Grigory,
Thanks!
It sounds like your setup is similar to the setup I'm working with.
I'm curious: when you connect to your server, do you see an error in the
console log? The error I see is:
Failed to load resource: the server responded with a status of 404 ().
When I click on it, I see this:
{"message":"Session not associated with authentication provider \"header\".","translatableMessage":{"key":"Session not associated with authentication provider \"header\".","variables":null},"statusCode":null,"expected":null,"type":"NOT_FOUND"}
Do you see this?
Anyone else? Any idea what this means? Should I be concerned?
________________________________
From: Grigory Trenin <[email protected]>
Sent: Wednesday, July 1, 2020 5:49 AM
To: [email protected] <[email protected]>
Subject: Sanitize http_auth_header
Hello All,
We are using Guacamole auth-header extension and needed some way to sanitize
http_auth_header.
So I've created a simple AuthHeaderValve for Tomcat that does it.
It checks whether http_auth_header is present in the request and denies access if
it did not come from an allowed source. If http-auth-header is not present in
the request, it does nothing. Allowed sources are specified in
/etc/tomcat/server.xml (it uses the same allow/deny syntax as other Tomcat
standard valves).
Eg: <Valve className="com.vtbcapital.guacamole.AuthHeaderValve"
allow="10\.1\.1\.1|10\.2\.2\.2" />
Java code is basically as simple as:
package com.vtbcapital.guacamole;

import java.io.IOException;
import javax.servlet.ServletException; // jakarta.servlet on Tomcat 10+
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.RequestFilterValve;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

public final class AuthHeaderValve extends RequestFilterValve {
    @Override
    protected Log getLog() { return LogFactory.getLog(AuthHeaderValve.class); } // abstract in RequestFilterValve
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Only requests carrying the auth header get the allow/deny check; process() applies the
        // inherited allow/deny regexes to the peer address Tomcat sees (the proxy's, unless RemoteIpValve runs first).
        if (request.getHeader("http-auth-header") != null)
            process(request.getRemoteAddr(), request, response);
        else
            getNext().invoke(request, response);
    }
}
Maybe someone finds it helpful.
Guacamole documentation states that it's necessary to sanitize
http_auth_header, but does not suggest how to do it.
Maybe it's worth including this feature in Guacamole (not necessarily as a
valve, but in some other way).
We are also using Nginx as a reverse proxy, so I've performed sanitization at
Nginx too.
Nginx config is as simple as:
# Remove http-auth-header if it does not come from allowed source.
# geo and map live in the http context; geo matches $remote_addr (the TCP peer) by default.
geo $psa {
    10.1.1.1 yes;
    10.2.2.2 yes;
    default  no;
}
# $http_http_auth_header is nginx's variable for the request header "http-auth-header"
# (name lower-cased, dashes turned into underscores, "http_" prefix added).
map $psa $sanitized_auth_header {
    "yes" $http_http_auth_header;
    "no"  "";
}
server {
    ...
    location / {
        proxy_pass http://HOSTNAME:8080/guacamole/;
        ...
        # An empty value makes proxy_set_header omit the header from the upstream request,
        # so a header sent by an untrusted client never reaches Tomcat.
        proxy_set_header http-auth-header $sanitized_auth_header;
    }
}
Kind regards,
Grigory Trenin
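The policy behind the valve and the nginx snippet above (trust the authentication header only when the TCP peer is a listed source, otherwise deny or strip it), as an added example written for this page in Python so it can be exercised offline. It is illustration, not code from the thread or from the Guacamole project. It assumes a WSGI-style request dict, illustrative trusted addresses 10.1.1.1 and 10.2.2.0/24, and the constructed requests driven by the run() helper; AuthHeaderSanitizer, is_trusted, header_auth_app and run are names invented for the example.

```python
import ipaddress

# Header as it appears on the wire. CGI/WSGI normalisation upper-cases it, turns
# dashes into underscores and adds an HTTP_ prefix, so "http-auth-header" and a
# client-sent "http_auth_header" both land on the same environ key.
HEADER_NAME = "http-auth-header"
ENVIRON_KEY = "HTTP_" + HEADER_NAME.upper().replace("-", "_")

# Assumed trusted SSO proxies (illustrative addresses); CIDRs so that a single
# host and a whole subnet are both expressible.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.1.1.1/32", "10.2.2.0/24")]


def is_trusted(remote_addr, networks=TRUSTED_SOURCES):
    """Is the TCP peer address inside one of the trusted networks?

    Deliberately uses the socket peer (REMOTE_ADDR) and never X-Forwarded-For,
    because that header is itself client-supplied."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # garbage or missing address is never trusted
    return any(addr in net for net in networks)


class AuthHeaderSanitizer:
    """WSGI middleware enforcing the same policy as the valve / nginx snippets.

    mode="deny":  respond 403 when the header arrives from an untrusted peer
                  (the valve's behaviour).
    mode="strip": remove the header and let the request through unauthenticated
                  (what an empty proxy_set_header value does in nginx).
    Requests without the header pass through untouched in both modes."""

    def __init__(self, app, mode="deny", networks=TRUSTED_SOURCES):
        if mode not in ("deny", "strip"):
            raise ValueError("mode must be 'deny' or 'strip'")
        self.app, self.mode, self.networks = app, mode, networks

    def __call__(self, environ, start_response):
        if ENVIRON_KEY in environ and not is_trusted(environ.get("REMOTE_ADDR", ""), self.networks):
            if self.mode == "deny":
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"forbidden: auth header from untrusted source"]
            environ = dict(environ)  # do not mutate the caller's environ
            del environ[ENVIRON_KEY]
        return self.app(environ, start_response)


def header_auth_app(environ, start_response):
    """Stand-in for the upstream that, like header auth, believes the header blindly."""
    user = environ.get(ENVIRON_KEY, "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("user=" + user).encode()]


def run(mode, remote_addr, header_value=None):
    """Drive the middleware over one constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/guacamole/", "REMOTE_ADDR": remote_addr}
    if header_value is not None:
        environ[ENVIRON_KEY] = header_value
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(AuthHeaderSanitizer(header_auth_app, mode)(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Constructed requests: trusted proxy, spoofing client (both modes), header-less client.
    for case in (("deny", "10.1.1.1", "alice"), ("deny", "192.0.2.10", "alice"),
                 ("strip", "192.0.2.10", "alice"), ("deny", "192.0.2.10", None)):
        print(case, "->", run(*case))
```

The check is on REMOTE_ADDR, i.e. the address of whatever opened the TCP connection; with a reverse proxy in front of the application that is the proxy's address, which is why the nginx layer in the thread does its own filtering before the header ever reaches Tomcat.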