On Wed, May 8, 2019 at 10:44 AM Michael Barkdoll <[email protected]>
wrote:

> Alright, first sorry for all the noise on this thread.  I believe I have
> uncovered a bug and I'm going to proceed with opening a bug report.
>

No worries at all - that's what the mailing list is for!


>
> Concerning the reverse proxy, I think I now have a better understanding
> of my issues. I was a bit new to load balancers, so I'm sure this made
> some people's ears bleed... I think I now at least have the reverse proxy
> working properly.
>
> Concerning client remote ip not being provided from the nginx reverse
> proxy to the tomcat instance my issue was that :
>
>    1. Tomcat's server.xml might require hard-coded IP addresses for the
>    RemoteIpValve internalProxies field for load balancing.
>    Note: I am able to specify a range of IP addresses with some wildcard
>    syntax to support multiple nginx reverse proxy load balancers.
>
>
Yes, you do have to specify the IP address(es) of the Nginx proxy servers
that are going to be talking to Tomcat.  I can't remember what the valid
syntax is for that field, but I would imagine it supports both ranges and
individual IPs.  There is some documentation on it, here:

http://guacamole.apache.org/doc/gug/proxying-guacamole.html#tomcat-remote-ip


>
>    2. My Tomcat catalina.out warning about remoteIpProxiesHeader was due
>    to that value being for an Apache reverse proxy server, not an nginx one.
>    The documentation could be made clearer here on the Apache
>    Guacamole website.  I might try to open something to request it to be
>    changed.
>    Also, I modified the server.xml values to something more appropriate
>    for nginx reverse proxy load balancing, below.
>    Most notable: I added a proxiesHeader="x-forwarded-by" to "hold the
>    list of proxies that have been processed in the incoming remoteIpHeader".
>    Source:
>    
> https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>
>
I believe this is all documented in the page I mentioned, above, which
includes the proxiesHeaders you mention, there.  If the documentation can
be made more clear we'd be glad for that feedback, or a pull request to
clean it up.


>
>    3. The trustedProxies="nginx" is likely optional; nginx DNS-resolves
>    to my nginx reverse proxy, so I added it just in case the 10.0.0.0/8
>    didn't catch it.
>
>
> My server.xml addition:
>         <Valve className="org.apache.catalina.valves.RemoteIpValve"
>                internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
>                remoteIpHeader="x-forwarded-for"
>                proxiesHeader="x-forwarded-by"
>                trustedProxies="nginx"
>                protocolHeader="x-forwarded-proto" />
>
> The following has the conflicting Apache server.xml addition:
> https://guacamole.apache.org/doc/gug/proxying-guacamole.html
>         <Valve className="org.apache.catalina.valves.RemoteIpValve"
>                internalProxies="127.0.0.1"
>                remoteIpHeader="x-forwarded-for"
>                remoteIpProxiesHeader="x-forwarded-by"
>                protocolHeader="x-forwarded-proto" />
>
>
> My goal was to have multiple nginx reverse proxy load balancers and
> multiple Tomcat guacamole-client containers running, but it looks like that
> isn't supported on the Apache guacamole-client side.  I'm basing that
> assumption on the fact that when my nginx reverse proxy sent some clients
> to one Tomcat server and some to another, when a client opened a connection
> to a connection group that was of type balancing they were both connected
> to the same VM.  So, from my point of view I'm thinking they're not
> programmed to support multiple instances of guacamole-client running in a
> balancing connection group; if someone can verify that, it would be
> appreciated.
>

Yeah, there is definitely some work to be done on the Guacamole side for
full HA support.  You *can* point multiple Nginx servers at multiple Tomcat
systems running Guacamole client; however, Guacamole Client currently does
not have a way to synchronize client sessions across multiple instances of
Guacamole Client, so there's no way to have it such that one Guacamole
Client session will show the remote connections from the others.  I started
working on this a few months ago but didn't make much progress.  Maybe I'll
dig that work back up...


>
> Therefore, I've now switched to only using one Apache guacamole-client
> Tomcat instance behind the nginx reverse proxy.
>

Probably a good idea until we sort out what might be going on, here :-).


>
> *Possible bug:*
> However, I still have the same issue that I was previously describing with
> users test, test2, test3 and connection group cg1 and virtual machines with
> xrdp connections called s1, s2.
>
> Essentially,
>
> test can connect and get a session with cg1's s1.
> test2 can connect and get a session with cg1's s2.
> test2 can disconnect from cg1's s2.
> test3 can connect and get a session with cg1's s2.
> test2 can disconnect from cg1's s2.
> test2 can connect and get a session with cg1's s2.
>
> Now if test closes the session with cg1's s1, test3 is unable to use it
> unless they log out and back in to the Guacamole instance.  Since I only
> have one Guacamole instance and the remote IP addresses are now populating in
> the Tomcat instance, I believe this is indeed a bug.
>
> Here is the catalina.out with debugging enabled:
> https://gist.github.com/michaelbarkdoll/9e9f46974a0870ea6d6200cc5c1229c5
>
> Screenshot of Remote host being provided properly.
> [image: Selection_999(2259).png]
>
> Here are all of my updated configuration files:
>
> https://github.com/michaelbarkdoll/guacamole-reverse-proxy-nginx/blob/master/nginx.conf
>
> https://github.com/michaelbarkdoll/guacamole-client/blob/jira/234/server.xml
>
>
Cool - I'll try to take a look at the log entries and see if I can spot
anything.  It sounds like maybe there's some sort of timeout issue with the
connect/disconnect where the active session is kept open for longer than it
actually needs to be, or something along those lines.  We'll see.

-Nick
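The server.xml discussion above turns on how RemoteIpValve decides which address to trust. The following is an added example, not code from the thread, from Tomcat or from Guacamole: a small Python model of the valve's documented right-to-left walk over the remoteIpHeader. The internalProxies pattern is the one quoted above; the trustedProxies pattern (198.51.100.x) and all addresses are constructed for the example. Two points it makes visible: a request that does not arrive from an internalProxies address is left untouched, so a client-supplied X-Forwarded-For is ignored unless the client can reach Tomcat through a trusted path; and both attributes are regular expressions matched against the literal strings in the header, so a hostname such as "nginx" only matches if that exact text appears in the header.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Pattern

# Pattern quoted from the thread's server.xml (java.util.regex and Python's re
# agree on this expression).
INTERNAL_PROXIES = re.compile(r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}")
# Hypothetical trusted edge balancer outside 10/8, assumed for this example.
TRUSTED_PROXIES = re.compile(r"198\.51\.100\.\d{1,3}")


@dataclass
class Resolved:
    remote_addr: str                 # what the application will see as the client
    secure: bool                     # derived from the protocol header
    forwarded_for: Optional[str]     # remoteIpHeader left over after the walk
    proxies: Optional[str]           # value written to proxiesHeader (x-forwarded-by)


def resolve_remote_ip(remote_addr: str, headers: Dict[str, str],
                      internal: Pattern = INTERNAL_PROXIES,
                      trusted: Pattern = TRUSTED_PROXIES,
                      remote_ip_header: str = "x-forwarded-for",
                      protocol_header: str = "x-forwarded-proto") -> Resolved:
    """Model of RemoteIpValve's address selection (not Tomcat's own code)."""
    headers = {k.lower(): v for k, v in headers.items()}

    # Step 1: only requests arriving from an internal proxy are rewritten.
    # Anything else keeps its socket address, whatever the header claims.
    if not internal.fullmatch(remote_addr):
        return Resolved(remote_addr, False, headers.get(remote_ip_header), None)

    hops = [h.strip() for h in headers.get(remote_ip_header, "").split(",") if h.strip()]

    # Step 2: walk the header from the right (nearest proxy) to the left.
    # Internal proxies are dropped, trusted proxies are recorded, and the
    # first address that is neither is taken as the real client.
    client: Optional[str] = None
    proxies = []
    idx = len(hops) - 1
    while idx >= 0:
        hop = hops[idx]
        client = hop
        if internal.fullmatch(hop):
            pass                       # internal hop: not recorded anywhere
        elif trusted.fullmatch(hop):
            proxies.insert(0, hop)     # trusted hop: goes to proxiesHeader
        else:
            break                      # first untrusted address is the client
        idx -= 1

    # Whatever sits to the left of the client is untrusted input and is left
    # in the remoteIpHeader for the application to treat with suspicion.
    remaining = hops[:idx] if idx >= 0 else []

    secure = headers.get(protocol_header, "").lower() == "https"
    return Resolved(client or remote_addr, secure,
                    ", ".join(remaining) or None,
                    ", ".join(proxies) or None)


if __name__ == "__main__":
    # Constructed requests: one straight from an outside host, one via nginx.
    print(resolve_remote_ip("203.0.113.50", {"X-Forwarded-For": "1.2.3.4"}))
    print(resolve_remote_ip("10.0.0.5", {"X-Forwarded-For": "9.9.9.9, 203.0.113.7",
                                         "X-Forwarded-Proto": "https"}))
```

The second call shows why the walk runs right to left: nginx appends the real peer address, so a forged value the client put in X-Forwarded-For ends up to the left of it and never becomes remoteAddr. The protection only holds while Tomcat is unreachable except through the proxies matched by internalProxies, which is the reason to keep that pattern as narrow as the deployment allows.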
