It is going to the login screen most of the time (but not always).

    With respect to Tomcat and IP passing, even if I could do this, I already have a fail2ban jail for apache-auth.  Right now it's primarily picking up WordPress hackers, but it does work.

On 7/31/23 04:38, Nick Couchman wrote:
On Mon, Jul 31, 2023 at 3:53 AM Robert Dinse <[email protected]> wrote:

       Sorry, I lost the original message I was replying to.  This is regarding
guacamole_noauth.


       OK, to try to clarify: if my users could use the same logins and passwords
as they do for the hosts, email, FTP, basically everything else, that
would make it easier for them and me.  I don't want to try to keep two
separate user databases in sync, and I especially can't see making that
script work for 500 users.
Yep, this makes perfect sense.

       In theory I could do this with one of the mod external modules for
Apache, except there is a weird conflict with mod_suphp and mod_su_cgi,
which I use to cause PHP and CGI code to be run with the user ID of the
owner of said code rather than a generic httpd or apache2 or www-data or
some such.  The reason for this is that it takes away the need for
publicly writable directories for upload, and if one user's code has a
flaw that allows an attacker to gain a shell, that shell has the
permissions of that user and thus can't trash everyone else's website.

       I do not know why, but something goes wrong if I compile those in with
mod_auth_external, which I use with a little short program to
authenticate against the system authentication system (PAM).  This used
to work in the old days, and I used it to wrap php_mysqladmin because
it's got some exploits, but these days the modules will compile in
but the server won't start with them both in.

It's been a long time since I've messed with Apache httpd
authentication modules outside of the ones that are built/included
with the Linux distros I run, so I'm afraid I won't be of much help,
here.

       But I could work around this by compiling a separate instance and
just having it listen on a different port just for running guac.

       However, trying to understand how the header auth extension works,
so far I have not gotten it to function just sending static usernames in
the header to test, so I am not sure how to make this work.
I saw that you mentioned this in a previous e-mail, as well - when you
say it isn't functioning, what behavior are you seeing? For example,
you get a login screen when you'd expect it to go through to the
Guacamole Home screen, or you get a blank home screen when you expect
to see connections, or you get an error message, or...?

       I am unfortunately not very fluent in many interpreted languages;
I know C, some assembly languages, a smidgen of JavaScript, and that's
about it.  Python, Perl, Java are all languages I do not grok well.  About
the only interpreted language I knew well was ActionScript, and Adobe
stabbed me in the back there.

       The other advantage to having the web server handle authentication,
as opposed to Guacamole, is that I can log auth failures with IPs and
have fail2ban lock them out when they're being used for brute-force
password attacks.  Guacamole only has the IP of the web server, so it's not
very useful in that regard.   MITM proxy (man in the middle?), not
familiar with how that works.
This is likely a configuration issue between Apache httpd and Tomcat -
the following manual page has some hints on configuring the Remote IP
Valve in Tomcat in such a way that the information will be correct and
available:

https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
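The two points Nick and Robert raise above (Guacamole only ever sees the proxy's address, and fail2ban needs the real client address in an auth-failure log) are illustrated by the following added example. It is not code from the Guacamole project or from anyone in this thread. `effective_client_ip()` models the address-selection rule Tomcat's RemoteIpValve applies to X-Forwarded-For: walk the header from the right, skip the proxies you trust, and take the first address you do not trust as the client; the header is honoured only when the TCP peer itself is a trusted proxy, since otherwise any client could present a forged header and have someone else's address logged (and banned). `ban_candidates()` is a fail2ban-style tally over constructed httpd error_log lines. The TRUSTED_PROXIES list, the sample log lines and the AH01617/AH01618 regex are assumptions made for the example.

```python
"""Added example (not Guacamole or Tomcat code): model of RemoteIpValve's
X-Forwarded-For handling plus a fail2ban-style failure tally over
constructed httpd error_log lines."""
import ipaddress
import re
from collections import Counter

# Assumption: httpd runs on loopback or on a private 10/8 network in front of Tomcat.
# Anything else presenting X-Forwarded-For is an ordinary client and its header is ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]


def _trusted(addr, trusted):
    return any(addr in net for net in trusted)


def effective_client_ip(peer_ip, xff=None, trusted=TRUSTED_PROXIES):
    """Return the address an app behind the proxy should log as the client.

    peer_ip: the TCP peer as Tomcat sees it (normally the httpd host).
    xff:     the X-Forwarded-For header value, or None if absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff or not _trusted(peer, trusted):
        # Direct connection, or a header supplied by an untrusted peer: the
        # header is attacker-controlled, so the peer address is the client.
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    chosen = peer_ip
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip      # malformed hop: refuse to guess, log the peer
        chosen = hop
        if not _trusted(addr, trusted):
            break               # first untrusted hop from the right is the client
    # If every hop was a trusted proxy, the leftmost one is what remains.
    return chosen


# Constructed httpd 2.4 error_log lines (not real traffic). The [client a.b.c.d:port]
# field is the part a fail2ban <HOST> tag would match.
SAMPLE_LOG = """\
[Mon Jul 31 04:38:01.000001 2023] [auth_basic:error] [pid 2231:tid 140] [client 203.0.113.7:51234] AH01617: user admin: authentication failure for "/guacamole/": Password Mismatch
[Mon Jul 31 04:38:02.000001 2023] [auth_basic:error] [pid 2231:tid 140] [client 203.0.113.7:51240] AH01618: user wp-admin not found: /guacamole/
[Mon Jul 31 04:38:03.000001 2023] [auth_basic:error] [pid 2231:tid 141] [client 203.0.113.7:51244] AH01617: user root: authentication failure for "/guacamole/": Password Mismatch
[Mon Jul 31 04:38:04.000001 2023] [auth_basic:error] [pid 2231:tid 141] [client 198.51.100.9:44002] AH01617: user bob: authentication failure for "/guacamole/": Password Mismatch
[Mon Jul 31 04:38:05.000001 2023] [core:notice] [pid 2231:tid 100] AH00094: Command line: '/usr/sbin/httpd'
"""

# Assumed pattern: AH01617 (password mismatch) and AH01618 (unknown user) from mod_auth_basic.
AUTH_FAILURE = re.compile(
    r"\[client (?P<host>\S+?)(?::\d{1,5})?\] AH0161[78]: user .* (?:authentication failure|not found)"
)


def ban_candidates(log_text, threshold=3):
    """Count auth failures per client address; return [(ip, count)] at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAILURE.search(line)
        if m:
            counts[m.group("host")] += 1
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(effective_client_ip("127.0.0.1", "203.0.113.7, 10.0.0.5"))   # 203.0.113.7
    print(effective_client_ip("203.0.113.7", "198.51.100.1"))          # 203.0.113.7 (forged header ignored)
    print(ban_candidates(SAMPLE_LOG))                                  # [('203.0.113.7', 3)]
```

In a real deployment the valve is declared in Tomcat's server.xml as `org.apache.catalina.valves.RemoteIpValve` with `remoteIpHeader` naming the header and `internalProxies` as a regular expression over the proxy addresses, which is the setting the manual page Nick links describes; httpd's mod_proxy adds X-Forwarded-For on its own. The point the model makes is that `internalProxies` is a security boundary, not a convenience: list only the hosts that really sit in front of Tomcat, or the address fail2ban acts on becomes attacker-chosen.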
