On Thu, May 19, 2022 at 3:48 AM Lionel PRAT <lionel.pr...@gmail.com> wrote:
> Hi,
>
> I'm looking for a solution to use guacamole to limit access to certain web
> administration interfaces (firewall, vmware, ...).
>
> I had thought of using a chrome in VNC but I find this solution too
> dangerous.
> The best solution would surely be to develop a connector for the
> 'http/https' protocol (perhaps starting from the existing code in the
> connector
> https://github.com/apache/guacamole-server/tree/master/src/protocols/kubernetes).
> Has anyone had this problem before and if so, how did you resolve it?
>

This has come up several times, and, to date, we have not really seriously entertained the idea and have kind of pushed back against it. The conversation in the past has been that Guacamole has been targeted toward remote desktop protocols, and HTTP/HTTPS are not remote desktop protocols. Furthermore, there are plenty of solutions out there to proxy/reverse-proxy HTTP and HTTPS pages, and those could be used in place of Guacamole. We may be shifting a bit on this, but, today, it isn't possible to use HTTP/HTTPS through guacd.

Several alternatives have been offered that continue to use Guacamole - for example, you can set up a remote server running RDP or VNC and create a remote connection to that server, and you can even have the remote connection open only a web browser, and you could even do it in Kiosk mode with either Firefox or Chrome to prevent users from using it for other web pages.

Beyond that, adding HTTP/HTTPS support is possible, but I would not say it's all that straight-forward. We've had some conversations about how it could be done, and it seems like we would need to use some sort of back-end rendering engine that guacd could interface with (there are a couple of good ones out there) and then write the logic to translate between the rendering engine and the Guacamole protocol. Definitely possible, just not easy.

And I'm not sure the Kubernetes protocol is a great place to start - it's text-only, similar to Telnet and SSH, whereas the HTTP/HTTPS protocol is going to need to be graphics-based, more along the lines of VNC or RDP.

-Nick