Re: Guacamole websockets issues
I should note that this only seems to happen (frequently) with VNC connections. I have an RDP connection and an SSH connection to the same host as the VNC connection that do not seem to time out, at least not within the 30-40 minutes of testing I’ve done, just the VNC connection, which can happen anywhere between 5-10 minutes after starting the connection.

From: Justin Gauthier
Reply-To: "user@guacamole.apache.org"
Date: Tuesday, August 20, 2019 at 9:29 PM
To: "user@guacamole.apache.org"
Subject: Guacamole websockets issues

Hello,

I am running Guacamole in Kubernetes (using this helm chart https://github.com/Just-Insane/apache-guacamole-helm-chart). I am using the nginx ingress for ingress into the Guacamole frontend. Which uses Guacamole 1.0.0 docker container.

I am getting some websocket timeout errors:

01:11:08.155 [http-nio-8080-exec-10] INFO o.a.g.tunnel.TunnelRequestService - User "justin" connected to connection "2".
01:11:08.234 [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User "justin" disconnected from connection "2". Duration: 78 milliseconds
Exception in thread "Thread-166" java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:424)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:309)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:250)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:191)
    at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.sendInstruction(GuacamoleWebSocketTunnelEndpoint.java:152)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.access$200(GuacamoleWebSocketTunnelEndpoint.java:53)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:253)

The nginx ingress does support websockets by default, but their timeouts are set to 60 seconds. https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#websockets which I have resolved, by setting the timeouts on both suggested options to 3600.

There does not seem to be any specific reason (or time duration) after which the connection is closed, and there is nothing that would cause the connection between the guacamole frontend and guacd to close prematurely.

When the connection fails, clicking the reconnect button on the prompt sometimes succeeds, however it usually fails. I have noticed that doing a hard reload of the tab seems to fix the issue for a little while.

Experience tells me that this is likely going to be an issue with the nginx setup, but if anyone else has other suggestions, I am interested in hearing them.

Thanks,
Justin
Guacamole websockets issues
Hello,

I am running Guacamole in Kubernetes (using this helm chart https://github.com/Just-Insane/apache-guacamole-helm-chart). I am using the nginx ingress for ingress into the Guacamole frontend. Which uses Guacamole 1.0.0 docker container.

I am getting some websocket timeout errors:

01:11:08.155 [http-nio-8080-exec-10] INFO o.a.g.tunnel.TunnelRequestService - User "justin" connected to connection "2".
01:11:08.234 [http-nio-8080-exec-1] INFO o.a.g.tunnel.TunnelRequestService - User "justin" disconnected from connection "2". Duration: 78 milliseconds
Exception in thread "Thread-166" java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:424)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:309)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:250)
    at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:191)
    at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.sendInstruction(GuacamoleWebSocketTunnelEndpoint.java:152)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.access$200(GuacamoleWebSocketTunnelEndpoint.java:53)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:253)

The nginx ingress does support websockets by default, but their timeouts are set to 60 seconds. https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#websockets which I have resolved, by setting the timeouts on both suggested options to 3600.

There does not seem to be any specific reason (or time duration) after which the connection is closed, and there is nothing that would cause the connection between the guacamole frontend and guacd to close prematurely.

When the connection fails, clicking the reconnect button on the prompt sometimes succeeds, however it usually fails. I have noticed that doing a hard reload of the tab seems to fix the issue for a little while.

Experience tells me that this is likely going to be an issue with the nginx setup, but if anyone else has other suggestions, I am interested in hearing them.

Thanks,
Justin
Re: Looping with Guacamole+Keycloak
That’s awesome, you should add a PR for this to the Guacamole GitHub so it can be reviewed and hopefully merged into the next release.

Regards,
Justin

From: Yang Yang
Sent: Thursday, May 30, 2019 2:09:30 AM
To: user@guacamole.apache.org
Cc: mjum...@apache.org; Justin Gauthier; Kevin Martin
Subject: Re: Looping with Guacamole+Keycloak

Hello,

I solved this issue by making a small change to two files for the openid extension and rebuilding it:

~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
~/guacamole-client-1.0.0/extensions/guacamole-auth-openid/target/classes/config/openidConfig.js

/**
 * Config block which augments the existing routing, providing special handling
 * for the "id_token=" fragments provided by OpenID Connect.
 */
angular.module('index').config(['$routeProvider', function indexRouteConfig($routeProvider) {
// Transform "/#/id_token=..." to "/#/?id_token=…"
--$routeProvider.when('/id_token=:response', {
++ $routeProvider.when(‘/_token=:response', {
template : '',
controller : ['$location', function reroute($location) {
var params = $location.path().substring(1);
$location.url('/');
$location.search(params);
}]
});
}]);

On May 29, 2019, at 21:01, Yang Yang <mailto:yy8...@icloud.com> wrote:

Hello,

I am playing with Guacamole 1.0.0 and Keycloak 6.0.1. Following the configuration Justin posted in this thread http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/OpenID-KeyCloak-td5345.html, I ran into the same problem, can someone help?

When accessing Guacamole, I will be redirected to Keycloak login page, and then will be in a loop after typing in valid username/password. Attached are two images presenting two HTTP requests captured from a typical loop.

Thanks,
Yang
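
Review bot: On the "++" line of the openidConfig.js change quoted above, the route string opens with a typographic quote (‘) and closes with an ASCII ', so the line as posted will not parse as JavaScript; use a straight quote on both sides before submitting. The comment directly above the route still documents "/#/id_token=..." while the new pattern is '/_token=:response', so either update the comment or state which fragment the new pattern is meant to match and why the leading "id" was dropped. The second path listed is under target/classes, which looks like build output; a change to the file under src/main/resources followed by a rebuild is what belongs in a PR.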
Re: OpenID / KeyCloak
I believe mine are both in VMs, but I have a test implementation with both containerized that I can try to get working. Give me a few hours to try that out and I’ll get back to you.

From: kmartin
Sent: Tuesday, April 16, 2019 8:45 AM
To: user@guacamole.apache.org
Subject: Re: OpenID / KeyCloak

Thanks a lot Justin. Unfortunately I have similar keycloak config. My Guacamole and Keycloak are containers. You too?

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: OpenID-Connect HTTP 500
Hey Nick,

Thanks for the response! I suspected as much, unfortunately I am unsure why it’s not seeing the token. Like I said, I don’t have anything else that uses OpenID to test the setup. Hopefully Mike is able to assist when he gets a chance.

Thanks again for the help, it’s greatly appreciated.

From: Nick Couchman <nick.e.couch...@gmail.com>
Sent: Friday, February 9, 2018 8:40:25 AM
To: user@guacamole.apache.org
Subject: Re: OpenID-Connect HTTP 500

On Thu, Feb 8, 2018 at 11:37 PM, Justin Gauthier <jus...@justin-tech.com> wrote:

> The response payload is: {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile_type=id_token_id=guacamole_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
>
> I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04_token=[TOKEN] policy=1518147539

Mike can probably provide more precise information, but my guess is that there is something about the response being sent back to the Guacamole Session that Guacamole is unhappy about - either it isn't seeing the id_token parameter when it expects to, or it's in a format it doesn't expect, or something like that. I've not used Guacamole with OIDC, so I'm not going to be of very much help, here.

-Nick
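
Added example, not part of the original thread or of Guacamole's code: a Node.js check for the two possibilities Nick raises above, that the id_token parameter is not where it is expected in the redirect fragment or is not in the expected form. The function names, the example.test hosts, the realm and all claim values are assumptions constructed for illustration.

```javascript
// Added example; every URL, claim and token value below is constructed.

// Decode one base64url JWT segment to an object. No signature check is done.
function decodeSegment(segment) {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Inverse helper, used only to build the constructed sample token.
function encodeSegment(obj) {
    return Buffer.from(JSON.stringify(obj)).toString('base64')
        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Report fragment parameter order and mismatches in the id_token claims.
function inspectRedirect(redirectUrl, expected) {
    // The thread shows both "#session..." and "#/session...": accept either.
    const fragment = new URL(redirectUrl).hash.replace(/^#\/?/, '');
    const params = new URLSearchParams(fragment);
    const names = [...params.keys()];
    // Assumption: a route anchored at "/id_token=" needs id_token first.
    const report = { names, idTokenFirst: names[0] === 'id_token', problems: [] };
    const parts = (params.get('id_token') || '').split('.');
    if (parts.length !== 3) {
        report.problems.push('no well-formed id_token in fragment');
        return report;
    }
    const claims = decodeSegment(parts[1]);
    if (claims.iss !== expected.issuer) report.problems.push('iss mismatch');
    if (![].concat(claims.aud).includes(expected.clientId)) report.problems.push('aud mismatch');
    if (claims.exp * 1000 <= expected.now) report.problems.push('token expired');
    if (!claims.nonce) report.problems.push('nonce missing');
    return report;
}

// Constructed sample: id_token arrives second, after session_state.
const expected = {
    issuer: 'https://keycloak.example.test/auth/realms/demo',
    clientId: 'guacamole',
    now: Date.UTC(2019, 0, 1)
};
const sampleToken = [
    encodeSegment({ alg: 'RS256', typ: 'JWT' }),
    encodeSegment({ iss: expected.issuer, aud: 'guacamole', exp: 2000000000, nonce: 'n-1' }),
    'constructed-signature'
].join('.');
const sampleUrl = 'https://guacamole.example.test/#session_state=s-1&id_token='
    + sampleToken + '&not-before-policy=0';

console.log(inspectRedirect(sampleUrl, expected));
```

Run it locally on a captured redirect URL; the decoded claims are only a diagnostic aid, since this check does not verify the token's signature.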
Re: OpenID-Connect HTTP 500
I should also note that when in the redirect loop, I can see that the usual URL of https://guacamole.justin-tech.com/#/ is showing as both https://guacamole.justin-tech.com/#session. and https://guacamole.justin-tech.com/#/session.

Thanks again,
Justin

On Thu, 2018-02-08 at 23:37 -0500, Justin Gauthier wrote:
> I have been able to get the redirect from Guacamole to Keycloak to work, however, once I login to keycloak, and get redirected back to Guacamole, I get put into a redirect loop. It does not look like Guacamole is reading the token_id from the URL, and this is causing it to report invalid credentials, and refreshing.
>
> In nginx I see the following in the access log:
>
> 10.0.1.203 - - [08/Feb/2018:23:14:51 -0500] "GET /auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile_type=id_token_id=guacamole_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F=a7tk6oajbm14p4aa5icuad0c60 HTTP
>
> With each refresh it is getting a new nonce token.
>
> Additionally, I can see the id_token in the Guacamole URL, as well as a session state and not-before-policy.
>
> In the POST to https://guacamole.justin-tech.com/api/tokens, I am seeing an Invalid login response, with key: invalid login.
>
> It is expecting name: id_token, type: GUAC_OPENID_TOKEN, and an authorizationURI: https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile_type=id_token_id=guacamole_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F=e1s34a0epan04mre7qduhpnrho, type: INVALID_CREDENTIALS.
>
> The response payload is: {"message":"Invalid login.","translatableMessage":{"key":"Invalid login.","variables":null},"statusCode":null,"expected":[{"name":"id_token","type":"GUAC_OPENID_TOKEN","authorizationURI":"https://keycloak.justin-tech.com/auth/realms/Justin-Tech/protocol/openid-connect/auth?scope=openid+email+profile_type=id_token_id=guacamole_uri=https%3A%2F%2Fguacamole.justin-tech.com%2F=e1s34a0epan04mre7qduhpnrho"}],"type":"INVALID_CREDENTIALS"}
>
> I also see a GET for https://guacamole.justin-tech.com/#session_state=b1988d87-4a4d-4539-a186-1d2ef58aca04_token=[TOKEN] policy=1518147539
>
> I am seeing the following in the localhost_access_logs:
>
> 10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "GET /guacamole/api/patches HTTP/1.1" 200 352
> 10.0.60.20 - - [08/Feb/2018:23:18:01 -0500] "POST /guacamole/api/tokens HTTP/1.1" 403 477
>
> and here are the logs from catalina.log
>
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/jquery/2.1.3/dist/jquery.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular/1.3.16/angular.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/lodash/2.4.1/dist/lodash.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-cookies/1.3.16/angular-cookies.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-route/1.3.16/angular-route.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-touch/1.3.16/angular-touch.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/messageformat/1.0.2/messageformat.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate/2.8.0/angular-translate.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-interpolation-messageformat/2.8.0/angular-translate-interpolation-messageformat.min.js
> Feb 08, 2018 11:27:40 PM org.webjars.servlet.WebjarsServlet doGet
> INFO: Webjars resource requested: /META-INF/resources/webjars/angular-translate-loader-static-files/2.8.0/angular-translate-loader-static-files.min.js
> Feb 08, 2018 11:27:40 PM org.webjar
Re: OpenID-Connect HTTP 500
Nick,

I have completed that step, however now I am in a redirect loop. Once I get home I'll take a look at the logs and provide that information.

Thanks for the help,
Justin

From: Nick Couchman <vn...@apache.org>
Sent: Thursday, February 8, 2018 11:27:05 AM
To: user@guacamole.apache.org
Subject: Re: OpenID-Connect HTTP 500

On Thu, Feb 8, 2018 at 10:00 AM, Justin Gauthier <jus...@justin-tech.com> wrote:

> Hello everyone,
>
> I have discovered that I had the openid-redirect-uri incorrectly specified. That issue has now been resolved, and I get a login screen now.
>
> Now, when I get that login screen, I can login with credentials stored in the postgres database, but I do not get redirected to Keycloak. I see a 403 message with the following information:
>
> {"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
>
> My understanding is that Guacamole should be redirecting me to Keycloak to authenticate, and then I should be redirected back to Guacamole with the authentication token, and it would not ask for the username and password?

Justin,

Authentication extensions are loaded in alphabetical order, which means the OpenID extension is being loaded (and evaluated) after the JDBC extension. I suggest that you rename the OpenID extension to something that will force it to load first - when I do this with modules, I usually prefix a number on to them. For example, in the GUACAMOLE_HOME/extensions folder, instead of installing it as "guacamole-auth-openid-0.9.14.jar", install it as "guacamole-auth-0-openid-0.9.14.jar" - the -0 before the -openid will cause it to be loaded and evaluated prior to the -jdbc JAR, and perhaps allow the redirect to happen properly.

Regards,
Nick