I thought I was reasonably proficient with Apache web server but I discovered it won't do what I want.

I solved the issue with mod_suphp versus mod_authnz_external. I had compiled the entire server statically; I did this because I have a machine with a large amount of RAM (256GB), so I prefer eating RAM to CPU each time the program loads and links. suphp is structured to only be compiled statically; mod_authnz_external, by contrast, can be compiled statically or dynamically. Any time I tried to compile it statically, mod_suphp would disappear; if I removed mod_authnz_external, then mod_suphp would return. However, I found that if I compiled mod_authnz_external dynamically and then loaded it when Apache started, I could get the two to peacefully co-exist.

Now, I know Apache access controls can be applied either to directories or locations, and since the proxy for Guacamole was already inside a <Location /> tag in the virtual domain, I figured it would be easy to add access controls to this; turns out not.

I tested the access control by substituting a directory, and for directories they work fine. For some reason they do not work with proxies. It fires off Guacamole without requesting authentication, then when Guacamole returns with a '/#/' URL, it immediately blows up and gives me a 404 error.

Now, with the header authentication module I can essentially bypass authentication, and so what I was hoping to do is have Apache authenticate via external authentication and, if successful, launch Guacamole with a header that allows the user to connect; else reject and log the failed attempt so that fail2ban can monitor the failures and lock out offending IPs. That's my preferred method of handling this. But it may not be a doable method. My main reason for wanting to wrap it with Apache authentication is that Apache will log failed auth attempts, and I already have a fail2ban jail set up to watch for those. I have it set up so that if they get five bad auths in a two-day period they get banned for two days, and if they keep doing this the recidive jail picks up and blocks the IP for a year save for manual intervention.

If I can figure out how to get Tomcat to pass the IP to Guacamole, so that when someone logs into a server via Guacamole it correctly logs the originator IP and failed logins, that will work also, but I am utterly unfamiliar with Tomcat.

What I have now in Apache is this:

# guacamole.eskimo.com (plain HTTP: redirect everything to HTTPS)
<VirtualHost 204.122.16.20:80>
    ErrorLog /space/weblogs/guacamole.log
    ServerName guacamole.eskimo.com
    Redirect permanent / https://guacamole.eskimo.com/
</VirtualHost>

# guacamole.eskimo.com SSL
<VirtualHost 204.122.16.20:443>
    ServerName guacamole.eskimo.com
    SSLEngine On
    SSLCertificateFile "/misc/ssl/eskimo.com/certs/STAR_eskimo_com.crt"
    SSLCertificateChainFile "/misc/ssl/eskimo.com/certs/STAR_eskimo_com.ca-bundle"
    SSLCertificateKeyFile "/misc/ssl/eskimo.com/key/eskimo.key"
    # header read by the Guacamole header-authentication extension
    RequestHeader set X-Remote-User "public"
    # mod_authnz_external: authenticate through pwauth over a pipe
    SetExternalAuthMethod pwauth pipe
    AddExternalAuth pwauth /usr/sbin/pwauth
    <Location /#/>
        ProxyPass http://localhost:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://localhost:8080/guacamole/
        AuthType Basic
        AuthName "Authentication Required"
        AuthBasicProvider external
        AuthExternal pwauth
        Require valid-user
    </Location>
</VirtualHost>

If anyone has any suggestions on how to beat this thing into submission, I'd appreciate it.
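An added example, not the poster's configuration, of the flow described in the post: authenticate at Apache first, then forward the name of the user Apache just authenticated to Guacamole's header-authentication extension instead of a fixed value. It assumes Apache 2.4.7 or later (for the `expr=` syntax) and that the extension reads its default header name, REMOTE_USER.

```apache
<VirtualHost 204.122.16.20:443>
    ServerName guacamole.eskimo.com
    # SSLEngine / SSLCertificate* directives as in the original post

    # mod_authnz_external: authenticate through pwauth over a pipe
    SetExternalAuthMethod pwauth pipe
    AddExternalAuth       pwauth /usr/sbin/pwauth

    # Weak form (not used here): every request, authenticated or not,
    # would reach Guacamole as user "public":
    #   RequestHeader set X-Remote-User "public"

    # Protect the path the browser actually requests. The "#/..." part of a
    # Guacamole URL is a fragment; browsers never send it to the server, so
    # a <Location /#/> block can never match a request.
    <Location />
        AuthType          Basic
        AuthName          "Authentication Required"
        AuthBasicProvider external
        AuthExternal      pwauth
        Require           valid-user

        # RequestHeader runs after authn/authz, so REMOTE_USER is only set
        # for requests that passed "Require valid-user". "set" replaces any
        # client-supplied copy of the header, so a visitor cannot inject it.
        # Assumption: the header extension is reading its default header
        # name (http-auth-header = REMOTE_USER in guacamole.properties).
        RequestHeader set REMOTE_USER "expr=%{REMOTE_USER}"

        ProxyPass        http://localhost:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://localhost:8080/guacamole/
    </Location>
</VirtualHost>
```

Failed Basic-auth attempts are still logged by Apache at this layer, so the existing fail2ban jail keeps working unchanged.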


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org