Re: New user, Debian HowTo, some suggestions

[Nick Couchman]

On Thu, Feb 1, 2018 at 3:36 PM, Fabián Rodríguez 
wrote:

> Hello,
>
> Many thanks for this software, it's proving very useful and I am happy I
> was able to replace other similar proprietary software in a particular
> situation I was dealing with.
>
> I'd like to suggest some improvements, I preferred no to use the bug
> tracker yet for this. Here is my short list:
>

Yeah, but if you have requests for improvements, they should go into JIRA.


>
>- In Settings > Users > $USER > Permissions, I'd like to be able to
>set two extra permissions:
>- access sessions History tab
>   - access Active Sessions tab
>
> Can you explain why you think it is useful to have these as separate
permissions?  I guess I can see this for auditing, perhaps, if you want
users that have the ability to only audit connections and connection
history, but I'm curious what your use-case is.


>
>- When using the filter to find connections, I'd like to see which
>Group they belong to (if any). Sometimes I have connections with the same
>name in different groups, the current filtering results don't show group
>membership
>
>
That's because the idea of "groups" is not implemented at all in Guacamole
right now.  There is a current JIRA issue, already, for adding groups to
Guacamole.  See:

https://issues.apache.org/jira/browse/GUACAMOLE-220


>
>- Timezone for each user should be the same as the server's by default
>(or have an option to use the same as the server's)
>- When clicking on a group checkbox, the selection should also include
>all members of the group, either checking or unchecking all boxes. I have
>some large groups (40+ connections) and it would be faster to be able to
>include/exclude all connections in any given group.
>
> This also already has a JIRA issue - I'm not sure that I agree that
checking a top-level box should result in all children being checked -
there are situations where you want to, for example, assign permissions to
a user to access a connection group (load-balanced, maybe) but not give
them any access to the underlying connections.  I do agree that there needs
to be a way to select all children more easily than you can right now.  See:

https://issues.apache.org/jira/browse/GUACAMOLE-181


>- Selecting a connection in a group is not enough to give access, the
>group also needs to be checked which is not obvious (perhaps it should be
>automatic)
>
> This depends on what you're trying to do, but see the point above.  This
behavior is intentional.

>
>
> My recent setup of Guacamole on a Debian server wasn't easy as the
> packages are outdated and some manual configuration was required.
>
> I've shared my notes for Debian server installation here if anyone is
> interested:
>
> https://wiki.debian.org/Guacamole
>

Cool :-).

-Nick

New user, Debian HowTo, some suggestions

[Fabián Rodríguez]

Hello,

Many thanks for this software, it's proving very useful and I am happy I
was able to replace other similar proprietary software in a particular
situation I was dealing with.

I'd like to suggest some improvements, I preferred no to use the bug
tracker yet for this. Here is my short list:

  * In Settings > Users > $USER > Permissions, I'd like to be able to
set two extra permissions:
  o access sessions History tab
  o access Active Sessions tab
  * When using the filter to find connections, I'd like to see which
Group they belong to (if any). Sometimes I have connections with the
same name in different groups, the current filtering results don't
show group membership
  * Timezone for each user should be the same as the server's by default
(or have an option to use the same as the server's)
  * When clicking on a group checkbox, the selection should also include
all members of the group, either checking or unchecking all boxes. I
have some large groups (40+ connections) and it would be faster to
be able to include/exclude all connections in any given group.
  * Selecting a connection in a group is not enough to give access, the
group also needs to be checked which is not obvious (perhaps it
should be automatic)

My recent setup of Guacamole on a Debian server wasn't easy as the
packages are outdated and some manual configuration was required.

I've shared my notes for Debian server installation here if anyone is
interested:

https://wiki.debian.org/Guacamole

Any comments for improvement are most welcome. The goal was to use as
much as Debian provides in terms of official packages and long term use
(and support). I took the opportunity to file a few bug reports in Debian.

Cheers,

F.

-- 
Fabián Rodríguez
http://debian.magicfab.ca

Re: guacamole behind haproxy

[Nick Couchman]

On Thu, Feb 1, 2018 at 7:06 AM, StephenDart  wrote:

> Has anyone got a successful config for haproxy to enable guacamole
> I have a haproxy instance doing ssl offload and reverse proxy, passsing
> /guacamole to the server at x.x.x.x:8080/guacamole
> I can get to the login page and login successfully, but when presenting a
> session, it will produce a 404 after the session is created and a few
> tunnel
> reads, then the session will disconnect.
>
> If directly connected to the guacamole server (bypassing haproxy), i can
> successfully get a session and it is maintained, so something within
> haproxy
> is I presume timing the session out.
> Does anyone run haproxy in front of guacamole and have a config they can
> share or suggest what options are required to allow guacamole to work
> successfully?
>
> I have tried using 0.9.13 and 0.9.14 of guacamole
> Haproxy i have tried 1.6 and 1.7
> with options:
> http-server-close
> timeout tunnel 3600s
> timeout connect 300s
> timeout client 300s
>

You might want to post your full HAProxy configuration; however, it's
important to keep in mind that HTTP is a stateless protocol.  So, no matter
what your timeout options, here, if you don't configure HAProxy for
persistence or session stickiness, each HTTP connection that the web
browser makes has the potential to get redirected to a different back-end
server.  This is likely the reason that you're seeing weird behavior, like
the 404 errors and such, because the initial request gets forwarded to one
back-end server, then the follow-up requests move on to other servers.

This is probably more a question for the HAProxy forums, but I believe
HAProxy supports hash tables of various types that can (attempt to) keep
track of the client and make sure that the requests from the client go on
to the same back-end server.  Because Guacamole Client does not currently
implement any session tracking across multiple Tomcat instances or servers,
you'll need to configure HAProxy appropriately.

-Nick

guacamole behind haproxy

[StephenDart]

Has anyone got a successful config for haproxy to enable guacamole
I have a haproxy instance doing ssl offload and reverse proxy, passsing
/guacamole to the server at x.x.x.x:8080/guacamole
I can get to the login page and login successfully, but when presenting a
session, it will produce a 404 after the session is created and a few tunnel
reads, then the session will disconnect.

If directly connected to the guacamole server (bypassing haproxy), i can
successfully get a session and it is maintained, so something within haproxy
is I presume timing the session out. 
Does anyone run haproxy in front of guacamole and have a config they can
share or suggest what options are required to allow guacamole to work
successfully?

I have tried using 0.9.13 and 0.9.14 of guacamole
Haproxy i have tried 1.6 and 1.7
with options: 
http-server-close
timeout tunnel 3600s
timeout connect 300s
timeout client 300s


200 https://DOMAIN/guacamole/tunnel?connect
200
https://DOMAIN/guacamole/tunnel?read:3b0980ce-262f-4c21-a30e-76e7a2ad4f94:0
200
https://DOMAIN/guacamole/api/session/tunnels/3b0980ce-262f-4c21-a30e-76e7a2ad4f94/activeConnection/connection/sharingProfiles?token=9861B2605E85032EFA752E4EDAEC47DA8C3570E07FF9D3CD6AD92B2C2AF07309
200
https://DOMAIN/guacamole/tunnel?read:3b0980ce-262f-4c21-a30e-76e7a2ad4f94:1
*404
https://DOMAIN/guacamole/tunnel?write:3b0980ce-262f-4c21-a30e-76e7a2ad4f94*
200 https://DOMAIN/guacamole/api/tokens






--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/