Hello, Matt!
My configs:
Guacamole 1.4.0, NGINX, Duo Auth, MariaDB
guacamole.properties:
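guacd-hostname: 127.0.0.1
guacd-port: 4822
# NOTE(review): "user-mapping" and "auth-provider" are not among the 1.x
# guacamole.properties keys I know of — 1.x picks up user-mapping.xml from
# GUACAMOLE_HOME and loads every extension .jar found in GUACAMOLE_HOME/extensions,
# so the four lines below are presumably ignored; confirm against the 1.4 manual.
# (Each class name sat on its own line in the original, which looks like mail
# wrapping; they are rejoined with their keys here.)
user-mapping: /etc/guacamole/user-mapping.xml
#auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
#auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# >>>>>>>>>>>>> MySQL Start config
mysql-hostname: <<dbserver.domain.local>>
mysql-port: 3306
mysql-database: guacamole
mysql-username: usrguacamole
mysql-password: <<password>>
# The mysql-user-password-* policy applies only to passwords stored in the
# database; accounts that authenticate through LDAP are not subject to it.
mysql-user-password-min-length: 8
mysql-user-password-require-multiple-case: true
mysql-user-password-require-symbol: true
mysql-user-password-require-digit: true
mysql-user-password-prohibit-username: true
mysql-user-password-min-age: 7
mysql-user-password-max-age: 60
# user-required=false + auto-create=true: a user who authenticates via LDAP but
# has no database row gets one created on first login. That makes membership of
# the access_guacamole group (see the LDAP search filter below) the effective
# admission control — keep that group's membership reviewed.
mysql-user-required: false
mysql-auto-create-accounts: true
# <<<<<<<<<<<<< end
# >>>>>>>>>>>>> LDAP Start config
ldap-hostname: <<adserver.domain.local>>
ldap-port: 389
# Was "none": with that setting the search-bind password below and every user's
# password travel to the directory in cleartext. "starttls" upgrades the existing
# port-389 connection; the alternative is "ssl" together with ldap-port 636.
# Either way the directory's certificate must be trusted by the JVM running
# Tomcat, otherwise binds fail after this change.
ldap-encryption-method: starttls
ldap-user-base-dn: DC=domain,DC=local
ldap-username-attribute: sAMAccountName
# Service account used only to look users up; it needs read access and nothing more.
ldap-search-bind-dn: CN=<<user_ad_login>>,OU=UsersServices,DC=domain,DC=local
ldap-search-bind-password: <<password>>
ldap-group-name-attribute: cn
ldap-member-attribute: member
# Only person objects that are direct members of access_guacamole may log in.
# (memberof is not evaluated through nested groups here — presumably intended.)
ldap-user-search-filter:(&(&(objectClass=user)(objectCategory=person))(memberof=CN=access_guacamole,OU=GroupsServices,DC=domain,DC=local))
# <<<<<<<<<<<<< end
# >>>>>>>>>>>> MFA Start config
duo-api-hostname: <<api_hostname>>.duosecurity.com
duo-integration-key: <<integration_key>>
duo-secret-key: <<secret_key>>
# duo-application-key is generated locally, not issued by Duo; treat it like
# the other secrets in this file (file permissions, no version control).
duo-application-key: <<application_key>>
# <<<<<<<<<<<< end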
nginx "default" site file, start of config:
##
# Tomcat host running the Guacamole webapp. nginx talks to it over plain HTTP,
# so this is only acceptable when both sit on the same host or an isolated
# network (the name looks like a container/service name — confirm).
upstream guacamole {
server guacanew:8080;
}
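server {
    listen 80;
    # The original read "guacamole.domain.loca" (final "l" missing); the TLS
    # server below uses ".local", so the same name is assumed here.
    server_name guacamole.domain.local;
    # Everything arriving on port 80 is sent to HTTPS. A server-level `return`
    # is executed in the rewrite phase before any location is matched, so the
    # plain-HTTP `location / { proxy_pass ... }` that followed it in the original
    # could never be reached; it is dropped here so nobody later mistakes it for
    # a working path that would proxy Guacamole credentials in cleartext.
    return 301 https://$host$request_uri;
}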
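server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/ssl/private/cert2022.crt;
    ssl_certificate_key /etc/ssl/private/cert2022.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 were offered before; both are deprecated and only
    # widen what a downgrade can negotiate. TLSv1.3 requires nginx built
    # against OpenSSL 1.1.1 or newer — if the build predates that, keep
    # `ssl_protocols TLSv1.2;` alone rather than reinstating 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # `HIGH` is a broad alias; the exclusions keep out anonymous, MD5 and RC4
    # suites. Left unchanged, but an explicit ECDHE/AES-GCM/CHACHA20 list (as in
    # the second config in this thread) is easier to audit.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # Consider adding Strict-Transport-Security once HTTPS is confirmed working,
    # so browsers stop following the port-80 redirect path at all.
    location / {
        proxy_pass http://guacamole/guacamole/;
        # NOTE(review): per the realip module docs set_real_ip_from takes an IP
        # address, CIDR or unix: socket, not a hostname — presumably `nginx -t`
        # rejects this line; verify. It should also name a proxy *in front of*
        # nginx that is trusted to set X-Forwarded-For. If nginx is the
        # client-facing hop, these three real_ip directives can simply go; a
        # permissive value (e.g. 0.0.0.0/0) would let any client choose the
        # address Guacamole records for its session.
        set_real_ip_from guacamole.domain.local;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        # Required for the Guacamole tunnel: no response buffering, HTTP/1.1
        # and the Upgrade/Connection pair for WebSocket.
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        # The original set X-Forwarded-For twice with the same value; once suffices.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Disabled to silence tunnel traffic; note this also removes nginx's
        # record of login attempts — Guacamole's own log is then the only source.
        access_log off;
    }
}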
[ ]'s
Luciano
________________________________
De: Matt Fox <[email protected]>
Enviado: sexta-feira, 29 de abril de 2022 16:31
Para: [email protected] <[email protected]>
Assunto: NGINX LDAP Mariadb and DUO
Hi,
I have a functioning deployment of Guacamole 1.4 with matching extensions for
LDAP and JDBC-MYSQL behind a NGINX proxy for SSL. All appears to work fine.
When I configure and deploy the DUO plugin, authentication breaks. If I remove
the NGINX proxy and attach to Tomcat directly, DUO secondary authentication
works. Does anybody know of any document I could study for guidance on fixing
my NGINX configuration?
My current config is:
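server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    # The original carried a mail-client link artifact ("<http://...>") after
    # the name; nginx expects the bare hostname.
    server_name taurus3.augie.edu;
    server_tokens off;
    ssl_certificate guacamole.crt;
    ssl_certificate_key guacamole.key;
    ssl_ciphers 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384';
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # add_header set at server level is inherited by a location only when that
    # location sets no add_header of its own; /guacamole/ below sets none, so
    # every header here applies to it.
    add_header Referrer-Policy "no-referrer";
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    # frame-src now also admits the Duo API host. Guacamole 1.4's Duo extension
    # presumably renders the second-factor prompt in an iframe served from
    # duo-api-hostname (later releases moved to a redirect flow); with frame-src
    # limited to 'self' the browser refuses that frame and the login stalls,
    # which fits "works against Tomcat directly, breaks behind nginx". Replace
    # the placeholder with the exact duo-api-hostname value, and check the
    # browser console for a CSP violation before and after to confirm.
    add_header Content-Security-Policy "connect-src 'self'; object-src 'self'; frame-src 'self' https://<<api_hostname>>.duosecurity.com; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'self';" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    proxy_hide_header Server;
    proxy_hide_header X-Powered-By;
    client_body_timeout 10;
    client_header_timeout 10;
    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        # Required for the Guacamole tunnel: no response buffering, HTTP/1.1
        # and the Upgrade/Connection pair for WebSocket.
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # NOTE(review): the cookie path is rewritten to itself plus a literal
        # ";", which only appends an empty attribute to Set-Cookie — confirm this
        # is intended (it reads like a leftover from a "/; Secure; HttpOnly"-style
        # rewrite); with the prefix unchanged the directive is otherwise a no-op.
        proxy_cookie_path /guacamole/ "/guacamole/;";
        access_log /var/log/nginx/guac_access.log;
        error_log /var/log/nginx/guac_error.log;
    }
}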
Thanks,
Matt Fox