If you use a connection, what IP address does Guacamole record in the history as being your source address?

- Mike

On 8/4/23 23:59, Robert Dinse wrote:
nslookup localhost
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   localhost.eskimo.com
Address: 127.0.0.1

root@inuvik:~# grep localhost /etc/hosts
127.0.0.1       localhost localhost.localdomain loghost

On 8/4/23 22:35, Michael Jumper wrote:
It's possible that "localhost" on your system maps to the IPv6 address for localhost, so the source address of your proxy doesn't actually match the value you specified for "internalProxies".

- Mike

On 8/4/2023 6:12 PM, Robert Dinse wrote:

      I still haven't gotten Apache external authentication to work properly.  I did manage to get mod_authnz_external to peacefully co-exist with mod_suphp, the secret was to compile mod_authnz_external and dynamically load it rather than compiling it statically into httpd, which would have been my preference. But, for some reason it will work with a static web page or PHP application, but not a proxy, but that's another issue.

      For now I am just trying to get the Apache to pass the IP of the connecting customer through to Tomcat, have it pass it through to the guacamole process so that when a user connects to a host, the host sees the IP the user is originating from and not the IP of the web server.  I was referred to this webpage for instructions:

https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

      And so I've set up the <host> section in Tomcat9 as follows:

      The website shows to add this valve to the <host> section of the server.xml file:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127.0.0.1"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />

      Here is what the <host> section of my servers.xml looks like:

<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- SingleSignOn valve, share authentication between web applications
       Documentation at: /docs/config/valve.html -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  -->

  <!-- Access log processes all example.
       Documentation at: /docs/config/valve.html
       Note: The pattern used is equivalent to using pattern="common" -->
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="127.0.0.1"
         remoteIpHeader="x-forwarded-for"
         remoteIpProxiesHeader="x-forwarded-by"
         protocolHeader="x-forwarded-proto" />

</Host>

      Note that guacamole is the only application I have running under tomcat9.  I have another Java application running (yacy) but it is not containerized.

      Then it shows for the Apache:

<Location /guacamole/>
    Order allow,deny
    Allow from all
    ProxyPass http://HOSTNAME:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://HOSTNAME:8080/guacamole/
</Location>

      I already had this except for HOSTNAME I had "localhost", then it also shows proxying guacamole with websocket, and says it will reduce network latency.  Well already it was fast enough to watch videos on a proxy connection, but why not, so I added:

<Location /new-path/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
</Location>

      Like this, if I go to the URL and login to a host, the IP the host sees is that of the web server and not the IP I am originating from.

      With respect to authentication, if I wrap these proxy statements with access statements I get a 404 error with '/#/' as the URL.

      If I remove the proxy statements and substitute some simple HTML it works as expected, prompts for login and password, and if correct displays the code.

      If I type the wrong username and password, it rejects the attempt.

      This was basically the auth code I was using:

SetExternalAuthMethod pwauth pipe
AddExternalAuth pwauth /usr/sbin/pwauth
     AuthType Basic
     AuthName "Authentication Required"
     AuthExternal pwauth
     Require valid-user
     AuthExternal authnz_external
     AuthBasicProvider external

      If I can get it to pass the IP correctly then auth isn't required, because fail2ban will pick up and ban offending IPs trying to brute-force passwords, so right now that is my focus.


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
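Added example, not code from the thread or from Tomcat: a small Python model of the decision RemoteIpValve makes when it sees x-forwarded-for, illustrating Mike's point that a proxy arriving over IPv6 loopback (::1) does not match internalProxies="127.0.0.1", so the header is ignored and the webapp records the proxy's own address. The sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed model of Tomcat's RemoteIpValve logic (not Tomcat's code). The real
# valve takes internalProxies as a regex and also supports trustedProxies;
# both are simplified here to a plain set of addresses.

def _norm(addr: str) -> str:
    """Canonicalise an address so 0:0:0:0:0:0:0:1 and ::1 compare equal."""
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return addr.strip()

@dataclass
class Resolved:
    remote_addr: str            # what the webapp (Guacamole) will see
    header_used: bool = False   # False means x-forwarded-for was ignored
    remaining_for: List[str] = field(default_factory=list)

def resolve_client_ip(peer_addr: str, x_forwarded_for: Optional[str],
                      internal_proxies: Set[str]) -> Resolved:
    """Return the client address RemoteIpValve would report.

    The header is honoured only if the TCP peer itself is an internal proxy.
    Otherwise any client could forge x-forwarded-for and spoof its source,
    which would also let it evade per-IP controls such as fail2ban.
    """
    internal = {_norm(p) for p in internal_proxies}
    peer = _norm(peer_addr)
    if peer not in internal or not x_forwarded_for:
        return Resolved(remote_addr=peer)
    # Walk the chain right-to-left, discarding our own proxies; the first
    # address that is not one of ours is the real client.
    hops = [_norm(h) for h in x_forwarded_for.split(",") if h.strip()]
    while hops and hops[-1] in internal:
        hops.pop()
    if not hops:
        return Resolved(remote_addr=peer, header_used=True)
    client = hops.pop()
    return Resolved(remote_addr=client, header_used=True, remaining_for=hops)

if __name__ == "__main__":
    # Apache reaches Tomcat over ::1, which does not match 127.0.0.1, so the
    # header is ignored and the source is recorded as ::1.
    print(resolve_client_ip("::1", "203.0.113.7", {"127.0.0.1"}))
    # Listing both loopbacks (as Tomcat's default internalProxies does) fixes it.
    print(resolve_client_ip("::1", "203.0.113.7", {"127.0.0.1", "::1"}))
```

Checking the Tomcat access log's %h column for the proxy's own address (127.0.0.1 or ::1) is the quickest way to see which of these two cases a deployment is in.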
