Hi,

I configured Apache HTTPD to reverse proxy Guacamole. I'm running 
guacamole-client with another name (changed the war file).

# ls /var/lib/tomcat-9-hman/webapps/
sg  sg.war  ROOT

I want client browsers to simply open https://sg.mydomain.org to access the 
Guacamole portal.

This seems to work fine:

<VirtualHost *:443>
        ServerName sg.mydomain.org
        ErrorLog /var/log/apache2/rprox_ssl_sg_error_log
        # LogLevel debug

        <Location />
            Require all granted
            ProxyPass http://localhost:8080/sg/ flushpackets=on
            ProxyPassReverse http://localhost:8080/sg/
            ProxyPassReverseCookiePath /guacamole/ /
        </Location>

        <Location /websocket-tunnel>
            Require all granted
            ProxyPass ws://localhost:8080/sg/websocket-tunnel
            ProxyPassReverse ws://localhost:8080/sg/websocket-tunnel
        </Location>
</VirtualHost>

I'm not sure though about the ProxyPassReverseCookiePath parameters. Should it 
be /sg/ / in my case instead of the above?

Also, the Guacamole manual does not mention how to connect to a backend server 
with https if it wasn't in localhost. Well, here's a "working" config snippet 
with the backend as https:

<VirtualHost *:443>
        ServerName sg.mydomain.org

        <Location />
            Require all granted
            ProxyPass https://localhost:8443/sg/ flushpackets=on
            ProxyPassReverse https://localhost:8443/sg/
            ProxyPassReverseCookiePath /guacamole/ /
        </Location>

        <Location /websocket-tunnel>
            Require all granted
            ProxyPass ws://localhost:8443/sg/websocket-tunnel
            ProxyPassReverse ws://localhost:8443/sg/websocket-tunnel
        </Location>

        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerName off
</VirtualHost>

The Tomcat configuration for the https bit is:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="/etc/ssl/tomcat/server.key"
                         certificateFile="/etc/ssl/tomcat/server.crt"
                         certificateChainFile="/etc/ssl/CA-MYORG/cacert.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

The http bit is:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

Do you see anything you would advise against (except of course for the 
SSLProxyCheckPeerName directive)?

Should I copy the parameters below to the "8443" connector?
               connectionTimeout="20000"
               URIEncoding="UTF-8"

Vieri
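The following is an added example (not part of the post above, and not Guacamole or httpd project code) that shows why the ProxyPassReverseCookiePath question matters. It emulates the path-rewriting rule of mod_proxy's ap_proxy_cookie_reverse_map(): the first mapping whose internal path is a prefix of the cookie's Path value wins, and the whole Path value is then replaced by the public path. It also applies the RFC 6265 path-match rule a browser uses to decide whether to send the cookie back. The Set-Cookie headers are constructed; the assumption that a Tomcat 9 context /sg emits Path=/sg without a trailing slash reflects the default of the sessionCookiePathUsesTrailingSlash context attribute (false on Tomcat 8 and later).

```python
import re

# Constructed backend responses for a webapp deployed at context path /sg.
# Assumption: Tomcat 9 emits the session cookie Path without a trailing slash
# (sessionCookiePathUsesTrailingSlash defaults to false on Tomcat 8+); the
# second header is what a setup with that attribute enabled would emit.
TOMCAT9_SET_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/sg; HttpOnly"
TRAILING_SLASH_SET_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/sg/; HttpOnly"


def reverse_map_cookie_path(set_cookie, mappings):
    """Emulate ProxyPassReverseCookiePath on one Set-Cookie header value.

    mappings is a list of (internal_path, public_path) pairs in directive order.
    Like httpd, the attribute name is matched case-insensitively, the first
    mapping whose internal path is a prefix of the cookie Path wins, and the
    entire Path value is replaced by public_path (not just the prefix)."""
    attr = re.search(r"path=", set_cookie, flags=re.IGNORECASE)
    if attr is None:
        return set_cookie
    start = attr.end()
    end = set_cookie.find(";", start)
    if end == -1:
        end = len(set_cookie)
    cookie_path = set_cookie[start:end]
    for internal, public in mappings:
        if cookie_path.startswith(internal):
            return set_cookie[:start] + public + set_cookie[end:]
    return set_cookie


def cookie_path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: would a browser send a cookie scoped
    to cookie_path along with a request for request_path on the same host?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # Either the cookie path ends in "/" or the next request-path char is "/"
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def check_directive(internal_path, set_cookie, request_path="/websocket-tunnel"):
    """Apply 'ProxyPassReverseCookiePath <internal_path> /' to set_cookie and
    report (rewritten Path, whether the browser would send the cookie with a
    later request for request_path on the public site)."""
    rewritten = reverse_map_cookie_path(set_cookie, [(internal_path, "/")])
    found = re.search(r"path=([^;]*)", rewritten, flags=re.IGNORECASE)
    path = found.group(1) if found else "/"
    return path, cookie_path_matches(path, request_path)


if __name__ == "__main__":
    for internal in ("/guacamole/", "/sg/", "/sg"):
        for label, header in (("Tomcat 9 default", TOMCAT9_SET_COOKIE),
                              ("trailing slash", TRAILING_SLASH_SET_COOKIE)):
            path, sent = check_directive(internal, header)
            print(f"ProxyPassReverseCookiePath {internal:<12} /  [{label:<16}] "
                  f"-> Path={path:<4} sent with /websocket-tunnel: {sent}")
```

Run stand-alone, the table shows that "/guacamole/ /" never touches a cookie from a context named /sg, and that "/sg/ /" only matches when the backend emits Path=/sg/; with the Tomcat 8+ default of Path=/sg the cookie stays scoped to /sg on the public host and is never sent to / or /websocket-tunnel. A prefix without the trailing slash ("/sg /") covers both forms, which is the check to make against the real Set-Cookie header (e.g. from the ErrorLog with LogLevel debug) before trusting the directive.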
