Re: Passing IP of connecting client through Proxy

Michael Jumper Fri, 04 Aug 2023 22:36:00 -0700

It's possible that "localhost" on your system maps to the IPv6 addressfor localhost, so the source address of your proxy doesn't actuallymatch the value you specified for "internalProxies".


- Mike


On 8/4/2023 6:12 PM, Robert Dinse wrote:

I still haven't gotten Apache external authentication to workproperly. I did manage to get mod_authnz_external to peacefullyco-exist with mod_suphp, the secret was to compile mod_authnz_externaland dynamically load it rather than compiling it statically into httpd,which would have been my preference. But, for some reason it will workwith a static web page or PHP application, but not a proxy, but that'sanother issue.
For now I am just trying to get the Apache to pass the IP of theconnecting customer through to Tomcat, have it pass it through to theguacamole process so that when a user connects to a host, the host seesthe IP the user is originating from and not the IP of the web server. Iwas referred to this webpage for instructions:
https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

      And so I've setup the <host> section in Tomcat9 as follows:
The website shows to add this valve to the <host> section of theserver.xml file:
<ValveclassName="org.apache.catalina.valves.RemoteIpValve"
internalProxies="127.0.0.1"
remoteIpHeader="x-forwarded-for"
remoteIpProxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"/> Here is what the <host> section ofmy servers.xml looks like: <Host name="localhost" appBase="webapps"unpackWARs="true" autoDeploy="true">    <ValveclassName="org.apache.catalina.valves.AccessLogValve" directory=" logs"prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t"%r" %s %b" /> <ValveclassName="org.apache.catalina.valves.RemoteIpValve"internalProxies="127.0.0.1" remoteIpHeader="x-forwarded-for"remoteIpProxiesHeader="x-forwarded-by"protocolHeader="x-forwarded-proto" /> </Host> Note that guacamole is theonly application I have running under tomcat9. I have another Javaapplication running (yacy) but it is not containerized. Then it showsfor the Apache:<Location/guacamole/> Orderallow,deny AllowfromallProxyPasshttp://HOSTNAME:8080/guacamole/flushpackets=onProxyPassReversehttp://HOSTNAME:8080/guacamole/ </Location> I alreadyhad this except for HOSTNAME I had "localhost", then it also showsproxying guacamole with websocket, and says it will reduce networklatency. Well already it was fast enough to watch videos on a proxyconnection, but why not, so I added:<Location/new-path/websocket-tunnel> Orderallow,deny
Allowfromall
ProxyPassws://localhost:8080/guacamole/websocket-tunnel
ProxyPassReversews://localhost:8080/guacamole/websocket-tunnel
</Location>

      Like this, if I go to the URL and login to a host, the IP the hosts sees 
is that of the web server and not the IP I am originating from.
      With respect authentication, if I wrap these proxy statements with access 
statements I get a 404 error with '/#/' as the URL
      If I remove the proxy statements and substitute some simple HTML it works 
as expected, prompts for login and password, and if correct displays the code.

      If I type the wrong username and password, it rejects the attempt.

      This was basically the auth code I was using:

SetExternalAuthMethod pwauth pipe
AddExternalAuth pwauth /usr/sbin/pwauth
     AuthType Basic
     AuthName "Authentication Required"
     AuthExternal pwauth
     Require valid-user
     AuthExternal authnz_external
     AuthBasicProvider external

  If I can get it to pass IP correctly then auth isn't required because 
fail2ban will pick up and ban offending IPs trying to brute-force passwords so 
right now that is my focus.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

Re: Passing IP of connecting client through Proxy

Reply via email to