) for his needs.
> > >
> >
> > As mentioned above, this is exactly how it works with the authentication
> > extensions.
> >
> >
> > > You may then distribute such hooks inside the project for standard APIs
> > > like ldap or the like - or leave it to the users to make/find their own.
> > >
> >
> > Yep, and Guacamole's design allows for exactly this - and the REST API
> > does not get in the way of that, in fact, it makes it possible to do
> > that without having to change the front-end web application at all.
> >
> > Also, none of the things you've mentioned actually address the issue
> > you've originally raised - no matter what method you use to communicate
> > between the web browser and the server, you still need to be able to
> > provide the data you're interested in providing - IP address, username,
> > and password - to the authentication system (LDAP you specifically
> > mentioned). Unless your solution is to have the client authenticate to
> > LDAP directly and then somehow tell the server that it is authenticated
> > - which has a lot of security risks to it (how does the server know to
> > trust the client when it says it authenticated successfully?) - I don't
> > know of a way, with *LDAP* specifically, to have the client IP address
> > be part of the authentication process, regardless of the language (PHP,
> > ldapsearch, Java/JSP, CGI/Perl...etc.). RADIUS, as a protocol, has those
> > things built into it - the NAS IP field within a RADIUS authentication
> > request allows you to pass the client IP on to the RADIUS server and
> > then allow the RADIUS server to make a determination about
> > authentication success or failure based on that in combination with the
> > other information asked and provided (RADIUS secret, username, password,
> > one-time-password, etc.).
> >
> > So does Kerberos - in fact, Kerberos actually does exactly what is
> > mentioned above - establishes a trusted relationship between KDC,
> > Server/Service, and Client, such that the client can authenticate and
> > then reliably tell the server that it should trust the client because
> > they share information that makes it trustworthy. And so Kerberos also
> > has a way of factoring the client system into the authentication
> > process, in addition to the username and password. At some point I will
> > probably 

Re: How to get client IP address ?

2024-04-21 Thread Stephan von Krawczynski
On Sat, 20 Apr 2024 21:38:20 -0400
Nick Couchman  wrote:

> >
> > Hello Nick,
> >
> > first of all, thank you for looking into the issue. So please let me ask
> > this
> > as a real question and no offence.
> >  
> 
> None taken, perfectly fine to ask this.
> 
> 
> > Why does the project _at all_ use a rather complicated API for
> > authentication
> > instead of "outsourcing" the function into a simple called hook (call it a
> > script), and let this implement the wanted api to ldap, mysql, radius or
> > just
> > about anything that might be needed.  
> 
> 
> This is what we already do. Yes, the entire web-based application works
> through a REST API, but, on the back-end, we take the REST API calls and
> feed them, through a set of standard interfaces, to a back-end
> authentication mechanism. The back-end authentication mechanisms are
> standardized, interchangeable and stackable - you can use one or more in
> combination, or you can write your own. The mechanisms can also "decorate"
> other ones, so that you can use a back-end mechanism (like JDBC), but
> extend its functionality to do something else.
> 
> 
> > Still in the end an authentication is no
> > more than giving parameters (like username, password, or client ip or
> > whatever the caller (i.e. guacamole) has) and getting the simple answer:
> > yes
> > (authenticated) or no (login failed).
> >  
> 
> This is really what the REST API does - it allows the front-end web
> application to 1) receive a list of requirements from the back-end
> authentication mechanism, 2) provide those requirements, either
> automatically (client IP) or by user input (username and password), 3) get
> an answer about whether authentication has succeeded or not, and 4) receive
> and process data that the client has been authorized to receive (in our
> case, connections, connection groups, users, groups, etc.).
> 
> 
> > If you cut off the whole process at this point the whole story gets a lot
> > more
> > flexible, as anyone can then implement his needed hook (script) for his
> > needs.
> >  
> 
> As mentioned above, this is exactly how it works with the authentication
> extensions.
> 
> 
> > You may then distribute such hooks inside the project for standard APIs
> > like
> > ldap or the like - or leave it to the users to make/find their own.
> >  
> 
> Yep, and Guacamole's design allows for exactly this - and the REST API does
> not get in the way of that, in fact, it makes it possible to do that
> without having to change the front-end web application at all.
> 
> Also, none of the things you've mentioned actually address the issue you've
> originally raised - no matter what method you use to communicate between
> the web browser and the server, you still need to be able to provide the
> data you're interested in providing - IP address, username, and password -
> to the authentication system (LDAP you specifically mentioned). Unless your
> solution is to have the client authenticate to LDAP directly and then
> somehow tell the server that it is authenticated - which has a lot of
> security risks to it (how does the server know to trust the client when it
> says it authenticated successfully?) - I don't know of a way, with *LDAP*
> specifically, to have the client IP address be part of the authentication
> process, regardless of the language (PHP, ldapsearch, Java/JSP,
> CGI/Perl...etc.). RADIUS, as a protocol, has those things built into it -
> the NAS IP field within a RADIUS authentication request allows you to pass
> the client IP on to the RADIUS server and then allow the RADIUS server to
> make a determination about authentication success or failure based on that
> in combination with the other information asked and provided (RADIUS
> secret, username, password, one-time-password, etc.).
> 
> So does Kerberos - in fact, Kerberos actually does exactly what is
> mentioned above - establishes a trusted relationship between KDC,
> Server/Service, and Client, such that the client can authenticate and then
> reliably tell the server that it should trust the client because they share
> information that makes it trustworthy. And so Kerberos also has a way of
> factoring the client system into the authentication process, in addition to
> the username and password. At some point I will probably take a crack at a
> Kerberos extension or configuration that does this, which also allows for
> doing very seamless authentication with no need for entering credentials if
> you're already logged into a client where you have a valid Kerberos ticket.
> 
> If you're also just looking for a way to factor a client IP address into
> the authentication process, but it doesn't have to be linked directly to
> the username or password, there are ways to do that, as well:
> * Have a front-end proxy or Web Application Firewall filter based on IP
> address.
> * The 1.6.0 version of Guacamole Client will have an extension that allows
> for banning IP addresses that repeatedly fail 

Re: How to get client IP address ?

2024-04-20 Thread Nick Couchman
>
> Hello Nick,
>
> first of all, thank you for looking into the issue. So please let me ask
> this
> as a real question and no offence.
>

None taken, perfectly fine to ask this.


> Why does the project _at all_ use a rather complicated API for
> authentication
> instead of "outsourcing" the function into a simple called hook (call it a
> script), and let this implement the wanted api to ldap, mysql, radius or
> just
> about anything that might be needed.


This is what we already do. Yes, the entire web-based application works
through a REST API, but, on the back-end, we take the REST API calls and
feed them, through a set of standard interfaces, to a back-end
authentication mechanism. The back-end authentication mechanisms are
standardized, interchangeable and stackable - you can use one or more in
combination, or you can write your own. The mechanisms can also "decorate"
other ones, so that you can use a back-end mechanism (like JDBC), but
extend its functionality to do something else.


> Still in the end an authentication is no
> more than giving parameters (like username, password, or client ip or
> whatever the caller (i.e. guacamole) has) and getting the simple answer:
> yes
> (authenticated) or no (login failed).
>

This is really what the REST API does - it allows the front-end web
application to 1) receive a list of requirements from the back-end
authentication mechanism, 2) provide those requirements, either
automatically (client IP) or by user input (username and password), 3) get
an answer about whether authentication has succeeded or not, and 4) receive
and process data that the client has been authorized to receive (in our
case, connections, connection groups, users, groups, etc.).


> If you cut off the whole process at this point the whole story gets a lot
> more
> flexible, as anyone can then implement his needed hook (script) for his
> needs.
>

As mentioned above, this is exactly how it works with the authentication
extensions.


> You may then distribute such hooks inside the project for standard APIs
> like
> ldap or the like - or leave it to the users to make/find their own.
>

Yep, and Guacamole's design allows for exactly this - and the REST API does
not get in the way of that, in fact, it makes it possible to do that
without having to change the front-end web application at all.

Also, none of the things you've mentioned actually address the issue you've
originally raised - no matter what method you use to communicate between
the web browser and the server, you still need to be able to provide the
data you're interested in providing - IP address, username, and password -
to the authentication system (LDAP you specifically mentioned). Unless your
solution is to have the client authenticate to LDAP directly and then
somehow tell the server that it is authenticated - which has a lot of
security risks to it (how does the server know to trust the client when it
says it authenticated successfully?) - I don't know of a way, with *LDAP*
specifically, to have the client IP address be part of the authentication
process, regardless of the language (PHP, ldapsearch, Java/JSP,
CGI/Perl...etc.). RADIUS, as a protocol, has those things built into it -
the NAS IP field within a RADIUS authentication request allows you to pass
the client IP on to the RADIUS server and then allow the RADIUS server to
make a determination about authentication success or failure based on that
in combination with the other information asked and provided (RADIUS
secret, username, password, one-time-password, etc.).

So does Kerberos - in fact, Kerberos actually does exactly what is
mentioned above - establishes a trusted relationship between KDC,
Server/Service, and Client, such that the client can authenticate and then
reliably tell the server that it should trust the client because they share
information that makes it trustworthy. And so Kerberos also has a way of
factoring the client system into the authentication process, in addition to
the username and password. At some point I will probably take a crack at a
Kerberos extension or configuration that does this, which also allows for
doing very seamless authentication with no need for entering credentials if
you're already logged into a client where you have a valid Kerberos ticket.

If you're also just looking for a way to factor a client IP address into
the authentication process, but it doesn't have to be linked directly to
the username or password, there are ways to do that, as well:
* Have a front-end proxy or Web Application Firewall filter based on IP
address.
* The 1.6.0 version of Guacamole Client will have an extension that allows
for banning IP addresses that repeatedly fail authentication. This can be
done, today, using something like fail2ban, but it'll be a bit more
integrated and easy with the extension.
* Write another authentication extension that either allows or disallows
authentication based on IP address or CIDR range.
* The 
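
As an added illustration of the RADIUS mechanism Nick refers to above (example code written for this page, not the Guacamole RADIUS extension's own code): an RFC 2865 Access-Request that carries User-Name, a hidden User-Password and the NAS-IP-Address attribute, together with a parser that validates the length fields and recovers the address. The shared secret, username, password and the 198.51.100.23 address are constructed sample values.

```python
import hashlib
import os
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# Packet code and attribute types from RFC 2865; everything else in this file
# is a constructed example, not Guacamole's RADIUS extension.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    octets, then XOR each block with MD5(secret + previous block), where the
    first "previous block" is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password still occupies one block
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, counting this 2-octet header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying User-Name, User-Password and NAS-IP-Address."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable in real use
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = attribute(ATTR_USER_NAME, username.encode("utf-8"))
    attrs += attribute(ATTR_USER_PASSWORD,
                       hide_password(password.encode("utf-8"), secret, authenticator))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)
    length = HEADER_LEN + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value}),
    rejecting the length inconsistencies a server must not silently accept."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    authenticator = packet[4:HEADER_LEN]
    attrs: Dict[int, bytes] = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


def nas_ip_from_request(packet: bytes) -> str:
    """Dotted-quad NAS-IP-Address from an Access-Request, or ValueError."""
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or ATTR_NAS_IP_ADDRESS not in attrs:
        raise ValueError("not an Access-Request carrying NAS-IP-Address")
    return str(IPv4Address(attrs[ATTR_NAS_IP_ADDRESS]))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample secret
    ra = bytes(range(16))  # fixed only so the run is reproducible
    pkt = build_access_request(42, secret, "samho", "s3cret", "198.51.100.23", ra)
    code, ident, auth, attrs = parse_packet(pkt)
    print(code, ident, nas_ip_from_request(pkt),
          reveal_password(attrs[ATTR_USER_PASSWORD], secret, auth))
```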

Re: How to get client IP address ?

2024-04-20 Thread Stephan von Krawczynski
On Sat, 20 Apr 2024 15:52:58 -0400
Nick Couchman  wrote:

> >
> >  
> > > I believe the issue that Stephan is describing is that, when the user  
> > logs  
> > > in to Guacamole, and the remote LDAP server that is authenticating the  
> > user  
> > > logs a client IP address, it should log the IP address of the browser  
> > (far  
> > > end client) and not the IP address of the Guacamole Client (tomcat)  
> > system.  
> > > I'm just trying to get clarity from Stephan on whether this is what he's
> > > actually trying to do and why.
> > >
> > > -Nick  
> >
> > Yes, Nick, you are exactly on the right track here. And I am really not in
> > a
> > logging question, but truly in the authentication process where I want to
> > know the far end client.
> >
> >  
> After looking at this a bit more, I cannot find a way, at least in the
> Apache LDAP API that we use, to configure a client IP or send any sort of a
> message that will pass that information through to the client, so I'm not
> sure how feasible this actually is. RADIUS has the NAS IP designed
> specifically for this type of scenario, but I'm not finding any sort of
> feature similar to NAS IP that allows for this kind of messaging.
> 
> -Nick

Hello Nick,

first of all, thank you for looking into the issue. So please let me ask this
as a real question and no offence.
Why does the project _at all_ use a rather complicated API for authentication
instead of "outsourcing" the function into a simple called hook (call it a
script), and let this implement the wanted api to ldap, mysql, radius or just
about anything that might be needed. Still in the end an authentication is no
more than giving parameters (like username, password, or client ip or
whatever the caller (i.e. guacamole) has) and getting the simple answer: yes
(authenticated) or no (login failed).
If you cut off the whole process at this point the whole story gets a lot more
flexible, as anyone can then implement his needed hook (script) for his needs.
You may then distribute such hooks inside the project for standard APIs like
ldap or the like - or leave it to the users to make/find their own.
To me, designing (and coding) software since the 1980s, this is a pretty clear
design decision to be taken.

Regards,
Stephan

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: How to get client IP address ?

2024-04-20 Thread Nick Couchman
>
>
> > I believe the issue that Stephan is describing is that, when the user
> logs
> > in to Guacamole, and the remote LDAP server that is authenticating the
> user
> > logs a client IP address, it should log the IP address of the browser
> (far
> > end client) and not the IP address of the Guacamole Client (tomcat)
> system.
> > I'm just trying to get clarity from Stephan on whether this is what he's
> > actually trying to do and why.
> >
> > -Nick
>
> Yes, Nick, you are exactly on the right track here. And I am really not in
> a
> logging question, but truly in the authentication process where I want to
> know the far end client.
>
>
After looking at this a bit more, I cannot find a way, at least in the
Apache LDAP API that we use, to configure a client IP or send any sort of a
message that will pass that information through to the client, so I'm not
sure how feasible this actually is. RADIUS has the NAS IP designed
specifically for this type of scenario, but I'm not finding any sort of
feature similar to NAS IP that allows for this kind of messaging.

-Nick


Re: How to get client IP address ?

2024-04-18 Thread Stephan von Krawczynski
On Thu, 18 Apr 2024 10:18:03 -0400
Nick Couchman  wrote:

> I believe the issue that Stephan is describing is that, when the user logs
> in to Guacamole, and the remote LDAP server that is authenticating the user
> logs a client IP address, it should log the IP address of the browser (far
> end client) and not the IP address of the Guacamole Client (tomcat) system.
> I'm just trying to get clarity from Stephan on whether this is what he's
> actually trying to do and why.
> 
> -Nick

Yes, Nick, you are exactly on the right track here. And I am really not in a
logging question, but truly in the authentication process where I want to
know the far end client.

-- 
Regards,
Stephan


Re: How to get client IP address ?

2024-04-18 Thread Stephan von Krawczynski
On Thu, 18 Apr 2024 09:47:21 -0400
Nick Couchman  wrote:

> On Thu, Apr 18, 2024 at 8:24 AM Stephan von Krawczynski 
> wrote:
> 
> > Hello all,
> >
> > I have a setup of guacamole where the user authentication is done by ldap
> > (openldap slapd). Is there an easy way to hand the client IP over to ldap
> > bind
> > requests?
> >
> >  
> Maybe you can provide a little more detail on what you're trying to
> accomplish? I'm sure it's possible, but probably not without modifications
> to the code. Also, it'd be interesting to know why this is a desired or
> required configuration?
> 
> -Nick

Hello Nick,

think of the client IP as a kind of trigger to allow or deny certain
authentication procedures. A "username"/"PW" tuple is a bit weak for present-day
authentication; maybe you should expect more parameters in the future.
I think one should be able to select from these inside the authenticator - be
it ldap or even a simple script provided with an array of parameters answering
yes or no in the end as exit code.

-- 
Regards,
Stephan




Re: How to get client IP address ?

2024-04-18 Thread Nick Couchman
On Thu, Apr 18, 2024 at 10:00 AM Molina de la Iglesia, Manuel
 wrote:

> Hi,
>
> Similar situation: I have an application that authenticates the user, then
> a connection ID, and "builds" the URL with the token, which is where the user
> goes. The IP that appears on the log is the address of the server where the
> intermediate application is.
>
>
I think this is a different issue - what you're describing is that the IP
address that is logged for a user login or connection within Guacamole is
the IP address of either the proxy (Nginx, httpd, etc.) or the Guacamole
Client system, rather than the actual client (browser) IP address. This is
covered in the manual under this section:

https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

I believe the issue that Stephan is describing is that, when the user logs
in to Guacamole, and the remote LDAP server that is authenticating the user
logs a client IP address, it should log the IP address of the browser (far
end client) and not the IP address of the Guacamole Client (tomcat) system.
I'm just trying to get clarity from Stephan on whether this is what he's
actually trying to do and why.

-Nick


Re: How to get client IP address ?

2024-04-18 Thread Molina de la Iglesia, Manuel
Hi,

Similar situation: I have an application that authenticates the user, then a
connection ID, and "builds" the URL with the token, which is where the user
goes. The IP that appears on the log is the address of the server where the
intermediate application is.

Any suggestions?
Thanks

*Manel Molina*

*manuel.molina-de-la-igle...@veolia.com*

*Cybersecurity Department*

Ciutat de L’Aigua (D38)

Paseo de la Zona Franca, 48
08038 Barcelona / Spain

www.veolia.com





On Thu, 18 Apr 2024 at 15:50, Nick Couchman ()
wrote:

> On Thu, Apr 18, 2024 at 8:24 AM Stephan von Krawczynski <
> skraw...@ithnet.com> wrote:
>
>> Hello all,
>>
>> I have a setup of guacamole where the user authentication is done by ldap
>> (openldap slapd). Is there an easy way to hand the client IP over to ldap
>> bind
>> requests?
>>
>>
> Maybe you can provide a little more detail on what you're trying to
> accomplish? I'm sure it's possible, but probably not without modifications
> to the code. Also, it'd be interesting to know why this is a desired or
> required configuration?
>
> -Nick
>


Re: How to get client IP address ?

2024-04-18 Thread Nick Couchman
On Thu, Apr 18, 2024 at 8:24 AM Stephan von Krawczynski 
wrote:

> Hello all,
>
> I have a setup of guacamole where the user authentication is done by ldap
> (openldap slapd). Is there an easy way to hand the client IP over to ldap
> bind
> requests?
>
>
Maybe you can provide a little more detail on what you're trying to
accomplish? I'm sure it's possible, but probably not without modifications
to the code. Also, it'd be interesting to know why this is a desired or
required configuration?

-Nick


Re: How to get client ip address on guacamole

2019-06-01 Thread Mike Jumper
On Fri, May 31, 2019 at 8:29 PM Manoj Patil  wrote:

> Ok
> Is there any way to pass this IP to the xrdp session on Linux?
>

No, I don't believe so. For Windows RDP, yes, but I'm not sure about XRDP.

For Windows RDP, I think the best option would be the "CLIENTNAME"
environment variable, set via Guacamole's "client-name" parameter. It
matches the semantics of what you're looking for, and would be easy to use
if supported:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#rdp-session-settings

... but I don't believe XRDP supports this. The next best alternative would
be some sort of custom static virtual channel (SVC), which Guacamole also
supports for RDP:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#rdp-device-redirection
(see the "static-channels" parameter)

... but I don't believe XRDP supports this either.

It is possible that XRDP does have this support and I'm just not familiar
enough with current XRDP. If the XRDP folks have a similar mailing list,
forum, etc., I'd recommend reaching out to them.

- Mike


Re: How to get client ip address on guacamole

2019-05-31 Thread Manoj Patil
Ok
Is there any way to pass this IP to the xrdp session on Linux?

On Fri, 31 May 2019, 23:39 Mike Jumper wrote:

> On Fri, May 31, 2019 at 10:46 AM Manoj Patil
> wrote:
>
>> So that means I cannot catch the actual client IP address, is that right?
>>
>> Any ideas on how to catch this client LAN IP address and pass it through to
>> the xrdp session?
>>
>
> As far as your server is concerned, the WAN IP of the firewall *is* the
> client IP address. There is no other client IP address outside that
> firewall. The LAN address is strictly local and only has meaning inside the
> firewalled network. It will not be visible nor usable outside that local
> network. No external service will be able to report the user's IP address
> as anything but the WAN IP of their NAT'ing firewall.
>
> - Mike
>
>


Re: How to get client ip address on guacamole

2019-05-31 Thread Mike Jumper
On Fri, May 31, 2019 at 10:46 AM Manoj Patil  wrote:

> So that means I cannot catch the actual client IP address, is that right?
>
> Any ideas on how to catch this client LAN IP address and pass it through to
> the xrdp session?
>

As far as your server is concerned, the WAN IP of the firewall *is* the
client IP address. There is no other client IP address outside that
firewall. The LAN address is strictly local and only has meaning inside the
firewalled network. It will not be visible nor usable outside that local
network. No external service will be able to report the user's IP address
as anything but the WAN IP of their NAT'ing firewall.

- Mike


Re: How to get client ip address on guacamole

2019-05-31 Thread Manoj Patil
So that means I cannot catch the actual client IP address, is that right?

Any ideas on how to catch this client LAN IP address and pass it through to
the xrdp session?

On Fri, 31 May 2019, 19:55 Mike Jumper wrote:

> On Thu, May 30, 2019 at 8:52 PM Manoj Patil wrote:
>
>> Dear Mike,
>>
>> In my case firewall is not perform NAT. means NAT not configured in
>> firewall.
>>
>
> If:
>
> 1) A user with IP address X is connecting behind some sort of firewall
> device (router?).
> 2) The firewall itself has a WAN port with its own IP address Y (in your
> case 223.196.84.130)
> 3) When the user connects to a web application, that web application sees
> IP address Y, not X
> 4) Communication between the server and Y is transparently rerouted
> internally to X by the firewall
>
> then the firewall is performing NAT.
>
> Does the above not describe what your firewall is doing?
>
> - Mike
>
>


Re: How to get client ip address on guacamole

2019-05-31 Thread Mike Jumper
On Thu, May 30, 2019 at 8:52 PM Manoj Patil  wrote:

> Dear Mike,
>
> In my case the firewall does not perform NAT, meaning NAT is not configured
> in the firewall.
>

If:

1) A user with IP address X is connecting behind some sort of firewall
device (router?).
2) The firewall itself has a WAN port with its own IP address Y (in your
case 223.196.84.130)
3) When the user connects to a web application, that web application sees
IP address Y, not X
4) Communication between the server and Y is transparently rerouted
internally to X by the firewall

then the firewall is performing NAT.

Does the above not describe what your firewall is doing?

- Mike


Re: How to get client ip address on guacamole

2019-05-30 Thread Manoj Patil
Dear Mike,

In my case the firewall does not perform NAT, meaning NAT is not configured in the firewall.

> On 31-May-2019, at 12:00 AM, Mike Jumper  wrote:
> 
> On Mon, May 27, 2019 at 11:43 PM Manoj Patil wrote:
> hi,
> 
> I have done all the settings as per the document but it shows the firewall WAN
> IP, not the machine's local IP address
> 
> If the firewall in question is performing network address translation (NAT), 
> then this is really all that can be expected. The IP address visible to 
> servers on the internet will only be the WAN IP of the router. It is 
> (thankfully) not possible for a server to see past NAT. As far as your server 
> is concerned, that WAN IP address is the correct address of the client.
> 
> 
> my server.xml setting
> ...
> 
> Assuming those addresses are correct for your reverse proxy, your server.xml 
> looks fine.
> 
> My nginx setting is——
> ...
> 
> Your Nginx configuration looks fine as well.
>  
> 
> Username  Start time           Duration   Connection name  Remote host
> samho     2019-05-28 12:07:55  0 seconds  samta_ho         223.196.84.130
> 
> The above is a public IP. If the above public IP is that of a firewall in 
> front of your user (not your reverse proxy), then this is the behavior 
> expected. You are not going to be able to determine the internal IP of a user 
> behind a firewall performing NAT. You will only be able to determine the IP 
> of the machine actually connecting to your reverse proxy, which in this case 
> would be the WAN port of the router.
> 
> - Mike
> 



Re: How to get client ip address on guacamole

2019-05-30 Thread Mike Jumper
On Mon, May 27, 2019 at 11:43 PM Manoj Patil  wrote:

> hi,
>
> I have done all the settings as per the document but it shows the firewall WAN
> IP, not the machine's local IP address
>

If the firewall in question is performing network address translation
(NAT), then this is really all that can be expected. The IP address visible
to servers on the internet will only be the WAN IP of the router. It is
(thankfully) not possible for a server to see past NAT. As far as your
server is concerned, that WAN IP address is the correct address of the
client.


> my server.xml setting
> ...
>

Assuming those addresses are correct for your reverse proxy, your
server.xml looks fine.

> My nginx setting is——
> ...
>

Your Nginx configuration looks fine as well.


>
> Username  Start time           Duration   Connection name  Remote host
> samho     2019-05-28 12:07:55  0 seconds  samta_ho         223.196.84.130
>

The above is a public IP. If the above public IP is that of a firewall in
front of your user (not your reverse proxy), then this is the behavior
expected. You are not going to be able to determine the internal IP of a
user behind a firewall performing NAT. You will only be able to determine
the IP of the machine actually connecting to your reverse proxy, which in
this case would be the WAN port of the router.

- Mike
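
As an added example (written for this page; not Guacamole, Tomcat or nginx code) that ties Mike's point about the RemoteIpValve and NAT to Nick's earlier suggestion of an authentication decision by IP address or CIDR range: derive the far-end client address the way the valve does with its internalProxies list, honouring X-Forwarded-For only when the TCP peer is a trusted proxy, then apply an allowlist/denylist. The trusted proxy addresses are the two from Manoj's internalProxies pattern; the policy networks and header values are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

# Trusted reverse proxies: the two addresses Manoj listed in his RemoteIpValve
# internalProxies pattern. The rest of this file is constructed sample data.
TRUSTED_PROXIES = ["192.168.80.162", "172.16.20.37"]


def in_any(addr, networks: Iterable[str]) -> bool:
    """True if addr lies in any of the given networks (a bare address is a /32)."""
    return any(addr in ip_network(net, strict=False) for net in networks)


def effective_client_ip(peer_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Derive the client address the way Tomcat's RemoteIpValve does.

    The header is honoured only when the TCP peer is one of our proxies:
    anyone can send X-Forwarded-For, so a value from an untrusted peer proves
    nothing and the peer address itself is returned. When the peer is trusted,
    walk the header right to left, skipping our own proxies, and stop at the
    first address that is not one of them. For a user behind a NAT firewall
    that address is still the firewall's WAN address (Mike's point above);
    nothing on the server side can see past NAT.
    """
    peer = ip_address(peer_addr)
    if not x_forwarded_for or not in_any(peer, trusted_proxies):
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            # Garbage in the chain: trust none of it (this example's choice).
            return str(peer)
        if not in_any(addr, trusted_proxies):
            return str(addr)
    # Only our own proxies in the chain: fall back to the peer (this example's choice).
    return str(peer)


def ip_allowed(client_ip: str, allow: Iterable[str], deny: Iterable[str]) -> bool:
    """Deny wins over allow; an address matching neither list is refused."""
    addr = ip_address(client_ip)
    if in_any(addr, deny):
        return False
    return in_any(addr, allow)


def authenticate_by_ip(peer_addr: str, x_forwarded_for: Optional[str],
                       allow: Iterable[str], deny: Iterable[str],
                       trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> Tuple[bool, str]:
    """The allow/deny step an authentication extension could take alongside the
    username/password check; returns (decision, address the decision was made on)."""
    client = effective_client_ip(peer_addr, x_forwarded_for, trusted_proxies)
    return ip_allowed(client, allow, deny), client


if __name__ == "__main__":
    allow = ["203.0.113.0/24", "10.10.0.0/16"]
    deny = ["203.0.113.66"]
    # Relayed by nginx on 192.168.80.162 for a browser at 203.0.113.7.
    print(authenticate_by_ip("192.168.80.162", "203.0.113.7, 172.16.20.37", allow, deny))
    # Direct hit on Tomcat from an untrusted host that forged the header.
    print(authenticate_by_ip("198.51.100.4", "10.10.5.5", allow, deny))
```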


Re: How to get client ip address on guacamole

2019-05-30 Thread Manoj Patil
Please reply

On Wed, 29 May 2019, 09:05 Manoj Patil wrote:

> Sorry that the message was resent multiple times, due to interruptions in the network.
>
> I have done all the settings as per the document you provided but it shows the
> firewall IP, not the client LAN IP. What have I done wrong? Please give me the resolution.
>
> Also, how do I pass this IP to the xrdp session?
>
> On Tue, 28 May 2019, 22:31 Mike Jumper 
>> Manoj, please stop resending the same message every few hours.
>>
>> - Mike
>>
>>
>> On Tue, May 28, 2019 at 2:58 AM Manoj Patil 
>> wrote:
>>
>>>
>>>
>>> Begin forwarded message:
>>>
>>> *From: *Manoj Patil 
>>> *Subject: **Re: How to get client ip address on guacamole*
>>> *Date: *28 May 2019 at 12:13:18 PM IST
>>> *To: *user@guacamole.apache.org
>>>
>>> hi,
>>>
>>> I have done all the settings as per the document but it shows the firewall WAN
>>> IP, not the machine's local IP address
>>>
>>> my server.xml setting
>>>
>>> >>
>>> internalProxies="192\.168\.80\.162|172\.16\.20\.37"
>>>
>>> remoteIpHeader="x-forwarded-for"
>>>
>>> remoteIpProxiesHeader="x-forwarded-by"
>>>
>>> protocolHeader="x-forwarded-proto"
>>>
>>> protocolHeaderHttpsValue="https" />
>>> >>
>>> showReport="false"
>>>
>>> showServerInfo="false"/>
>>>
>>>
>>> My nginx setting is——
>>>
>>> server {
>>>
>>> listen 80;
>>> listen [::]:80;
>>> server_name gucserver;
>>> return 301 https://$server_name$request_uri;
>>>
>>>
>>> location /acecbs/ {
>>> proxy_pass http://192.168.80.162:8080/guacamole/;
>>> proxy_buffering off;
>>> proxy_http_version 1.1;
>>> proxy_set_header X-Forwarded-Host $host;
>>> proxy_set_header X-Forwarded-Server $host;
>>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>> proxy_set_header Upgrade $http_upgrade;
>>> proxy_set_header Connection $http_connection;
>>> proxy_cookie_path /guacamole/ /acecbs/;
>>> access_log off;
>>> }
>>>
>>>
>>> Username  Start time           Duration    Connection name  Remote host
>>> samho     2019-05-28 12:07:55  0 seconds   samta_ho         223.196.84.130
>>> samho     2019-05-28 12:07:49  0 seconds   samta_ho         223.196.84.130
>>> samho     2019-05-28 12:07:37  0 seconds   samta_ho         223.196.84.130
>>> samho     2019-05-28 11:37:15  28 seconds  samta_ho         223.196.84.130
>>>
>>> On 26-May-2019, at 11:24 PM, Mike Jumper  wrote:
>>>
>>> On Sun, May 26, 2019, 10:14 Manoj Patil  wrote:
>>>
>>>> Dear,
>>>>
>>>> I see the history tab and table, but in that the remote host displays the
>>>> firewall IP, not the actual machine IP, and I want the actual machine IP.
>>>>
>>>
>>>> I used Guacamole (tomcat+nginx) + xrdp (Linux host).
>>>>
>>>
>>>
>>> http://guacamole.apache.org/doc/gug/proxying-guacamole.html#tomcat-remote-ip
>>>
>>>
>>>
>>>


Re: How to get client ip address on guacamole

2019-05-28 Thread Manoj Patil
Sorry that the message was resent multiple times, due to interruptions in the network.

I have done all the settings as per the document you provided but it shows the
firewall IP, not the client LAN IP. What have I done wrong? Please give me the resolution.

Also, how do I pass this IP to the xrdp session?

On Tue, 28 May 2019, 22:31 Mike Jumper wrote:

> Manoj, please stop resending the same message every few hours.
>
> - Mike
>
>
> On Tue, May 28, 2019 at 2:58 AM Manoj Patil  wrote:
>
>>
>>
>> Begin forwarded message:
>>
>> *From: *Manoj Patil 
>> *Subject: **Re: How to get client ip address on guacamole*
>> *Date: *28 May 2019 at 12:13:18 PM IST
>> *To: *user@guacamole.apache.org
>>
>> hi,
>>
>> I have done all the settings as per the document but it shows the firewall WAN
>> IP, not the machine's local IP address
>>
>> my server.xml setting
>>
>> >
>> internalProxies="192\.168\.80\.162|172\.16\.20\.37"
>>
>> remoteIpHeader="x-forwarded-for"
>>
>> remoteIpProxiesHeader="x-forwarded-by"
>>
>> protocolHeader="x-forwarded-proto"
>>
>> protocolHeaderHttpsValue="https" />
>> > showReport="false"
>>
>> showServerInfo="false"/>
>>
>>
>> My nginx setting is——
>>
>> server {
>>
>> listen 80;
>> listen [::]:80;
>> server_name gucserver;
>> return 301 https://$server_name$request_uri;
>>
>>
>> location /acecbs/ {
>> proxy_pass http://192.168.80.162:8080/guacamole/;
>> proxy_buffering off;
>> proxy_http_version 1.1;
>> proxy_set_header X-Forwarded-Host $host;
>> proxy_set_header X-Forwarded-Server $host;
>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> proxy_set_header Upgrade $http_upgrade;
>> proxy_set_header Connection $http_connection;
>> proxy_cookie_path /guacamole/ /acecbs/;
>> access_log off;
>> }
>>
>>
>> Username  Start time           Duration    Connection name  Remote host
>> samho     2019-05-28 12:07:55  0 seconds   samta_ho         223.196.84.130
>> samho     2019-05-28 12:07:49  0 seconds   samta_ho         223.196.84.130
>> samho     2019-05-28 12:07:37  0 seconds   samta_ho         223.196.84.130
>> samho     2019-05-28 11:37:15  28 seconds  samta_ho         223.196.84.130
>>
>> On 26-May-2019, at 11:24 PM, Mike Jumper  wrote:
>>
>> On Sun, May 26, 2019, 10:14 Manoj Patil  wrote:
>>
>>> Dear,
>>>
>>> I see the history tab and table, but in the remote host column it displays the
>>> firewall IP, not the actual machine IP, and I want the actual machine IP.
>>>
>>
>>> I used Guacamole (tomcat+nginx) + xrdp (linux host).
>>>
>>
>>
>> http://guacamole.apache.org/doc/gug/proxying-guacamole.html#tomcat-remote-ip
>>
>>
>>
>>


Re: How to get client ip address on guacamole

2019-05-28 Thread Mike Jumper
Manoj, please stop resending the same message every few hours.

- Mike


On Tue, May 28, 2019 at 2:58 AM Manoj Patil  wrote:

>
>
> Begin forwarded message:
>
> *From: *Manoj Patil 
> *Subject: **Re: How to get client ip address on guacamole*
> *Date: *28 May 2019 at 12:13:18 PM IST
> *To: *user@guacamole.apache.org
>
> hi,
>
> I have done all the settings as per the document, but it shows the firewall WAN
> IP, not the machine's local IP address.
>
> my server.xml setting:
>
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
> internalProxies="192\.168\.80\.162|172\.16\.20\.37"
> remoteIpHeader="x-forwarded-for"
> remoteIpProxiesHeader="x-forwarded-by"
> protocolHeader="x-forwarded-proto"
> protocolHeaderHttpsValue="https" />
> <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false"
> showServerInfo="false"/>
>
>
> My nginx setting is:
>
> server {
>
> listen 80;
> listen [::]:80;
> server_name gucserver;
> return 301 https://$server_name$request_uri;
>
>
> location /acecbs/ {
> proxy_pass http://192.168.80.162:8080/guacamole/;
> proxy_buffering off;
> proxy_http_version 1.1;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection $http_connection;
> proxy_cookie_path /guacamole/ /acecbs/;
> access_log off;
> }
>
>
> Username  Start time           Duration    Connection name  Remote host
> samho     2019-05-28 12:07:55  0 seconds   samta_ho         223.196.84.130
> samho     2019-05-28 12:07:49  0 seconds   samta_ho         223.196.84.130
> samho     2019-05-28 12:07:37  0 seconds   samta_ho         223.196.84.130
> samho     2019-05-28 11:37:15  28 seconds  samta_ho         223.196.84.130
>
> On 26-May-2019, at 11:24 PM, Mike Jumper  wrote:
>
> On Sun, May 26, 2019, 10:14 Manoj Patil  wrote:
>
>> Dear,
>>
>> I see the history tab and table, but in the remote host column it displays the
>> firewall IP, not the actual machine IP, and I want the actual machine IP.
>>
>
>> I used Guacamole (tomcat+nginx) + xrdp (linux host).
>>
>
>
> http://guacamole.apache.org/doc/gug/proxying-guacamole.html#tomcat-remote-ip
>
>
>
>


Re: How to get client ip address on guacamole

2019-05-28 Thread Manoj Patil
hi,

I have done all the settings as per the document, but it shows the firewall WAN IP, not
the machine's local IP address.

my server.xml setting:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="192\.168\.80\.162|172\.16\.20\.37"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
protocolHeaderHttpsValue="https" />
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false"
showServerInfo="false"/>

My nginx setting is:

server {

listen 80;
listen [::]:80;
server_name gucserver;
return 301 https://$server_name$request_uri;


location /acecbs/ {
proxy_pass http://192.168.80.162:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_cookie_path /guacamole/ /acecbs/;
access_log off;
}


Username  Start time           Duration    Connection name  Remote host
samho     2019-05-28 12:07:55  0 seconds   samta_ho         223.196.84.130
samho     2019-05-28 12:07:49  0 seconds   samta_ho         223.196.84.130
samho     2019-05-28 12:07:37  0 seconds   samta_ho         223.196.84.130
samho     2019-05-28 11:37:15  28 seconds  samta_ho         223.196.84.130

> On 26-May-2019, at 11:24 PM, Mike Jumper  wrote:
> 
> On Sun, May 26, 2019, 10:14 Manoj Patil wrote:
> Dear,
> 
> I see the history tab and table, but in the remote host column it displays the
> firewall IP, not the actual machine IP, and I want the actual machine IP.
> 
> I used Guacamole (tomcat+nginx) + xrdp (linux host).
> 
> http://guacamole.apache.org/doc/gug/proxying-guacamole.html#tomcat-remote-ip 
> 
> 



Re: How to get client ip address on guacamole

2019-05-26 Thread Mike Jumper
On Sun, May 26, 2019, 10:14 Manoj Patil  wrote:

> Dear,
>
> I see the history tab and table, but in the remote host column it displays the
> firewall IP, not the actual machine IP, and I want the actual machine IP.
>

> I used Guacamole (tomcat+nginx) + xrdp (linux host).
>

http://guacamole.apache.org/doc/gug/proxying-guacamole.html#tomcat-remote-ip
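The document linked above configures Tomcat's RemoteIpValve, whose address selection decides what Guacamole records as the remote host. The following is an added example that re-implements that selection in Python for illustration; it is not Tomcat or Guacamole code. The internalProxies pattern is the one posted in the thread, and every client address is constructed. It shows three things a practitioner wants to check: the header is only believed when the TCP peer is a listed proxy (so a client cannot spoof its own X-Forwarded-For), the rightmost non-proxy hop wins, and when nginx sits behind a NAT firewall the only address nginx ever sees (and appends with $proxy_add_x_forwarded_for) is the firewall's WAN address, so the valve reports that address exactly as the history table in the thread shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Taken from the internalProxies value posted in the thread (nginx host and a
# second internal hop); the regex is applied as a full match, as Tomcat does.
THREAD_INTERNAL_PROXIES = r"192\.168\.80\.162|172\.16\.20\.37"


@dataclass
class Resolved:
    remote_addr: str                                        # what request.getRemoteAddr() will return
    forwarded_by: List[str] = field(default_factory=list)   # trusted proxies -> remoteIpProxiesHeader
    forwarded_for: List[str] = field(default_factory=list)  # hops left of the client -> rewritten remoteIpHeader


def resolve_client_ip(peer_addr: str,
                      x_forwarded_for: Optional[str],
                      internal_proxies: str = THREAD_INTERNAL_PROXIES,
                      trusted_proxies: Optional[str] = None) -> Resolved:
    """Model of RemoteIpValve's address selection (re-implementation for
    illustration, not Tomcat's own code)."""
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    def is_internal(ip: str) -> bool:
        return internal.fullmatch(ip) is not None

    def is_trusted(ip: str) -> bool:
        return trusted is not None and trusted.fullmatch(ip) is not None

    # The header is only consulted when the TCP peer itself is a known proxy;
    # a client connecting directly cannot inject an address this way.
    if not (is_internal(peer_addr) or is_trusted(peer_addr)):
        return Resolved(remote_addr=peer_addr)

    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    result = Resolved(remote_addr=peer_addr)
    idx = len(hops) - 1
    # Walk the chain right to left, peeling off proxies until a non-proxy appears.
    while idx >= 0:
        hop = hops[idx]
        result.remote_addr = hop
        if is_internal(hop):
            pass                                   # internal hops vanish from the record
        elif is_trusted(hop):
            result.forwarded_by.insert(0, hop)     # trusted hops are reported in X-Forwarded-By
        else:
            idx -= 1                               # this hop is the client; stop here
            break
        idx -= 1
    # Anything left of the client stays in X-Forwarded-For for the application.
    result.forwarded_for = hops[:idx + 1]
    return result


if __name__ == "__main__":
    # The NAT case from the thread: nginx (172.16.20.37) only ever sees the
    # firewall's WAN address, so that is all it can append to the header.
    print(resolve_client_ip("172.16.20.37", "223.196.84.130"))
    # A LAN client whose address survives to nginx is reported correctly.
    print(resolve_client_ip("172.16.20.37", "10.20.30.40"))
```

The practical consequence is that no valve or nginx header setting can recover an address that never reaches nginx; if the firewall source-NATs LAN clients, the LAN address has to be logged on the firewall or the NAT removed for that path.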


Re: How to get client ip address on guacamole

2019-05-26 Thread Manoj Patil
Dear,

I see the history tab and table, but in the remote host column it displays the
firewall IP, not the actual machine IP, and I want the actual machine IP.

I used Guacamole (tomcat+nginx) + xrdp (linux host).

Please see the screenshot.



> On 26-May-2019, at 8:55 PM, Manoj Patil  wrote:
> 
> Yes, I am required to get the client IP address at the xrdp server.
> 
> My scenario is
> 
> Both Guacamole and X11rdp are installed on the same server and I want to get the
> client IP on that server.
> 
> On Sun, 26 May 2019, 16:33 Nick Couchman wrote:
> On Sun, May 26, 2019 at 3:03 AM Manoj Patil wrote:
> We use Linux xrdp through Guacamole, and for security reasons we capture the visiting
> client IP and store it in my database, and afterwards I only allow a specific IP
> to visit.
> 
> 
> Guacamole already captures this information for you - if you use the JDBC 
> module, Guacamole captures connection history records.  It isn't clear from 
> your question whether you need it within a specific place on the XRDP side of 
> the connection, but if all you need is to know when a certain user/IP 
> establishes a connection, it is already contained in the Guacamole database.
> 
> http://guacamole.apache.org/doc/gug/administration.html#connection-history 
> 
> 
> -Nick



Re: How to get client ip address on guacamole

2019-05-26 Thread Manoj Patil
Yes, I am required to get the client IP address at the xrdp server.

My scenario is

Both Guacamole and X11rdp are installed on the same server and I want to get the
client IP on that server.

On Sun, 26 May 2019, 16:33 Nick Couchman wrote:

> On Sun, May 26, 2019 at 3:03 AM Manoj Patil wrote:
>
>> We use Linux xrdp through Guacamole, and for security reasons we capture the
>> visiting client IP and store it in my database, and afterwards I only allow a
>> specific IP to visit.
>>
>>
> Guacamole already captures this information for you - if you use the JDBC
> module, Guacamole captures connection history records.  It isn't clear from
> your question whether you need it within a specific place on the XRDP side
> of the connection, but if all you need is to know when a certain user/IP
> establishes a connection, it is already contained in the Guacamole database.
>
> http://guacamole.apache.org/doc/gug/administration.html#connection-history
>
> -Nick
>


Re: How to get client ip address on guacamole

2019-05-26 Thread Nick Couchman
On Sun, May 26, 2019 at 3:03 AM Manoj Patil  wrote:

> We use Linux xrdp through Guacamole, and for security reasons we capture the
> visiting client IP and store it in my database, and afterwards I only allow a
> specific IP to visit.
>
>
Guacamole already captures this information for you - if you use the JDBC
module, Guacamole captures connection history records.  It isn't clear from
your question whether you need it within a specific place on the XRDP side
of the connection, but if all you need is to know when a certain user/IP
establishes a connection, it is already contained in the Guacamole database.

http://guacamole.apache.org/doc/gug/administration.html#connection-history

-Nick


Re: How to get client ip address on guacamole

2019-05-26 Thread Manoj Patil
We use Linux xrdp through Guacamole, and for security reasons we capture the visiting
client IP and store it in my database, and afterwards I only allow a specific IP
to visit.

Please give me a solution.

 

> On 26-May-2019, at 11:41 AM, Manoj Patil  wrote:
> 
> Because we launch an application from X11rdp, and we need to know who has used
> this application and how many times this IP has visited.
> 
> Please help me with that and give me code to get the IP address.
> 
> 
> 
>> On 26-May-2019, at 11:38 AM, Mike Jumper wrote:
>> 
>> On Sat, May 25, 2019, 22:35 Manoj Patil wrote:
>> Hi Everyone,
>> 
>> Sorry to post a noob question here. I was evaluating Guacamole for one of
>> the requirements we have to RDP into a remote machine and was able to set up
>> the client and server and do RDP to both Windows and Linux machines.
>> 
>> Now I am taking it to the next level. I want to catch or get a client IP address
>> and pass it to the xrdp session
>> 
>> through guacamole+x11rdp.
>> 
>> Can you describe the high-level need behind this? Why do you need the client 
>> IP address within XRDP?
>> 
>> This would be doable with normal Windows RDP leveraging a static virtual 
>> channel, or perhaps through passing the GUAC_CLIENT_ADDRESS token:
>> 
>> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
>>  
>> 
>> 
>> Much of this will depend on how you intend to expose the address within 
>> XRDP, and on whether XRDP supports the parts of the RDP protocol that 
>> could allow it. I suspect it may not.
>> 
>> - Mike
>> 
> 



Re: How to get client ip address on guacamole

2019-05-26 Thread Manoj Patil
Because we launch an application from X11rdp, and we need to know who has used
this application and how many times this IP has visited.

Please help me with that and give me code to get the IP address.



> On 26-May-2019, at 11:38 AM, Mike Jumper  wrote:
> 
> On Sat, May 25, 2019, 22:35 Manoj Patil wrote:
> Hi Everyone,
> 
> Sorry to post a noob question here. I was evaluating Guacamole for one of
> the requirements we have to RDP into a remote machine and was able to set up
> the client and server and do RDP to both Windows and Linux machines.
> 
> Now I am taking it to the next level. I want to catch or get a client IP address
> and pass it to the xrdp session
> 
> through guacamole+x11rdp.
> 
> Can you describe the high-level need behind this? Why do you need the client 
> IP address within XRDP?
> 
> This would be doable with normal Windows RDP leveraging a static virtual 
> channel, or perhaps through passing the GUAC_CLIENT_ADDRESS token:
> 
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
>  
> 
> 
> Much of this will depend on how you intend to expose the address within XRDP, 
> and on whether XRDP supports the parts of the RDP protocol that could 
> allow it. I suspect it may not.
> 
> - Mike
> 



Re: How to get client ip address on guacamole

2019-05-26 Thread Mike Jumper
On Sat, May 25, 2019, 22:35 Manoj Patil  wrote:

> Hi Everyone,
>
> Sorry to post a noob question here. I was evaluating Guacamole for one of
> the requirements we have to RDP into a remote machine and was able to set up
> the client and server and do RDP to both Windows and Linux machines.
>
> Now I am taking it to the next level. I want to catch or get a client IP address
> and pass it to the xrdp session
>
> through guacamole+x11rdp.
>

Can you describe the high-level need behind this? Why do you need the
client IP address within XRDP?

This would be doable with normal Windows RDP leveraging a static virtual
channel, or perhaps through passing the GUAC_CLIENT_ADDRESS token:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

Much of this will depend on how you intend to expose the address within
XRDP, and on whether XRDP supports the parts of the RDP protocol that
could allow it. I suspect it may not.

- Mike