I still haven't gotten Apache external authentication to work
properly. I did manage to get mod_authnz_external to peacefully
co-exist with mod_suphp; the secret was to compile mod_authnz_external
and dynamically load it rather than compiling it statically into httpd,
which would have been my preference. But for some reason it will work
with a static web page or PHP application, but not with a proxy; that's
another issue.
For now I am just trying to get Apache to pass the IP of the
connecting customer through to Tomcat, and have it pass it through to the
guacamole process, so that when a user connects to a host, the host sees
the IP the user is originating from and not the IP of the web server. I
was referred to this web page for instructions:
https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve
And so I've set up the <Host> section in Tomcat9 as follows. The website
shows to add this valve to the <Host> section of the server.xml file:

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="127.0.0.1"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />

Here is what the <Host> section of my server.xml looks like:

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true">

      <!-- SingleSignOn valve, share authentication between web applications
           Documentation at: /docs/config/valve.html -->
      <!--
      <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
      -->

      <!-- Access log processes all example.
           Documentation at: /docs/config/valve.html
           Note: The pattern used is equivalent to using pattern="common" -->
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127.0.0.1" remoteIpHeader="x-forwarded-for"
             remoteIpProxiesHeader="x-forwarded-by"
             protocolHeader="x-forwarded-proto" />

    </Host>

Note that guacamole is the only application I have running under tomcat9. I
have another Java application running (yacy) but it is not containerized.
Then it shows for the Apache:
    <Location /guacamole/>
        Order allow,deny
        Allow from all
        ProxyPass http://HOSTNAME:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://HOSTNAME:8080/guacamole/
    </Location>

I already had this, except for HOSTNAME I had "localhost". Then it also shows
proxying guacamole with websocket, and says it will reduce network
latency. Well, it was already fast enough to watch videos on a proxy
connection, but why not, so I added:
    <Location /new-path/websocket-tunnel>
        Order allow,deny
        Allow from all
        ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
    </Location>
Like this, if I go to the URL and log in to a host, the IP the host sees
is that of the web server and not the IP I am originating from.
With respect to authentication, if I wrap these proxy statements with access
statements I get a 404 error with '/#/' as the URL.
If I remove the proxy statements and substitute some simple HTML it works
as expected, prompts for login and password, and if correct displays the code.
If I type the wrong username and password, it rejects the attempt.
This was basically the auth code I was using:

    SetExternalAuthMethod pwauth pipe
    AddExternalAuth pwauth /usr/sbin/pwauth
    AuthType Basic
    AuthName "Authentication Required"
    AuthExternal pwauth
    Require valid-user
    AuthExternal authnz_external
    AuthBasicProvider external
If I can get it to pass the IP correctly, then auth isn't required, because fail2ban
will pick up and ban offending IPs trying to brute-force passwords, so right now
that is my focus.
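As an added illustration (not part of the post above, and not Tomcat's code), the following Python models the address-resolution rule that Tomcat's RemoteIpValve documents: the X-Forwarded-For header is honoured only when the TCP peer matches internalProxies (here "127.0.0.1", as in the posted server.xml), entries are walked right to left, and the header is ignored entirely when it is absent or arrives from a peer that is not an internal proxy. The sample addresses and the optional trustedProxies pattern are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the RemoteIpValve algorithm as described in the Tomcat
# valve documentation; it is not the valve's own source code.

@dataclass
class ResolvedRequest:
    remote_addr: str                                        # what Tomcat/Guacamole will see
    forwarded_by: List[str] = field(default_factory=list)   # value of x-forwarded-by
    remaining_xff: List[str] = field(default_factory=list)  # unverified hops left in the header
    scheme: str = "http"
    secure: bool = False

def _matches(pattern: Optional[str], value: str) -> bool:
    return pattern is not None and re.fullmatch(pattern, value) is not None

def resolve_remote_ip(remote_addr: str,
                      x_forwarded_for: Optional[str],
                      internal_proxies: str = r"127\.0\.0\.1",   # from the posted config
                      trusted_proxies: Optional[str] = None,      # assumed extra setting
                      x_forwarded_proto: Optional[str] = None) -> ResolvedRequest:
    result = ResolvedRequest(remote_addr=remote_addr)
    # A peer that is not an internal proxy could have forged the header: ignore it.
    if not _matches(internal_proxies, remote_addr):
        return result
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    idx, client = len(hops) - 1, None
    while idx >= 0:
        client = hops[idx]
        if _matches(internal_proxies, client):
            pass                                   # internal hops are dropped silently
        elif _matches(trusted_proxies, client):
            result.forwarded_by.insert(0, client)  # recorded in x-forwarded-by
        else:
            idx -= 1                               # first untrusted hop is the client
            break
        idx -= 1
    result.remaining_xff = hops[:idx + 1]          # hops left of the client stay unverified
    if client is not None:
        result.remote_addr = client
    if x_forwarded_proto and x_forwarded_proto.lower() == "https":
        result.scheme, result.secure = "https", True
    return result

if __name__ == "__main__":
    print(resolve_remote_ip("127.0.0.1", "203.0.113.7", x_forwarded_proto="https"))
    print(resolve_remote_ip("198.51.100.9", "203.0.113.7"))   # header ignored: peer not internal
```

The second call shows why internalProxies matters: a client that reaches Tomcat without going through the local Apache cannot pick its own logged address.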