On Fri, Jan 24, 2025 at 3:47 AM Bhupender <[email protected]> wrote:
> Thank you Sean for sharing the NGINX-based smart card authentication > solution. > > I'm interested in implementing this NGINX configuration with Guacamole. A > few questions: > > 1. Does this configuration require specific smart card middleware or > drivers on the NGINX server? > 2. Will the smart card certificates need to be periodically updated in the > NGINX configuration? > 3. Is there a recommended way to test the configuration before production > deployment? > > Best regards, > Bhupender > > One other note I'll add on Sean's suggestion for using Nginx to validate the Smart Cards - if you use this in combination with the guacamole-auth-header authentication module, you can have Nginx pass through the name of the user who has been authenticated and allow Guacamole to "trust" this authentication and log the user in directly. This requires slightly more scrutiny from a security perspective, as you must make absolute certain that nothing can spoof the header used for Nginx to pass the username to Guacamole (by default REMOTE_USER), but it can be done. See: https://guacamole.apache.org/doc/gug/header-auth.html -Nick >
