I apologize, someone replied to this and I accidentally deleted
your reply, but you asked what IP Tomcat was logging, and if I'm looking
in the right place. In catalina.out:
catalina.out:[2023-08-04 17:35:02] [info] 17:35:02.572 [http-nio-8080-exec-8] INFO o.a.g.event.EventLoggingListener - User "public" (authenticated by "default") successfully authenticated from [50.251.249.49, 127.0.0.1]
In localhost_access_log.2023-08-04.txt.gz:
localhost_access_log.2023-08-04.txt.
These are both in /var/log/tomcat9.
50.251.249.49 is actually the IP address I am originating from
but when I connect to a host, the host sees the connection coming from
204.122.16.20 which is that of the web server. I personally do not
understand how it could possibly pass the originating IP address to the
host it's connecting to since it is originating the connection from the
web server.
On 8/4/23 18:12, Robert Dinse wrote:
I still haven't gotten Apache external authentication to work
properly. I did manage to get mod_authnz_external to peacefully
co-exist with mod_suphp, the secret was to compile mod_authnz_external
and dynamically load it rather than compiling it statically into
httpd, which would have been my preference. But, for some reason it
will work with a static web page or PHP application, but not a proxy,
but that's another issue.
For now I am just trying to get the Apache to pass the IP of the
connecting customer through to Tomcat, have it pass it through to the
guacamole process so that when a user connects to a host, the host
sees the IP the user is originating from and not the IP of the web
server. I was referred to this webpage for instructions:
https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve
And so I've set up the <Host> section in Tomcat9 as follows.
The website says to add this valve to the <Host> section of the
server.xml file:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127.0.0.1"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />

Here is what the <Host> section of my server.xml looks like:

<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">

  <!-- SingleSignOn valve, share authentication between web applications
       Documentation at: /docs/config/valve.html -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  -->

  <!-- Access log processes all example.
       Documentation at: /docs/config/valve.html
       Note: The pattern used is equivalent to using pattern="common" -->
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="127.0.0.1"
         remoteIpHeader="x-forwarded-for"
         remoteIpProxiesHeader="x-forwarded-by"
         protocolHeader="x-forwarded-proto" />

</Host>

Note that guacamole is the only application I have running under tomcat9.
I have another Java application running (yacy) but it is not containerized.
Then it shows for the Apache:
<Location /guacamole/>
    Order allow,deny
    Allow from all
    ProxyPass http://HOSTNAME:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://HOSTNAME:8080/guacamole/
</Location>

I already had this, except that for HOSTNAME I had "localhost". Then it
also shows proxying guacamole with websocket, and says it will reduce
network latency. Well, it was already fast enough to watch videos on a
proxy connection, but why not, so I added:
<Location /new-path/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
</Location>
Like this, if I go to the URL and log in to a host, the IP the host sees
is that of the web server and not the IP I am originating from.
With respect to authentication, if I wrap these proxy statements with
access statements, I get a 404 error with '/#/' as the URL.
If I remove the proxy statements and substitute some simple HTML it works
as expected, prompts for login and password, and if correct displays the code.
If I type the wrong username and password, it rejects the attempt.
This was basically the auth code I was using:
SetExternalAuthMethod pwauth pipe
AddExternalAuth pwauth /usr/sbin/pwauth
AuthType Basic
AuthName "Authentication Required"
AuthExternal pwauth
Require valid-user
AuthExternal authnz_external
AuthBasicProvider external
If I can get it to pass the IP correctly, then auth isn't required, because
fail2ban will pick up and ban offending IPs trying to brute-force passwords,
so right now that is my focus.