Hello All,
We are using Guacamole auth-header extension and needed some way to
sanitize http_auth_header.
So I've created a simple AuthHeaderValve for Tomcat that does it.
It checks whether http_auth_header is present in the request, and denies access
if it did not come from the allowed source(s). If http-auth-header is not
present in the request, it does nothing. Allowed sources are specified in
/etc/tomcat/server.xml (it uses the same allow/deny syntax as the other standard
Tomcat valves).
E.g.:
    <Valve className="com.vtbcapital.guacamole.AuthHeaderValve"
           allow="10\.1\.1\.1|10\.2\.2\.2" />
Java code is basically as simple as:
package com.vtbcapital.guacamole;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.RequestFilterValve;

public final class AuthHeaderValve extends RequestFilterValve {
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        HttpServletRequest req = request.getRequest();
        // Header present: let RequestFilterValve's allow/deny rules judge the peer address.
        if (req.getHeader("http-auth-header") != null)
            process(req.getRemoteAddr(), request, response);
        // Header absent: nothing to sanitize, pass the request on untouched.
        else
            getNext().invoke(request, response);
    }
}
Maybe someone will find it helpful.
Guacamole documentation states that it's necessary to sanitize
http_auth_header, but does not suggest how to do it.
Maybe it's worth including this feature in Guacamole (not necessarily as a
valve, but in some other way).
We are also using Nginx as a reverse proxy, so I've performed sanitization
at Nginx too.
Nginx config is as simple as:
# Remove http-auth-header if it does not come from an allowed source
geo $psa {
    10.1.1.1 yes;
    10.2.2.2 yes;
    default  no;
}
# $http_http_auth_header is nginx's variable for the request header "http-auth-header"
map $psa $sanitized_auth_header {
    "yes" $http_http_auth_header;
    "no"  "";
}
server {
    ...
    location / {
        proxy_pass http://HOSTNAME:8080/guacamole/;
        ...
        # an empty value makes nginx omit the header from the proxied request entirely
        proxy_set_header http-auth-header $sanitized_auth_header;
    }
}
Kind regards,
Grigory Trenin
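As an added example (not the poster's code, and not part of Guacamole or Tomcat), here is the same policy expressed as a servlet filter rather than a valve: instead of refusing the request, it hands Guacamole a view of the request from which the identity header has been removed when the peer is not on the allow list, so an untrusted client gets ordinary authentication instead of a 403. It assumes the Servlet 3.0 API (Tomcat 7 or later), a hypothetical package com.example.guacamole, and two init parameters that this example itself defines, header-name and allow; the filter would be registered in the webapp's web.xml with a filter-mapping for /*. header-name should be set to whatever header the http-auth-header property in guacamole.properties names (REMOTE_USER when that property is unset; the setup above uses a header literally called http-auth-header).

```java
package com.example.guacamole;  // hypothetical package, not the poster's com.vtbcapital code

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Strips the identity header from requests whose TCP peer is not on the allow list. */
public final class AuthHeaderStripFilter implements Filter {
    private String headerName;
    private final List<Cidr> allowed = new ArrayList<>();
    @Override
    public void init(FilterConfig config) throws ServletException {
        // Init-param names are this example's own; REMOTE_USER is guacamole-auth-header's default.
        String name = config.getInitParameter("header-name");
        headerName = (name == null || name.trim().isEmpty()) ? "REMOTE_USER" : name.trim();
        String allow = config.getInitParameter("allow");  // e.g. "10.1.1.1, 10.2.2.0/24"
        if (allow == null) return;                        // no entries: nobody is trusted
        for (String entry : allow.split(",")) {
            if (!entry.trim().isEmpty()) allowed.add(Cidr.parse(entry.trim()));
        }
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Only the immediate peer is consulted: behind a reverse proxy that is the proxy's
        // address unless Tomcat's RemoteIpValve has rewritten it from X-Forwarded-For.
        if (http.getHeader(headerName) != null && !isTrusted(http.getRemoteAddr())) {
            // Untrusted peer sent the header: Guacamole gets a view of the request in
            // which it does not exist, so it falls back to its other auth providers.
            http = new HeaderHidingRequest(http, headerName);
        }
        chain.doFilter(http, res);
    }
    @Override public void destroy() { }

    boolean isTrusted(String remoteAddr) {
        try {
            // getRemoteAddr() is a literal address, so no DNS lookup happens here.
            byte[] addr = InetAddress.getByName(remoteAddr).getAddress();
            for (Cidr cidr : allowed) if (cidr.contains(addr)) return true;
        } catch (UnknownHostException e) {
            // Unparsable address: fail closed.
        }
        return false;
    }

    /** IPv4 or IPv6 prefix; a bare address means a single host (/32 or /128). */
    static final class Cidr {
        final byte[] network;
        final int prefixBits;
        Cidr(byte[] network, int prefixBits) { this.network = network; this.prefixBits = prefixBits; }

        static Cidr parse(String spec) throws ServletException {
            String[] parts = spec.split("/", 2);
            try {
                byte[] net = InetAddress.getByName(parts[0]).getAddress();
                int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
                if (bits < 0 || bits > net.length * 8) throw new NumberFormatException(spec);
                return new Cidr(net, bits);
            } catch (UnknownHostException | NumberFormatException e) {
                throw new ServletException("Bad allow entry: " + spec, e);
            }
        }
        boolean contains(byte[] addr) {
            if (addr.length != network.length) return false;  // IPv4 and IPv6 never match
            int fullBytes = prefixBits / 8, remBits = prefixBits % 8;
            for (int i = 0; i < fullBytes; i++) if (addr[i] != network[i]) return false;
            if (remBits == 0) return true;
            int mask = (0xFF << (8 - remBits)) & 0xFF;
            return (addr[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    /** Request view in which one header is absent from every header accessor. */
    static final class HeaderHidingRequest extends HttpServletRequestWrapper {
        private final String hidden;
        HeaderHidingRequest(HttpServletRequest request, String hidden) { super(request); this.hidden = hidden; }
        @Override public String getHeader(String name) {
            return hidden.equalsIgnoreCase(name) ? null : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            return hidden.equalsIgnoreCase(name) ? Collections.<String>emptyEnumeration() : super.getHeaders(name);
        }
        @Override public Enumeration<String> getHeaderNames() {
            List<String> names = new ArrayList<>();
            for (Enumeration<String> e = super.getHeaderNames(); e.hasMoreElements();) {
                String n = e.nextElement();
                if (!hidden.equalsIgnoreCase(n)) names.add(n);
            }
            return Collections.enumeration(names);
        }
    }
}
```

Two design points worth noting. An empty or missing allow parameter trusts nobody, so a misconfigured filter strips the header for everyone rather than letting it through. And, exactly like the valve, the decision is based on getRemoteAddr(), which behind the nginx setup above is nginx's own address; on the Tomcat side the allow list therefore names the proxy, and the per-client decision is the one nginx's geo/map makes, unless RemoteIpValve is placed in front so Tomcat sees the client address from X-Forwarded-For.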