tl;dr : Your browser's address bar may give you the wrong idea about whether you've connected with HTTP or HTTPS. Take 5 seconds to check why you don't have a secure connection before you hack away on config files.
If your Guacamole deployment doesn't seem to connect securely even if you're sure you've set everything up correctly, you may not have a problem at all. Browsers indicate the security level of your connection to a site in different ways. As of Dec 2018, for instance, Chromium / Chrome visually distinguishes between an unsecured HTTP site, an HTTPS site with a certificate signed by a Certificate Authority and an HTTPS site using a self-signed certificate. An HTTP site will have the words 'Not secure' to the left of the website address, while an HTTPS site with a CA-signed certificate will have a green padlock symbol. An HTTPS site using a self-signed certificate, however, will have a red triangle w/ an exclamation mark to the left of the address with the 'https' portion of the address in red and struck through. Opera, in contrast, only visually distinguishes between a CA-signed HTTPS site and other types of sites. The first type of site will show a green padlock like Chromium / Chrome, but all others will simply have the words 'Not secure' to the left of the address bar. Opera does show a pop-up to warn you about the self-signed certificate when you first visit it. However, the browser silently ignores the self-signed certificate on subsequent visits to the site if you 'Continue Anyway'. In addition, Opera does not display the 'http://' or 'https://' portion of a website's address. These behaviors matter if a) you use Opera or a browser that behaves like Opera; and, b) you make an exception for your Guacamole website, that is, you 'Continue Anyway', during development and then forget you did so at some later point, as I did. I wasted several hours of my life trying to figure out why my properly-configured Guacamole setup did not provide the expected HTTPS connection. In reality, I *did* have an HTTPS connection, but Opera only displayed 'Not secure'. Eventually, I tried connecting with Chromium, which is when I noticed the differences described above. Both browsers will provide more information if you click on the area to the left of the address bar. In both cases, the browsers told me that my Guac site wasn't trusted because of the self-signed certificate, but only Chromium provided a visual clue. -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
