OS: RHEL/CentOS 8.x
Tomcat: 9.0.34 installed from tar.gz (into /opt/tomcat)
Guac: 1.1.0

I have previously set up Tomcat from the package in yum on RHEL/CentOS 7.x.
For that I did the following in server.xml:

(in the <Connector port="8080" ... redirectPort="8443" /> tag)
URIEncoding="UTF-8"

I then added the following connector a little lower in the config:

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/opt/tomcat/webapps/.keystore"
           keystorePass="my_password"
           URIEncoding="UTF-8" />

The above, as I understand it, sets up using port 8443 with TLS between
Tomcat and the JKS key store.

I then, towards the bottom of the config, above the </Host> closing tag,
added:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="GUAC_SERVER_IP"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />

and

<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false"
       showServerInfo="false" />

The first valve is meant to pass client IPs to the connection logs in the Guac web
app (and I guess behind the scenes too), and the 2nd valve hides the server
info from error pages.

After some research (/doc/config/http.html) it appears I may need to change
my approach:

"As of Tomcat 8.5, the majority of the SSL configuration attributes in the
Connector are deprecated. If specified, they will be used to configure a
SSLHostConfig and Certificate for the defaultSSLHostConfigName. Note that if
an explicit SSLHostConfig element also exists for the
defaultSSLHostConfigName then that will be treated as a configuration error.
It is expected that Tomcat 10 will drop support for the SSL configuration
attributes in the Connector."

So it sounds like I would/should be setting up the connector for port 8443
in another file? Or have I misunderstood the documentation? Also it seems
like some parameters I am using are deprecated?

TLDR - the above snippets in server.xml work in RHEL/CentOS 7.x, tomcat 7.x
with Guacamole 1.1.0. Do I need to (or should I) update the above, omit them
or take a different approach to accomplish the same goals with RHEL/CentOS
8.x, tomcat 9.x and Guacamole 1.1.0? IE: have attributes changed, structure,
options, etc. that I should use instead? OR should they work as is and there
is no need to change/update them?

Any help would be great, working on updating my RHEL/CentOS 7.x script for
Guac install for RHEL/CentOS 8.x and much has changed. Thanks



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
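
The following is an added example, not part of the original post or of the Tomcat or Guacamole projects: a small helper that moves the deprecated SSL attributes quoted in the documentation excerpt above out of a Connector and into a nested SSLHostConfig/Certificate element, still inside server.xml. The function name `migrate_connector` and the sample input (built from the 8443 Connector in the post) are assumptions for illustration; the attribute mappings follow the Tomcat 9 HTTP connector documentation.

```python
import xml.etree.ElementTree as ET

# Deprecated Connector attribute -> replacement name (Tomcat 9 connector docs).
HOST_ATTRS = {"sslProtocol": "sslProtocol", "sslEnabledProtocols": "protocols",
              "ciphers": "ciphers"}
CERT_ATTRS = {"keystoreFile": "certificateKeystoreFile",
              "keystorePass": "certificateKeystorePassword",
              "keystoreType": "certificateKeystoreType",
              "keyAlias": "certificateKeyAlias"}
# Old clientAuth values -> SSLHostConfig certificateVerification values.
CLIENT_AUTH = {"false": "none", "true": "required", "want": "optional"}

# Constructed sample: the 8443 Connector from the post, entities decoded.
SAMPLE = '''<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" keystoreFile="/opt/tomcat/webapps/.keystore"
    keystorePass="my_password" URIEncoding="UTF-8" />'''


def migrate_connector(xml_text):
    """Move deprecated SSL attributes into nested SSLHostConfig/Certificate."""
    conn = ET.fromstring(xml_text)
    if conn.tag != "Connector":
        raise ValueError("expected a <Connector> element")
    old = [a for a in conn.attrib
           if a in HOST_ATTRS or a in CERT_ATTRS or a == "clientAuth"]
    if not old:
        return xml_text  # already in the new style, or not a TLS connector
    if conn.find("SSLHostConfig") is not None:
        # The quoted docs make mixing both styles for the default host a
        # configuration error; this helper refuses any mix.
        raise ValueError("deprecated SSL attributes mixed with SSLHostConfig")
    host = ET.SubElement(conn, "SSLHostConfig")
    cert = None
    for name in old:
        value = conn.attrib.pop(name)
        if name == "clientAuth":
            host.set("certificateVerification", CLIENT_AUTH[value.lower()])
        elif name in HOST_ATTRS:
            host.set(HOST_ATTRS[name], value)
        else:
            if cert is None:
                cert = ET.SubElement(host, "Certificate")
            cert.set(CERT_ATTRS[name], value)
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(conn, space="    ")
    return ET.tostring(conn, encoding="unicode")


if __name__ == "__main__":
    print(migrate_connector(SAMPLE))
```

Non-SSL attributes such as port, maxThreads and URIEncoding stay on the Connector itself; the RemoteIpValve and ErrorReportValve elements are not touched by this migration.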
