Re: Guacamole websockets issues

2019-08-20 Thread Justin Gauthier
I should note that this only seems to happen (frequently) with VNC connections.

I have an RDP connection and an SSH connection to the same host as the VNC 
connection that do not seem to time out, at least not within the 30-40 
minutes of testing I’ve done, just the VNC connection, which can happen 
anywhere between 5-10 minutes after starting the connection.

From: Justin Gauthier 
Reply-To: "user@guacamole.apache.org" 
Date: Tuesday, August 20, 2019 at 9:29 PM
To: "user@guacamole.apache.org" 
Subject: Guacamole websockets issues

Hello,

I am running Guacamole in Kubernetes (using this helm chart 
https://github.com/Just-Insane/apache-guacamole-helm-chart). I am using the 
nginx ingress for ingress into the Guacamole frontend, which uses the Guacamole 
1.0.0 docker container.

I am getting some websocket timeout errors:

01:11:08.155 [http-nio-8080-exec-10] INFO o.a.g.tunnel.TunnelRequestService - User "justin" connected to connection "2".
01:11:08.234 [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User "justin" disconnected from connection "2". Duration: 78 milliseconds
Exception in thread "Thread-166" java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:424)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:309)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:250)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:191)
    at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.sendInstruction(GuacamoleWebSocketTunnelEndpoint.java:152)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.access$200(GuacamoleWebSocketTunnelEndpoint.java:53)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:253)

The nginx ingress does support websockets by default, but their timeouts are 
set to 60 seconds 
(https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#websockets), 
which I have resolved by setting the timeouts on both suggested options to 
3600.

There does not seem to be any specific reason (or time duration) after which 
the connection is closed, and there is nothing that would cause the connection 
between the guacamole frontend and guacd to close prematurely.

When the connection fails, clicking the reconnect button on the prompt 
sometimes succeeds, however it usually fails. I have noticed that doing a hard 
reload of the tab seems to fix the issue for a little while.

Experience tells me that this is likely going to be an issue with the nginx 
setup, but if anyone else has other suggestions, I am interested in hearing 
them.

Thanks,

Justin



Re: Looping with Guacamole+Keycloak

2019-05-30 Thread Justin Gauthier
That’s awesome, you should add a PR for this to the Guacamole GitHub so it can 
be reviewed and hopefully merged into the next release.

Regards,

Justin


From: Yang Yang 
Sent: Thursday, May 30, 2019 2:09:30 AM
To: user@guacamole.apache.org
Cc: mjum...@apache.org; Justin Gauthier; Kevin Martin
Subject: Re: Looping with Guacamole+Keycloak

Hello,

I solved this issue by making a small change to two files for the openid 
extension and rebuilding it:
~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/target/classes/config/openidConfig.js

/**
 * Config block which augments the existing routing, providing special handling
 * for the "id_token=" fragments provided by OpenID Connect.
 */
angular.module('index').config(['$routeProvider',
function indexRouteConfig($routeProvider) {

// Transform "/#/id_token=..." to "/#/?id_token=…"
--$routeProvider.when('/id_token=:response', {
++  $routeProvider.when(‘/_token=:response', {

template   : '',
controller : ['$location', function reroute($location) {
var params = $location.path().substring(1);
$location.url('/');
$location.search(params);
}]

});

}]);
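
Review bot: the added `$routeProvider.when(‘/_token=:response', {` line opens its string with a typographic quote (‘) and closes it with an ASCII one, which will not parse as JavaScript; use `'` on both sides. The comment above still describes "/#/id_token=..." while the pattern is now `/_token=`, so the comment and the route should be brought back in line, with a sentence on which fragment layout the new pattern is meant to match. Of the two files listed, the copy under target/classes is build output, so only the src/main/resources copy needs the change before the rebuild.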


On May 29, 2019, at 21:01, Yang Yang <yy8...@icloud.com> wrote:

Hello,


I am playing with Guacamole 1.0.0 and Keycloak 6.0.1. Following the 
configuration Justin posted in this thread 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/OpenID-KeyCloak-td5345.html,
 I ran into the same problem, can someone help?

When accessing Guacamole, I will be redirected to Keycloak login page, and then 
will be in a loop after typing in valid username/password.  Attached are two 
images presenting two HTTP requests captured from a typical loop.



Thanks,
Yang



Re: OpenID / KeyCloak

2019-04-16 Thread Justin Gauthier
I believe mine are both in VMs, but I have a test implementation with both 
containerized that I can try to get working.

Give me a few hours to try that out and I’ll get back to you.



From: kmartin 
Sent: Tuesday, April 16, 2019 8:45 AM
To: user@guacamole.apache.org
Subject: Re: OpenID / KeyCloak

Thanks a lot Justin.

Unfortunately I have a similar Keycloak config.

My Guacamole and Keycloak are containers. You too?









Re: OpenID-Connect HTTP 500

2018-02-09 Thread Justin Gauthier
Hey Nick,

Thanks for the response!

I suspected as much, unfortunately I am unsure why it’s not seeing the token. 
Like I said, I don’t have anything else that uses OpenID to test the setup.

Hopefully Mike is able to assist when he gets a chance.

Thanks again for the help, it’s greatly appreciated.


From: Nick Couchman <nick.e.couch...@gmail.com>
Sent: Friday, February 9, 2018 8:40:25 AM
To: user@guacamole.apache.org
Subject: Re: OpenID-Connect HTTP 500

On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier <jus...@justin-tech.com> wrote:
The response payload is: {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile_type=id_token_id=guacamole_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}

I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04_token=[TOKEN]
policy=1518147539


Mike can probably provide more precise information, but my guess is that there 
is something about the response being sent back to the Guacamole Session that 
Guacamole is unhappy about - either it isn't seeing the id_token parameter when 
it expects to, or it's in a format it doesn't expect, or something like that.  
I've not used Guacamole with OIDC, so I'm not going to be of very much help, 
here.

-Nick


Re: OpenID-Connect HTTP 500

2018-02-08 Thread Justin Gauthier
I should also note that when in the redirect loop, I can see that the
usual URL of https://guacamole.justin-tech.com/#/ is showing as both
https://guacamole.justin-tech.com/#session. and
https://guacamole.justin-tech.com/#/session.

Thanks again,

Justin

On Thu, 2018-02-08 at 23:37 -0500, Justin Gauthier wrote:
> I have been able to get the redirect from Guacamole to Keycloak to
> work, however, once I login to keycloak, and get redirected back to
> Guacamole, I get put into a redirect loop. It does not look like
> Guacamole is reading the token_id from the URL, and this is causing it
> to report invalid credentials, and refreshing.
> 
> In nginx I see the following in the access log:
> 
> 
> 10.0.1.203 - - [08/Feb/2018:23:14:51 -0500] "GET /auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile_type=id_token_id=guacamole_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F=a7tk6oajbm14p4aa5icuad0c60 HTTP
> 
> 
> With each refresh it is getting a new nonce token.
> 
> Additionally, I can see the id_token in the Guacamole URL, as well as a
> session state and not-before-policy.
> 
> In the POST to https://guacamole.justin-tech.com/api/tokens, I am
> seeing an Invalid login response, with key: invalid login.
> 
> It is expecting name: id_token, type: GUAC_OPENID_TOKEN, and an
> authorizationURI: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile_type=id_token_id=guacamole_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F=e1s34a0epan04mre7qduhpnrho, type:
> INVALID_CREDENTIALS.
> 
> The response payload is: {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile_type=id_token_id=guacamole_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
> 
> I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04_token=[TOKEN]
> policy=1518147539
> 
> I am seeing the following in the localhost_access_logs:
> 
> 10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "GET /guacamole/api/patches HTTP/1.1" 200 352
> 10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "POST /guacamole/api/tokens HTTP/1.1" 403 477
> 
> and here are the logs from catalina.log
> 
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/jquery/2.1.3/dist/jquery.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular/1.3.16/angular.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/lodash/2.4.1/dist/lodash.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-cookies/1.3.16/angular-cookies.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-route/1.3.16/angular-route.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-touch/1.3.16/angular-touch.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/messageformat/1.0.2/messageformat.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate/2.8.0/angular-translate.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-interpolation-messageformat/2.8.0/angular-translate-interpolation-messageformat.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-loader-static-files/2.8.0/angular-translate-loader-static-files.min.js
> Feb 08, 2018 11:27:40 PM org.webjar

Re: OpenID-Connect HTTP 500

2018-02-08 Thread Justin Gauthier
Nick,

I have completed that step, however now I am in a redirect loop.

Once I get home I'll take a look at the logs and provide that information.

Thanks for the help,

Justin


From: Nick Couchman <vn...@apache.org>
Sent: Thursday, February 8, 2018 11:27:05 AM
To: user@guacamole.apache.org
Subject: Re: OpenID-Connect HTTP 500

On Thu, Feb 8, 2018 at 10:00 AM, Justin Gauthier <jus...@justin-tech.com> wrote:
Hello everyone,

I have discovered that I had the openid-redirect-uri incorrectly
specified. That issue has now been resolved, and I get a login screen
now.

Now, when I get that login screen, I can login with credentials stored
in the postgres database, but I do not get redirected to Keycloak. I
see a 403 message with the following information:

{"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}

My understanding is that Guacamole should be redirecting me to Keycloak
to authenticate, and then I should be redirected back to Guacamole with
the authentication token, and it would not ask for the username and
password?

Justin,
Authentication extensions are loaded in alphabetical order, which means the 
OpenID extension is being loaded (and evaluated) after the JDBC extension.  I 
suggest that you rename the OpenID extension to something that will force it to 
load first - when I do this with modules, I usually prefix a number on to them. 
For example, in the GUACAMOLE_HOME/extensions folder, instead of installing it 
as "guacamole-auth-openid-0.9.14.jar", install it as 
"guacamole-auth-0-openid-0.9.14.jar" - the -0 before the -openid will cause it 
to be loaded and evaluated prior to the -jdbc JAR, and perhaps allow the 
redirect to happen properly.

Regards,
Nick