On Mon, Dec 9, 2019 at 5:44 PM Yang Yang <[email protected]> wrote:
> Hi Nick,
>
> I am working to build a portal for users, with all connections categorized
> and presented in our own style. Also, as you suggested, I am using the
> Header authentication module in combination with the JDBC module; however,
> rather than getting all end users registered to guacamole client, I am
> looking to access guacamole with a dedicated account for all end users. I
> have a proxy (nginx) in front of the guacamole client, and the proxy sets
> the authentication header for all end users.
>

I wouldn't recommend doing what you have in mind. Users should have access only to the connections they are specifically allowed to access, with that authorization validated by Guacamole. What you describe would bypass that by considering each user to be identical, and users would be able to access the resources of other users. Attempting to hide the home screen while hoping that users will not guess / attempt to guess other connections is not a secure approach.

> Ideally, I am looking to change the anchor for clients
> (/#/client/<encoded_connection_id>) to a query string
> (?client=encoded_connection_id), so that I can handle the URL with nginx.
> Is this possible?
>

You should let Guacamole handle the authorization that it is designed to handle rather than try to write around it and move things elsewhere. Options would be writing your own extension which dynamically pulls the connections available to each user by querying whatever internal system you already have in place, writing your own application which does only what you need (see below), or using an extension which allows you to push the contents of user sessions. I wrote an example accomplishing the latter some time ago as part of my day job:

https://github.com/glyptodon/guacamole-auth-json

> If not, can I just remove the home module?
>

You can write your own web application powered by the same core APIs:

http://guacamole.apache.org/doc/gug/writing-you-own-guacamole-app.html
https://github.com/apache/guacamole-client/tree/master/doc/guacamole-example

Again, I strongly caution against what you've described and suggest you rethink your approach. The basis of what you're doing equates to disabling authentication and authorization, which is something you should never do:

http://guacamole.apache.org/faq/#disable-auth

- Mike
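Added example, not part of the thread and not the extension's own code: a portal-side sketch of "pushing the contents of user sessions" with guacamole-auth-json, where each user's session lists only the connections that user is entitled to. It assumes the format documented in that extension's README (JSON signed with HMAC-SHA256, signature prepended, encrypted with AES-128-CBC under an all-zero IV, base64-encoded, sent as the `data` parameter to `/api/tokens`); the key, users, hosts and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed 128-bit key (hex). Assumption: it matches the extension's
# json-secret-key setting and is known only to the portal and Guacamole.
SECRET_KEY="4c0b569e4c96df157eee1b65dd0e4d41"
NULL_IV="00000000000000000000000000000000"

# Constructed entitlement table: user|connection name|protocol|hostname
ENTITLEMENTS='alice|alice-desktop|rdp|10.0.0.11
bob|bob-desktop|rdp|10.0.0.12
alice|build-host|ssh|10.0.0.20'

# session_json USER EXPIRES_MS: emit a session holding only USER's connections.
session_json() {
  user="$1"; expires="$2"
  # Reject names that could break out of the JSON string.
  case "$user" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  conns=$(printf '%s\n' "$ENTITLEMENTS" | awk -F'|' -v u="$user" '
    $1 == u {
      printf "%s\"%s\":{\"protocol\":\"%s\",\"parameters\":{\"hostname\":\"%s\"}}", sep, $2, $3, $4
      sep = ","
    }')
  printf '{"username":"%s","expires":%s,"connections":{%s}}' \
    "$user" "$expires" "$conns"
}

# seal: JSON on stdin -> base64(AES-128-CBC(HMAC-SHA256(json) || json))
seal() {
  json=$(cat)
  {
    printf '%s' "$json" |
      openssl dgst -sha256 -mac HMAC -macopt hexkey:"$SECRET_KEY" -binary
    printf '%s' "$json"
  } | openssl enc -aes-128-cbc -K "$SECRET_KEY" -iv "$NULL_IV" -nosalt -a -A
}

# Stand-alone use: ./session.sh alice  (token valid for five minutes)
if [ $# -ge 1 ]; then
  session_json "$1" "$(( ($(date +%s) + 300) * 1000 ))" | seal
  echo
fi
```

The portal authenticates the user itself and then submits the sealed value on that user's behalf, so Guacamole still enforces a per-user connection list instead of one shared account.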
