On Sun, Feb 18, 2024 at 3:21 AM Andrea Miconi <[email protected]> wrote:

> I've made some progress.
> I configured ha-proxy in my small personal laboratory.
> Listening to 0.0.0.0:443 and calling IP-LAN:8080
>
> Now if I type https://MyDomain.TLD/guacamole on a PC on the Internet, the
> Guacamole login page appears.
>
> However, I still have doubts.
>
> I now call the service with HTTPS and see the padlock marking the
> certificate with Let's Encrypt.
> However, I would like there to be the redirect from 80 to 443, but I think
> this is a problem with how the certificate is generated in the firewall.
>

This is entirely possible, but depends on what you're using for a reverse proxy. Here are a couple of quick references for Nginx, Apache httpd, and HAProxy:

https://serversforhackers.com/c/redirect-http-to-https-nginx
https://www.ssl.com/how-to/redirect-http-to-https-with-apache/
https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy

> Furthermore, I didn't understand if I should also install the certificate
> on the PC on which guacamole runs.
> I generated a certificate for *.mydomain.tld and therefore it is also
> valid for the PC, but I don't know how to bring the certificate here.
> If I solve it I would have access to Guacamole via HTTPS also from the LAN
> and not just from the Internet.
> However, this is also not a HA Proxy problem.
>

If you're running the reverse-proxy for the Internet on a different system from where Guacamole is installed, and want the HTTPS configuration with that wildcard certificate in both places, then you'd need to install the certificate on that system, as well. However, you don't need just the generated certificate, you also need the private key that you used for that certificate. Once you have that pair, you can copy them to the system where Guacamole is installed and use them on it, as well.

As far as how to configure HTTPS on that system, it all depends on how you want to do that. You could:

* Install HAProxy on that system, as well, and configure it with the same certificate.
* Install Nginx or Apache httpd and configure one of them as a reverse proxy using that certificate.
* Install the certificate into Tomcat and configure Tomcat for HTTPS, as long as you're okay with it running on the non-standard port numbers. I still don't recommend this approach.

-Nick
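
An added example, not part of the thread or of any poster's configuration: a minimal HAProxy setup for the layout described above (terminate TLS on 443, forward to Guacamole on port 8080) with the port 80 to 443 redirect asked about. The certificate path, the section names and the backend address 192.0.2.10 (standing in for IP-LAN) are placeholders.

```haproxy
# Added example. Placeholders: certificate path, section names, 192.0.2.10.
global
    # Refuse TLS versions older than 1.2 on every "bind ... ssl" line.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # Guacamole uses long-lived WebSocket tunnels; without this they are
    # cut when the client/server timeouts above expire.
    timeout tunnel  1h

frontend fe_guacamole
    bind 0.0.0.0:80
    # The file given to "crt" must hold the certificate chain AND its
    # private key in one PEM file, which is why the key has to be copied
    # together with the certificate. Keep the file readable only by
    # root or the haproxy user.
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/mydomain.tld.pem

    # Requests that did not arrive over TLS get a permanent redirect to
    # the same host and path over HTTPS; nothing is proxied in cleartext.
    http-request redirect scheme https code 301 unless { ssl_fc }

    default_backend be_guacamole

backend be_guacamole
    # Pass the real client address and original scheme to Tomcat.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    server guac1 192.0.2.10:8080 check
```

The file can be validated before a reload with `haproxy -c -f /etc/haproxy/haproxy.cfg`. For the redirect to work from the Internet, port 80 has to be forwarded to the HAProxy host in the same way as port 443.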
