Thank you very much for the guidance! It is very helpful, and I will rethink my original approach.
Thanks,
Yang

> On Dec 10, 2019, at 09:56, Mike Jumper <[email protected]> wrote:
>
> On Mon, Dec 9, 2019 at 5:44 PM Yang Yang <[email protected]> wrote:
>
> > Hi Nick,
> >
> > I am working to build a portal for users, with all connections categorized
> > and presented in our own style. Also, as you suggested, I am using the Header
> > authentication module in combination with the JDBC module; however, rather
> > than getting all end users registered to guacamole client, I am looking to
> > access guacamole with a dedicated account for all end users. I have a proxy
> > (nginx) in front of the guacamole client, and the proxy sets the
> > authentication header for all end users.
>
> I wouldn't recommend doing what you have in mind. Users should have access
> only to the connections they are specifically allowed to access, with that
> authorization validated by Guacamole. What you describe would bypass that by
> considering each user to be identical, and users would be able to access the
> resources of other users. Attempting to hide the home screen while hoping
> that users will not guess / attempt to guess other connections is not a
> secure approach.
>
> > Ideally, I am looking to change the anchor for clients
> > (/#/client/<encoded_connection_id>) to a query string
> > (?client=encoded_connection_id), so that I can handle the URL with nginx. Is
> > this possible?
>
> You should let Guacamole handle the authorization that it is designed to
> handle rather than try to write around it and move things elsewhere. Options
> would be writing your own extension which dynamically pulls the connections
> available to each user by querying whatever internal system you already have
> in place, writing your own application which does only what you need (see
> below), or using an extension which allows you to push the contents of user
> sessions. I wrote an example accomplishing the latter some time ago as part
> of my day job:
>
> https://github.com/glyptodon/guacamole-auth-json
>
> > If not, can I just remove the home module?
>
> You can write your own web application powered by the same core APIs:
>
> http://guacamole.apache.org/doc/gug/writing-you-own-guacamole-app.html
> https://github.com/apache/guacamole-client/tree/master/doc/guacamole-example
>
> Again, I strongly caution against what you've described and suggest you
> rethink your approach. The basis of what you're doing equates to disabling
> authentication and authorization, which is something you should never do:
>
> http://guacamole.apache.org/faq/#disable-auth
>
> - Mike
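
Added example, not part of the thread and not Guacamole's own code: a small audit of Mike's point that one shared account makes every user identical, comparing what each portal user was meant to reach with what the account behind the proxy header can open. It assumes the web client builds the /#/client/ value as base64 over connection id, type and data source joined by NUL bytes; the users, permissions and the "mysql" data source name are constructed sample data.

```python
import base64

def encode_client_id(conn_id, kind="c", data_source="mysql"):
    """Build the value used in /#/client/<id> (assumed format, see lead-in)."""
    raw = "\0".join((conn_id, kind, data_source))
    return base64.b64encode(raw.encode()).decode()

def decode_client_id(token):
    """Recover (connection id, type, data source) from a client URL value."""
    conn_id, kind, data_source = base64.b64decode(token).decode().split("\0")
    return conn_id, kind, data_source

# Constructed sample data: what the portal intends each end user to reach.
PORTAL_ASSIGNMENTS = {"alice": {"1"}, "bob": {"2", "3"}}

def excess_access(header_user_for, guac_permissions):
    """Connections each end user can open beyond what the portal intended.

    header_user_for:  end user -> username the proxy puts in the auth header
    guac_permissions: Guacamole username -> connection ids it may read
    """
    report = {}
    for end_user, intended in PORTAL_ASSIGNMENTS.items():
        reachable = guac_permissions.get(header_user_for[end_user], set())
        extra = sorted(reachable - intended)
        if extra:
            # Report the URL values too: they are an encoding, not a secret.
            report[end_user] = [encode_client_id(c) for c in extra]
    return report

# Design from the question: the proxy maps everyone to one dedicated account.
SHARED = excess_access(
    {"alice": "portal", "bob": "portal"},
    {"portal": {"1", "2", "3"}},
)

# Design recommended in the reply: per-user identity, Guacamole authorizes.
PER_USER = excess_access(
    {"alice": "alice", "bob": "bob"},
    {"alice": {"1"}, "bob": {"2", "3"}},
)

if __name__ == "__main__":
    print(decode_client_id("MQBjAG15c3Fs"))
    print("shared account:", SHARED)
    print("per-user accounts:", PER_USER)
```

Hiding the home screen changes nothing in the shared-account report, because the check that matters is which connections the authenticated Guacamole user may read.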
