On Tue, Jan 7, 2020 at 3:15 AM Vieri <[email protected]> wrote:
> On Sunday, January 5, 2020, 4:16:46 PM GMT+1, Nick Couchman <[email protected]> wrote:
>
> > Mostly that Guacamole is designed to be a web-based remote desktop
> > client, not a full VPN client, and we're interested in keeping the
> > scope contained.
>
> Understandable. However, I'm still not sure how the commercial product I
> mentioned earlier does it. Even though the provider mentions "SSL-VPN" in
> its on-line guide, I doubt it can be a "real" VPN client as it would imply
> admin privs on the client (supposedly, nothing is supposed to be run as
> root/admin). So that's why I'm wondering (cannot confirm it yet) if the
> provider has implemented some sort of HTML to image rendering, or if it's
> "merely" a redirection to a reverse proxy.

Obviously it's hard to know exactly what the commercial product is using -
could be something open source (happens quite frequently), but also could
be something they wrote themselves. And, no, there is no VPN client - that
is, indeed, the point of such web-based "SSL VPN" portals - that you don't
have to have the client.

> If that were the case then I already have my Apache HTTP service
> configured for reverse proxy (I also have a few Squid instances for other
> HTTP services). So sure, I could merely "extend" Guacamole to display URL
> connection objects when the user logs in, alongside RDP, telnet, ssh and
> VNC connections. The problem I'm facing is that for some reason I don't
> fully share, I am asked to create a single portal and a single URL, eg.
> https://guac.domain.org/ from which the users can then connect to
> whichever internal service. Since I've managed to configure fully
> functional reverse proxies with Apache HTTP (but had redirection issues
> with Squid), I would need to use at least a different port or domain. I
> guess what I really need to do is learn how to configure a reverse proxy
> with Apache Tomcat and try to use the same port for that.
>
> It would look something like this:
>
> https://guac.domain.org/proxy1 -> internal HTTP service 1
> https://guac.domain.org/proxy2 -> internal HTTP service 2
> https://guac.domain.org/proxy3 -> internal HTTP service 3
>
> and so on.
>
> And of course, https://guac.domain.org/ would have to be the guacamole
> web client.
>
> I think you've recently figured out how to do this :-).

You should also be able to configure something like Nginx such that you
could do:

https://guac.domain.org/proxy?uri=https%3A%2F%2Fmy.super.secret.server.local%2Fpath

Obviously if you provide that kind of functionality you want to be very
careful that 1) you're authenticating users properly, and 2) that you limit
what URLs and paths people can try to access from that server such that
sensitive sites, data, etc., are not exposed outside the boundaries of your
network.

> I'm new to Apache Tomcat so I guess I have a lot of homework to do.
>
> > First, I share your desire to do as much as possible with Open Source
> > software, and I routinely have to fight the battle of why to stick
> > with open source rather than spending money on a commercial product.
>
> It's not just a question of money. It is also because OSS is extremely
> flexible, and usually adapts faster and better. Customization is the key.
> Sure, development can be a bit chaotic sometimes (à la freerdp lib...), but
> I guess that's part of the fun.

I totally agree.

-Nick
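Nick's second caveat, limiting which URLs a `/proxy?uri=...` endpoint will fetch on a user's behalf, is the part that tends to be done badly, so here is an added example of an allowlist check. It is my own code, not from this thread or from the Guacamole project. It assumes the portal has already decoded the `uri` query parameter before calling `resolve_proxy_target`, and the hosts and path prefixes in `ALLOWED_TARGETS` are constructed placeholders standing in for whatever an administrator actually permits.

```python
"""Allowlist check for a '/proxy?uri=...' style reverse-proxy endpoint.

Added example for the mailing-list discussion above; not code from the
Guacamole project or from either poster. ALLOWED_TARGETS is a constructed
placeholder allowlist.
"""
from urllib.parse import urlsplit, unquote

# Constructed allowlist: exact hostnames (no wildcards) mapped to the path
# prefixes a portal user may reach on that host. Anything else is refused.
ALLOWED_TARGETS = {
    "intranet.example.local": ("/",),
    "wiki.example.local": ("/wiki/", "/static/"),
}

ALLOWED_SCHEMES = {"https"}


class ProxyTargetRejected(ValueError):
    """Raised when a requested target falls outside the allowlist."""


def normalise_path(path: str) -> str:
    """Collapse '.' and '..' segments so 'wiki/../admin' cannot pass a
    prefix check; climbing above the root is clamped to '/'. A trailing
    slash on the input is preserved."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    out = "/" + "/".join(parts)
    if path.endswith("/") and out != "/":
        out += "/"
    return out


def resolve_proxy_target(uri_param: str) -> str:
    """Validate the (already URL-decoded) 'uri' parameter and return the
    normalised absolute URL the proxy is permitted to fetch.

    Checks, in order: scheme, absence of userinfo, exact host match,
    explicit port, and path prefix after collapsing dot segments.
    """
    url = urlsplit(uri_param)

    if url.scheme.lower() not in ALLOWED_SCHEMES:
        raise ProxyTargetRejected(f"scheme not allowed: {url.scheme!r}")

    # 'https://allowed.host@other.host/' parses with other.host as the real
    # host; refusing any userinfo removes that ambiguity entirely.
    if url.username is not None or url.password is not None:
        raise ProxyTargetRejected("userinfo is not allowed")

    host = (url.hostname or "").lower()
    if host not in ALLOWED_TARGETS:
        raise ProxyTargetRejected(f"host not allowed: {host!r}")

    try:
        port = url.port  # raises ValueError on a non-numeric port
    except ValueError:
        raise ProxyTargetRejected("malformed port")
    if port is not None and port != 443:
        raise ProxyTargetRejected(f"port not allowed: {port}")

    # Decode percent-encoded segments before collapsing, so '%2e%2e' is
    # treated the same as '..'.
    path = normalise_path(unquote(url.path) or "/")
    if not any(path.startswith(p) for p in ALLOWED_TARGETS[host]):
        raise ProxyTargetRejected(f"path not allowed: {path!r}")

    query = f"?{url.query}" if url.query else ""
    return f"https://{host}{path}{query}"


def is_allowed(uri_param: str) -> bool:
    """Boolean convenience wrapper around resolve_proxy_target."""
    try:
        resolve_proxy_target(uri_param)
        return True
    except ProxyTargetRejected:
        return False


if __name__ == "__main__":
    # Nick's own example host is not on the allowlist, so it is refused.
    print(is_allowed("https://my.super.secret.server.local/path"))
    print(resolve_proxy_target("https://wiki.example.local/wiki/page?v=2"))
```

The allowlist is keyed on exact hostnames rather than suffix matches, and the userinfo, port and dot-segment checks cover the usual ways a prefix or substring comparison is talked into proxying something it should not. The authentication half of Nick's caveat is left to the portal itself; this function only decides whether an authenticated user's requested target is one the proxy should ever fetch.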
