Hello all,
I was wondering if anyone else has run into this problem. I have
guacamole 1.1.0 setup and running and working with no issues if I access
the app directly. If I access via my nginx reverse proxy some part of
the duo extension is getting blocked and can't complete authentication
correctly. On firefox this just gives a spinning wheel graphic, and on
Chrome it shows up as "this element was blocked by an extension".
I'm fairly sure part of the nginx security options I have is the problem
but it's a bit outside of my area to identify.
Thanks,
--Caleb
Here's the relevant section of my nginx config:
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name myserver;
server_tokens off;
ssl_certificate /path/to/my/cert;
ssl_certificate_key /path/to/my/key;
ssl_ciphers
'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384';
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
add_header Referrer-Policy "no-referrer";
add_header Strict-Transport-Security "max-age=15768000;
includeSubDomains" always;
add_header Content-Security-Policy "default-src 'none'; script-src
'self' 'unsafe-eval'; connect-src 'self'; object-src 'self'; frame-src
'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src
'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'self';"
always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
proxy_hide_header Server;
proxy_hide_header X-Powered-By;
client_body_timeout 10;
client_header_timeout 10;
location / {
proxy_pass http://myserver/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_cookie_path /guacamole/ "/; HTTPOnly; Secure; SameSite";
access_log /var/log/nginx/guac_access.log;
error_log /var/log/nginx/guac_error.log;
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org