On Mon, Jul 31, 2023 at 7:55 AM Nick Couchman <[email protected]> wrote:
>
> On Mon, Jul 31, 2023 at 7:46 AM Robert Dinse <[email protected]> 
> wrote:
> >
> >
> >       It is going to the login screen most of the time (but not always).
> >
>
> I'll try to give this a go in my test setup today, including the
> static username configuration that you're doing, and see what I can
> get working. It's been quite a while since I did anything with the
> header module, so I'm not able to think through all of the things to
> check to make sure it is working properly.

Okay, I had a suspicion about what was going on here, and my testing
confirmed my suspicion.

The configuration you posted in the other thread for your httpd proxy was:

<Location /guacamole/>
     Order allow,deny
     Allow from all
     RequestHeader set X-Remote-User "public"
     ProxyPass http://localhost:8080/guacamole/ flushpackets=on
     ProxyPassReverse http://localhost:8080/guacamole/
</Location>

This passes through a header with the name "X-Remote-User" to Tomcat.
The header authentication module, by default, uses the header
REMOTE_USER. There's no automatic translation between these two
headers - X-Remote-User does not get translated by Tomcat into
REMOTE_USER - it remains X-Remote-User. So, you have one of two
options:

* In guacamole.properties, specify "http-auth-header: X-Remote-User"
and reload the Guacamole application (restart Tomcat, touch the WAR
file, or re-deploy the WAR file).
* In your httpd proxy configuration, change X-Remote-User to
REMOTE_USER, leaving the guacamole.properties file untouched.

In the testing I did, I used the first method - reconfiguring the
header module in Guacamole to use X-Remote-User rather than the
default of REMOTE_USER - and it worked perfectly.

One other thing that is worth noting is that the default file
authentication mechanism, using user-mapping.xml, does *not* stack
with any of the other authentication modules. So, if you try to use
the header module to access connections specified in the
user-mapping.xml file, it won't work - you won't see those
connections. You have to use some other module - generally JDBC - to
store connection information that can be used with other modules, like
the header module.

-Nick




>
> >      With respect to tomcat and IP passing, even if I could do this, I
> > already have a fail2ban jail for apache-auth.  Right now it's primary
> > picking up Wordpress hackers, but it does work.
>
> Yeah, I wasn't suggesting that you remove the fail2ban for Apache
> httpd, I was just pointing out the way to fix the issue with not being
> able to see actual client IPs in Guacamole.
>
> -Nick
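
The following is an added example, not code from the Guacamole project or from anyone in this thread. It models how the header authentication module picks the username out of the headers the httpd proxy forwards, so the mismatch described above (the proxy sends X-Remote-User, the module looks for REMOTE_USER unless http-auth-header says otherwise) can be seen on constructed input, together with both fixes. The function names, the tiny guacamole.properties reader and the sample header sets are mine; the assumption that header-name matching is case-insensitive (X-Remote-User is still a different name) follows from HTTP and the servlet getHeader() contract.

```python
import re

# Added example, not Guacamole's own code. Models how the header auth
# extension resolves the username from the headers the reverse proxy
# forwards, so the X-Remote-User / REMOTE_USER mismatch in the thread
# becomes visible. Function names and sample data are constructed.

DEFAULT_HEADER = "REMOTE_USER"  # default header name of the header auth module
_PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")


def parse_properties(text):
    """Minimal reader for guacamole.properties (java.util.Properties style):
    '#' or '!' comment lines, 'key: value' or 'key = value' entries."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def configured_header(props):
    """Header name the module will look for: 'http-auth-header' if set,
    otherwise REMOTE_USER."""
    return props.get("http-auth-header", DEFAULT_HEADER)


def resolve_user(props, headers):
    """Return the username carried in the configured header, or None.

    HTTP header names are case-insensitive (assumption: the servlet
    container's getHeader() matches that way), so REMOTE_USER and
    remote_user are the same header. X-Remote-User is a different name
    and is never translated into REMOTE_USER. None means the module has
    no user for this request and Guacamole falls through to the login
    screen."""
    wanted = configured_header(props).lower()
    for name, value in headers.items():
        if name.lower() == wanted and value.strip():
            return value.strip()
    return None


# Constructed headers, as Tomcat would see them behind the Location block
# from the thread (RequestHeader set X-Remote-User "public").
PROXIED_WITH_X_HEADER = {
    "Host": "localhost:8080",
    "X-Forwarded-For": "203.0.113.10",   # documentation address (RFC 5737)
    "X-Remote-User": "public",
}

# Same proxy after option 2: RequestHeader set REMOTE_USER "public".
PROXIED_WITH_REMOTE_USER = {
    "Host": "localhost:8080",
    "X-Forwarded-For": "203.0.113.10",
    "REMOTE_USER": "public",
}


def as_posted():
    """Original setup: proxy sends X-Remote-User, properties untouched."""
    return resolve_user(parse_properties(""), PROXIED_WITH_X_HEADER)


def option_1():
    """Reconfigure the module: http-auth-header: X-Remote-User."""
    props = parse_properties("# guacamole.properties\nhttp-auth-header: X-Remote-User\n")
    return resolve_user(props, PROXIED_WITH_X_HEADER)


def option_2():
    """Reconfigure the proxy to send REMOTE_USER, properties untouched."""
    return resolve_user(parse_properties(""), PROXIED_WITH_REMOTE_USER)


if __name__ == "__main__":
    print("as posted :", as_posted())   # None -> login screen
    print("option 1  :", option_1())    # public
    print("option 2  :", option_2())    # public
```

Either fix works because the module only compares the header name it was told to use; nothing in Tomcat rewrites one name into the other. One practical check when adopting either option: the module accepts whatever value the header carries, and `RequestHeader set` only overwrites the header on requests that actually traverse the httpd proxy, so the Tomcat port should not be reachable from clients except through that proxy.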

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]