On Tue, Jan 21, 2020 at 2:28 AM Vieri <[email protected]> wrote:
> Hi,
>
> I configured Apache HTTPD to reverse proxy Guacamole. I'm running
> guacamole-client with another name (changed the war file).
>
> # ls /var/lib/tomcat-9-hman/webapps/
> sg sg.war ROOT
>
> I want client browsers to simply open https://sg.mydomain.org to access
> the Guacamole portal.
>
> This seems to work fine:
>
> <VirtualHost *:443>
> ServerName sg.mydomain.org
> ErrorLog /var/log/apache2/rprox_ssl_sg_error_log
> # LogLevel debug
>
> <Location />
> Require all granted
> ProxyPass http://localhost:8080/sg/ flushpackets=on
> ProxyPassReverse http://localhost:8080/sg/
> ProxyPassReverseCookiePath /guacamole/ /
> </Location>
>
> <Location /websocket-tunnel>
> Require all granted
> ProxyPass ws://localhost:8080/sg/websocket-tunnel
> ProxyPassReverse ws://localhost:8080/sg/websocket-tunnel
> </Location>
>
> I'm not sure though about the ProxyPassReverseCookiePath parameters.
> Should it be /sg/ / in my case instead of the above?

Yes.

> Also, the Guacamole manual does not mention how to connect to a backend
> server with https if it wasn't in localhost. Well, here's a "working"
> config snippet with the backend as https:
>
> <VirtualHost *:443>
> ServerName sg.mydomain.org
>
> <Location />
> Require all granted
> ProxyPass https://localhost:8443/sg/ flushpackets=on
> ProxyPassReverse https://localhost:8443/sg/
> ProxyPassReverseCookiePath /guacamole/ /
> </Location>
>
> <Location /websocket-tunnel>
> Require all granted
> ProxyPass ws://localhost:8443/sg/websocket-tunnel
> ProxyPassReverse ws://localhost:8443/sg/websocket-tunnel
> </Location>

Do you see any warnings in your Tomcat logs from Guacamole regarding WebSocket not being used? I think the WebSocket URLs here may need to be "wss://", not "ws://".
> SSLEngine on
> SSLProxyEngine on
> SSLProxyCheckPeerName off
>
> The Tomcat configuration for the https bit is:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="150" SSLEnabled="true" >
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> />
> <SSLHostConfig>
> <Certificate certificateKeyFile="/etc/ssl/tomcat/server.key"
> certificateFile="/etc/ssl/tomcat/server.crt"
> certificateChainFile="/etc/ssl/CA-MYORG/cacert.pem"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
> The http bit is:
>
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000"
> URIEncoding="UTF-8"
> redirectPort="8443" />
>
> Do you see anything you would advise against (except of course for the
> SSLProxyCheckPeerName directive)?

I don't immediately see anything wrong here, except ...

> Should I copy the parameters below to the "8443" connector?
> connectionTimeout="20000"
> URIEncoding="UTF-8"

... you should definitely copy the URIEncoding parameter. Not having this will cause failures if anything managed within Guacamole involves Unicode characters. See:

http://guacamole.apache.org/doc/gug/proxying-guacamole.html#preparing-servlet-container

- Mike
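The https-backend vhost from the thread with the two corrections Mike raises (cookie path /sg/ and wss:// for the tunnel) applied, as an added example rather than the poster's own configuration. Names, ports and the CA file path are taken from the thread; the SSLProxyVerify and SSLProxyCACertificateFile lines are an assumption about how to validate the Tomcat certificate while the backend is still addressed as localhost.

```apache
# Added example: the 8443 backend vhost from the thread, corrected.
# Hostnames, ports, paths and the CA file are those posted in the thread;
# the SSLProxyVerify / SSLProxyCACertificateFile lines are an assumption.
<VirtualHost *:443>
    ServerName sg.mydomain.org
    ErrorLog /var/log/apache2/rprox_ssl_sg_error_log

    SSLEngine on
    SSLProxyEngine on
    # Assumption: SSLProxyVerify defaults to "none", so without these two
    # lines the certificate Tomcat presents on 8443 is never checked.
    # Pinning to the org CA that issued it keeps the proxy leg verified.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/CA-MYORG/cacert.pem
    # Kept from the thread: the backend is reached as "localhost", which
    # will not match the name in the Tomcat certificate.
    SSLProxyCheckPeerName off

    <Location />
        Require all granted
        ProxyPass https://localhost:8443/sg/ flushpackets=on
        ProxyPassReverse https://localhost:8443/sg/
        # Tomcat sets the session cookie path to the webapp's context
        # path, which is /sg/ after renaming the war, not /guacamole/.
        ProxyPassReverseCookiePath /sg/ /
    </Location>

    <Location /websocket-tunnel>
        Require all granted
        # The 8443 connector is TLS-only, so the WebSocket tunnel has to
        # be proxied as wss://, not ws://, or Guacamole falls back to
        # the HTTP tunnel and logs a warning about WebSocket not being used.
        ProxyPass wss://localhost:8443/sg/websocket-tunnel
        ProxyPassReverse wss://localhost:8443/sg/websocket-tunnel
    </Location>
</VirtualHost>
```

On the Tomcat side the 8443 connector still needs URIEncoding="UTF-8" copied over from the 8080 connector, as Mike advises.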
