On Thu, Jan 28, 2021 at 12:59 PM Gerardo <[email protected]> wrote:
> Hi,
> I'm interested in creating a new protocol for Guacamole to browse sites on
> the inside (an intranet for example).
>

This has been proposed or requested several times, and, as a project, we've decided not to try to add HTTP and/or HTTPS support to Guacamole. There are two reasons for this:

1) We've chosen to focus our effort on Guacamole as a Remote Desktop client, and not as a general VPN solution.
2) There are already other products out there that handle the proxying of HTTP(S) requests, which is essentially what would be done. Nginx is a good example - it can be configured to allow you to pass a URL as a query parameter that it will dynamically proxy for you.

This doesn't mean you can't try to do it yourself if you're so inclined, just that we've decided not to integrate it into the Guacamole project at this point in time.

> Any idea how to do that? Must I create a new protocol for guacd, or
> does something like that already exist?
>

Well...sort of. It's actually a little more complex than this. Guacamole is both a couple of pieces of software (Guacamole Client and Guacamole Server, or guacd), but it is also a protocol. The Guacamole protocol has been designed with remote desktop use cases in mind - so, it is designed to efficiently carry things like image data, keystrokes, mouse clicks, files, and audio, and the like, as efficiently as possible between a web browser and remote server. There is some amount of ability to encapsulate arbitrary (blob) data between the browser and the remote server, but the most common use cases for this are to enable things like audio data and file transfers for remote desktop sessions, and not as a general way to tunnel data between a client and a server. If you wanted to add HTTP(S) support, you'd need to implement the relevant stuff on the guacd side, yes, but you'd also need to figure out in what parts of the Guacamole protocol you would try to encapsulate the data, and then how you'd translate that on the client-side.

Again, that's not to say that you couldn't do something like encapsulate HTTP(S) requests within the Guacamole protocol, just that it may not be the most efficient way to accomplish that, and that more efficient ways to handle HTTP(S) traffic (reverse proxies, like Nginx) already exist. There are many more details that can be discussed here in terms of how you would accomplish this, but I figured I'd start with the basic challenges (as I see them, anyway) without going into the weeds too much.

> The idea is to give single-site browsing instead of the whole desktop to browse
> that site.

Yes, and this is frequently the request that comes up when this type of request comes through, and it makes perfect sense. I've been in positions in the past where I wanted to provide a complete, browser-only solution for remote access, and I can completely understand wanting to have a single pane of glass for users to log into. There are a couple of things to think about that may help you achieve something close to this with Guacamole:

- There are other projects/products out there that integrate Guacamole into them that may provide this. The one I know of off the top of my head is eGroupWare - I've no experience actually using it (at least, not recently), but I know they integrate Guacamole protocol features into it along with several other GroupWare/Backoffice type things. Might be worth checking out.
- Using an SSO provider with Guacamole and some other reverse proxy can take care of a lot of this. If you have CAS, OpenID, or SAML, users can sign in to a single place, and then be logged into Guacamole, and you can use that same SSO login to control access to a reverse proxy (like Nginx), which would allow for a more seamless experience. It may not be the perfect one-stop-shop you're looking for, but will be better than asking users to go log in to multiple places multiple times. I particularly like CAS for SSO, because it's freely-available, supports a wide variety of SSO protocols (CAS, SAML, OAuth/OpenID), but also because the ClearPass functionality on it allows you to provide the $GUAC_PASSWORD token through to remote desktop connections, which makes the SSO experience even more seamless.
- As sciUser mentioned in his reply to this thread, you could also use some sort of back-end remote server and publish nothing but a full-screen web browser through Guacamole that has the page(s) you want to forward. This requires some additional server compute, but keeps you from having to do any modification of guacd, Guacamole Client, and/or the Guacamole protocol to accomplish it, and leverages the existing functionality and strengths of Guacamole as a remote desktop platform.

-Nick
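For readers of the archive, an added example (not part of the message above and not code from the Guacamole project) of what encapsulating HTTP data in the protocol's blob mechanism would look like on the wire, and what the framing costs. It assumes the payload travels as a `pipe` stream of `blob` instructions closed by `end`; the stream name, MIME type, chunk size and sample response are constructed for illustration.

```python
import base64

def encode(*elements):
    """One instruction: LENGTH.VALUE elements joined by ',' and closed by ';'."""
    # The length prefix counts Unicode characters, which is what len(str) returns.
    return ",".join(f"{len(e)}.{e}" for e in elements) + ";"

def decode(stream):
    """Split concatenated instructions into element lists, rejecting bad framing."""
    instructions, current, pos = [], [], 0
    while pos < len(stream):
        dot = stream.find(".", pos)
        if dot < 0 or not stream[pos:dot].isdigit():
            raise ValueError("bad length prefix")
        end = dot + 1 + int(stream[pos:dot])
        if end >= len(stream) or stream[end] not in ",;":
            raise ValueError("truncated or unterminated element")
        current.append(stream[dot + 1:end])
        if stream[end] == ";":
            instructions.append(current)
            current = []
        pos = end + 1
    if current:
        raise ValueError("instruction not closed by ';'")
    return instructions

def wrap(payload, index="1", chunk=4096):
    """Carry raw bytes as one stream: pipe, then base64 blob chunks, then end."""
    # Stream name, MIME type and chunk size are arbitrary choices for this example.
    wire = encode("pipe", index, "application/octet-stream", "http-response")
    for i in range(0, len(payload), chunk):
        b64 = base64.b64encode(payload[i:i + chunk]).decode("ascii")
        wire += encode("blob", index, b64)
    return wire + encode("end", index)

def unwrap(wire, index="1"):
    """Reassemble the bytes carried by the blob instructions of one stream."""
    return b"".join(base64.b64decode(ins[2]) for ins in decode(wire)
                    if ins[0] == "blob" and ins[1] == index)

# Constructed sample: a small HTTP response standing in for an intranet page.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          + b"<p>intranet page</p>" * 200)

if __name__ == "__main__":
    wire = wrap(SAMPLE)
    assert unwrap(wire) == SAMPLE
    print(f"{len(SAMPLE)} payload bytes -> {len(wire)} characters on the wire "
          f"({len(wire) / len(SAMPLE):.2f}x)")
```

Every byte pays the base64 expansion plus per-instruction framing, and both ends still need code to turn the stream back into HTTP, which a reverse proxy avoids entirely.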
