Thanks Luciano.
I got some help from Bob Healey with a copy of his working configuration
and I finally have a functioning installation. I had inherited a bunch of
settings I wasn't too familiar with from previous installations. It looks
like changing my add_header directives from:
add_header Referrer-Policy "no-referrer";
add_header Strict-Transport-Security "max-age=15768000;
includeSubDomains" always;
add_header Content-Security-Policy "connect-src 'self'; object-src 'self';
frame-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';
font-src 'self'; form-action 'self'; base-uri 'self';
frame-ancestors 'self';" always;
to:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;
preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
did the job for me. My guess is that the old Content-Security-Policy, which
limits frame-src and connect-src to 'self', was blocking whatever the Duo
extension loads from the duosecurity.com API host, but I haven't confirmed
that yet. When I have some time I plan to dissect this a little further and
see if I can narrow it down to a single header. But the box is now in user
testing so I don't want to break it. Thanks for all the help on this one.
Thanks
Matt Fox
Systems Engineer
IT Department
Augustana University
2001 S Summit Ave | Sioux Falls, SD 57197
[email protected]
605-274-5059
www.augie.edu
On Fri, May 6, 2022 at 3:06 PM Luciano Oliveira <[email protected]>
wrote:
> Hello, Matt!
>
> My configs:
>
> Guacamole 1.4.0, NGINX, Duo Auth, MariaDB
>
> guacamole.properties:
>
> guacd-hostname: 127.0.0.1
> guacd-port: 4822
> user-mapping: /etc/guacamole/user-mapping.xml
> #auth-provider:
> net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
> #auth-provider:
> net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider
> auth-provider:
> net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> # >>>>>>>>>>>>> MySQL Start config
> mysql-hostname: <<dbserver.domain.local>>
> mysql-port: 3306
> mysql-database: guacamole
> mysql-username: usrguacamole
> mysql-password: <<password>>
> mysql-user-password-min-length: 8
> mysql-user-password-require-multiple-case: true
> mysql-user-password-require-symbol: true
> mysql-user-password-require-digit: true
> mysql-user-password-prohibit-username: true
> mysql-user-password-min-age: 7
> mysql-user-password-max-age: 60
> mysql-user-required: false
> mysql-auto-create-accounts: true
> # <<<<<<<<<<<<< end
>
> # >>>>>>>>>>>>> LDAP Start config
> ldap-hostname: <<adserver.domain.local>>
> ldap-port: 389
> ldap-encryption-method: none
> ldap-user-base-dn: DC=domain,DC=local
> ldap-username-attribute: sAMAccountName
> ldap-search-bind-dn:
> CN=<<user_ad_login>>,OU=UsersServices,DC=domain,DC=local
> ldap-search-bind-password: <<password>>
> ldap-group-name-attribute: cn
> ldap-member-attribute: member
>
> ldap-user-search-filter:(&(&(objectClass=user)(objectCategory=person))(memberof=CN=access_guacamole,OU=GroupsServices,DC=domain,DC=local))
> # <<<<<<<<<<<<< end
>
> # >>>>>>>>>>>> MFA Start config
> duo-api-hostname: <<api_hostname>>.duosecurity.com
> duo-integration-key: <<integration_key>>
> duo-secret-key: <<secret_key>>
> duo-application-key: <<application_key>>
>
> # <<<<<<<<<<<< end
>
> nginx default file start config
> ##
> upstream guacamole {
> server guacanew:8080;
> }
>
> server {
> listen 80;
> server_name guacamole.domain.loca;
> return 301 https://$host$request_uri;
> location / {
> proxy_pass http://guacamole/guacamole/;
> set_real_ip_from guacamole.domain.loca;
> real_ip_header X-Forwarded-For;
> real_ip_recursive on;
> proxy_buffering off;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_http_version 1.1;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection $http_connection;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> access_log off;
> }
> }
>
> server {
> listen 443 ssl default_server;
> listen [::]:443 ssl default_server;
> ssl_certificate /etc/ssl/private/cert2022.crt;
> ssl_certificate_key /etc/ssl/private/cert2022.key;
> ssl_session_timeout 5m;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
> ssl_prefer_server_ciphers on;
> location / {
> proxy_pass http://guacamole/guacamole/;
> set_real_ip_from guacamole.domain.local;
> real_ip_header X-Forwarded-For;
> real_ip_recursive on;
> proxy_buffering off;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_http_version 1.1;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection $http_connection;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> access_log off;
> }
>
> }
>
>
> [ ]'s
> *Luciano*
>
> ------------------------------
> *De:* Matt Fox <[email protected]>
> *Enviado:* sexta-feira, 29 de abril de 2022 16:31
> *Para:* [email protected] <[email protected]>
> *Assunto:* NGINX LDAP Mariadb and DUO
>
> Hi,
>
> I have a functioning deployment of Guacamole 1.4 with matching extensions
> for LDAP and JDBC-MYSQL behind an NGINX proxy for SSL. All appears to work
> fine. When I configure and deploy the DUO plugin, authentication breaks.
> If I remove the NGINX proxy and connect to Tomcat directly, DUO secondary
> authentication works. Does anybody know of any document I could study for
> guidance on fixing my NGINX configuration?
> My current config is:
>
> server {
> listen 443 ssl http2 default_server;
> listen [::]:443 ssl http2 default_server;
> server_name taurus3.augie.edu;
> server_tokens off;
> ssl_certificate guacamole.crt;
> ssl_certificate_key guacamole.key;
> ssl_ciphers
> 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384';
>
> ssl_protocols TLSv1.3 TLSv1.2;
> ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
> ssl_prefer_server_ciphers on;
> ssl_session_cache shared:SSL:10m;
> ssl_session_timeout 1d;
> ssl_session_tickets off;
> add_header Referrer-Policy "no-referrer";
> add_header Strict-Transport-Security "max-age=15768000;
> includeSubDomains" always;
> add_header Content-Security-Policy "connect-src 'self'; object-src
> 'self'; frame-src 'self'; img-src 'self' data:; style-src 'self'
> 'unsafe-inline'; font-src 'self'; form-action 'self'; base-uri 'self';
> frame-ancestors 'self';" always;
> add_header X-Content-Type-Options "nosniff" always;
> add_header X-XSS-Protection "1; mode=block" always;
> proxy_hide_header Server;
> proxy_hide_header X-Powered-By;
> client_body_timeout 10;
> client_header_timeout 10;
>
> location /guacamole/ {
> proxy_pass http://127.0.0.1:8080/guacamole/;
> proxy_buffering off;
> proxy_http_version 1.1;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection $http_connection;
> proxy_cookie_path /guacamole/ "/guacamole/;";
> access_log /var/log/nginx/guac_access.log;
> error_log /var/log/nginx/guac_error.log;
> }
> }
>
> Thanks,
>
>
> Matt Fox
>
>