That's what I do with everything. Reverse proxy with https coming in to nginx and then http to each device. Https is too much of a pain internally, esp. since Google decided to think for us and decide that self-signed certs are gonna give browser warnings.

The risk is low enough (if my LAN is compromised I have way bigger problems).

On 16/02/2024 at 12:31, Andrea Miconi <[email protected]> wrote:

> Thanks for your answers.
>
> Now I'm using guacamole in a LAN and I don't need a reverse proxy.
> When I have finished the configuration and everything is OK, I will connect from the Internet using the reverse proxy on the firewall (OPNsense with HA Proxy).
>
> If you assure me that it is already sufficient, then I will leave HTTP.
> Instead I would like to know if I can use another port from the Internet and let HAProxy redirect to 8080.
>
> On Friday, 16 February 2024 at 12:53:42 CET, Nick Couchman <[email protected]> wrote:
>
>> I agree with both Alessandro and Robert's advice to just go ahead and install a reverse proxy. There are several issues with running https directly in Tomcat - one of them is that you either have to a) choose a port above 1024 for the HTTPS traffic and then use port redirection magic to move standard port 443 traffic to that port, or b) run Tomcat in such a way that it has the privileges to open port 443 itself. In the past, running Tomcat with privileges to operate on the standard HTTPS port (443) meant running it as root, which is a Bad Idea; however, there are some changes to at least Linux, maybe even some of the BSDs, recently, that allow you to set a capability for the Tomcat user to open privileged ports without having to elevate to root.
>>
>> The thing is, the above are just the things you have to do to get Tomcat to even listen or process traffic on 443, and you haven't even set up the private key/certificate, yet. You're really better off just installing either Nginx or httpd and going that route.
>>
>> -Nick
>>
>> On Fri, Feb 16, 2024 at 6:06 AM Alessandro Sironi <[email protected]> wrote:
>>
>>> Hi Andrea,
>>>
>>> it would be better not to expose Tomcat directly to the internet; instead, you should use a reverse proxy such as NGINX or Apache and land there over HTTPS.
>>>
>>> Regards,
>>>
>>> Alessandro
>>>
>>> On 16/02/2024 11:47, Andrea Miconi wrote:
>>>
>>>> I'm new to guacamole and now I can access the login page with HTTP.
>>>>
>>>> I want to access it with HTTPS instead, but I can't figure out what I should do.
>>>> Reading online I found a suggestion to install Nginx as a reverse proxy, but I would like to avoid it.
>>>>
>>>> Shouldn't it be enough to activate https on Tomcat?
>>>> How to do it?
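
The layout discussed in this thread (TLS terminated on the proxy at a non-standard external port, plain HTTP forwarded to Tomcat on 8080) can be written as a HAProxy configuration. This is an added example, not part of the original thread or of any poster's setup; the external port 8443, the certificate path, the backend address 192.0.2.10 and the section names are all assumptions.

```haproxy
# Added example. Port 8443, the certificate path, the address 192.0.2.10
# and the frontend/backend/server names are assumptions, not values from the thread.
global
    # Refuse legacy protocol versions on every TLS listener
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # Guacamole's WebSocket tunnel is long-lived; this timeout applies
    # once the connection has been upgraded, so sessions are not cut early
    timeout tunnel  1h

frontend guacamole_https
    # Internet-facing side: TLS on a non-standard port.
    # The .pem file holds the certificate chain followed by the private key.
    bind :8443 ssl crt /usr/local/etc/haproxy/certs/guacamole.pem
    # Publish only the Guacamole web application path; everything else gets a 403
    http-request deny unless { path_beg /guacamole/ }
    default_backend guacamole_tomcat

backend guacamole_tomcat
    # Pass the original client address and scheme on to Tomcat
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # LAN side: plain HTTP to Tomcat's connector on 8080, which never
    # needs a privileged port or a private key of its own
    server guac1 192.0.2.10:8080 check
```

With this layout, Tomcat's port 8080 should accept connections only from the proxy host, since anything that can reach it directly bypasses TLS. For Tomcat to log the address from `X-Forwarded-For` rather than the proxy's, a `RemoteIpValve` has to be configured on the Tomcat side.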
