Hi,
I have a functioning deployment of Guacamole 1.4 with matching extensions
for LDAP and JDBC-MYSQL behind a NGINX proxy for SSL. All appears to work
fine. When I configure and deploy the DUO plugin authentication breaks.
If I remove the NGINX proxy and attach to Tomcat directly, DUO secondary
authentication works. Does anybody know of any document I could study for
guidance on fixing my NGINX configuration?
My current config is:
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name taurus3.augie.edu;
server_tokens off;
ssl_certificate guacamole.crt;
ssl_certificate_key guacamole.key;
ssl_ciphers
'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384';
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
add_header Referrer-Policy "no-referrer";
add_header Strict-Transport-Security "max-age=15768000;
includeSubDomains" always;
add_header Content-Security-Policy "connect-src 'self'; object-src
'self'; frame-src 'self'; img-src 'self' data:; style-src 'self'
'unsafe-inline'; font-src 'self'; form-action 'self'; base-uri 'self';
frame-ancestors 'self';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
proxy_hide_header Server;
proxy_hide_header X-Powered-By;
client_body_timeout 10;
client_header_timeout 10;
location /guacamole/ {
proxy_pass http://127.0.0.1:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_cookie_path /guacamole/ "/guacamole/;";
access_log /var/log/nginx/guac_access.log;
error_log /var/log/nginx/guac_error.log;
}
}
Thanks,
Matt Fox
