Hi!

I want to expand a little bit on this idea. My intention is to run the client 
in a centralized location (e.g. the cloud), and have multiple daemons deployed 
in remote locations, with the hosts in a location not accessible over the 
internet. For example, to connect to a host in a given location, you need to 
use the SSH JumpProxy/Bastion approach 
(https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump).

One idea we wanted to explore is to have guacd(s) installed in the remote 
location's bastions, exposing the guacd port to the internet, and then from a 
cloud deployed client create connections to the location hosts using the 
"Guacamole Proxy Parameters (Guacd)" option. The problem with this approach is 
that there is no strong authentication between the client and the daemon 
(AFAIK), so in this way anybody could connect to that guacd running in the 
bastion and attempt to configure connections to the internal hosts. From the 
documentation, we see that the configuration parameters in the client are the 
following:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html

guacd-hostname
The host the Guacamole proxy daemon (guacd) is listening on. If omitted, 
Guacamole will assume guacd is listening on localhost.

guacd-port
The port the Guacamole proxy daemon (guacd) is listening on. If omitted, 
Guacamole will assume guacd is listening on port 4822.

guacd-ssl
If set to “true”, Guacamole will require SSL/TLS encryption between the web 
application and guacd. By default, communication between the web application 
and guacd will be unencrypted.

Note that if you enable this option, you must also configure guacd to use SSL 
via command line options. These options are documented in the manpage of guacd. 
You will need an SSL certificate and private key.

Is there any way to make that SSL a mutual SSL / mutual TLS authentication? In 
that way, the client will authenticate the daemon, and the daemon will 
authenticate the client, and everybody should be happy (reference: 
https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/)

Also, in general, what are the security implications of having guacd serve 
incoming internet requests? Are there any docs you can share on that?

Finally, if having guacd exposed to the world is not a good idea, should we go 
with something like ssh tunnels or site-to-site VPNs to get the remote 
locations connected with the cloud deployed client? Any other options to 
consider?

Thank you!
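The alternative the post weighs at the end, keeping guacd off the internet and reaching it through the bastion over SSH, can be checked against guacamole.properties with a small script. The following is an added example, not code from the thread or from the Guacamole project; it assumes a bastion named bastion.example.net, an SSH user "guac", certificate paths under /etc/guacd, and that the web application's properties file uses the guacd-hostname, guacd-port and guacd-ssl keys quoted above. The guacd flags -b, -l, -C and -K are the bind address, port, certificate and key options from guacd's manpage; the tunnel only makes sense if guacd is bound to loopback on the bastion, so the audit treats a loopback hostname as "reached through a tunnel or local daemon" and a remote hostname without guacd-ssl=true as a plaintext exposure.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Guacamole project).
# Assumed names: bastion.example.net, SSH user "guac", /etc/guacd/server.{crt,key}.

# Command to run on the bastion: guacd bound to loopback only (-b), on the
# default port (-l), with TLS (-C/-K), so port 4822 is never reachable from
# the internet and only a tunnel terminating on the bastion can reach it.
guacd_bastion_cmd() {
    printf 'guacd -f -b 127.0.0.1 -l 4822 -C /etc/guacd/server.crt -K /etc/guacd/server.key\n'
}

# Command to run on the client host: forward local 4822 to the bastion's
# loopback 4822. SSH key authentication then decides who can reach guacd,
# which is the "strong authentication" the plain guacd socket lacks.
bastion_tunnel_cmd() {
    bastion="$1"
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:4822:127.0.0.1:4822 guac@%s\n' "$bastion"
}

# Read one key from a Java-style properties file (key=value or key: value),
# skipping comment lines; prints the last value found, or nothing if absent.
prop_get() {
    file="$1"; key="$2"
    sed -n -e '/^[[:space:]]*[#!]/d' \
           -e "s/^[[:space:]]*$key[[:space:]]*[=:][[:space:]]*//p" "$file" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Audit guacamole.properties. Returns 0 when guacd traffic stays on loopback
# (tunnel or local daemon) or is TLS-protected, 1 when the web application
# would talk to a remote guacd in plaintext. Defaults follow the docs quoted
# in the thread: omitted hostname -> localhost, port -> 4822, ssl -> false.
audit_guacd_props() {
    file="$1"
    host=$(prop_get "$file" guacd-hostname); host=${host:-localhost}
    port=$(prop_get "$file" guacd-port);     port=${port:-4822}
    ssl=$(prop_get "$file" guacd-ssl);       ssl=${ssl:-false}
    case "$host" in
        localhost|127.0.0.1|::1)
            echo "OK: guacd at $host:$port reached over loopback (tunnel or local daemon)"
            return 0 ;;
    esac
    if [ "$ssl" = "true" ]; then
        echo "OK: remote guacd at $host:$port with guacd-ssl=true"
        return 0
    fi
    echo "FAIL: remote guacd at $host:$port without guacd-ssl=true (plaintext on the network)"
    return 1
}

# Usage: sh guacd_audit.sh /etc/guacamole/guacamole.properties
if [ "$#" -gt 0 ]; then
    audit_guacd_props "$1"
fi
```

Run it against the web application's properties file; a FAIL means the client would speak the guacd protocol across the network without TLS, which is exactly the case the post is trying to avoid. The audit only covers the client side of the link: whether guacd itself is bound to loopback on the bastion has to be checked there (the guacd_bastion_cmd line shows the intended invocation).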
________________________________
From: Ivanmarcus <ivanmar...@yahoo.com.INVALID>
Sent: Saturday, April 20, 2024 4:36 PM
To: user@guacamole.apache.org <user@guacamole.apache.org>
Subject: Re: guacd and guac-client in different hosts

Robert,

You might want to look to the links that Nick posted, they will give you
an idea of where progress is on this matter.

Also, you are always welcome to contribute, particularly if there's an
issue you see would assist the project as a whole in addition to your
operation.

On 21/04/24 00:30, Robert Dinse wrote:
>
>       It is six years old, in computer terms this is stone age.  As one who
> usually maintains the current distro on my servers apps with old requirements
> are a PITA, especially pitted against other apps that only work with the latest
> and perhaps not always greatest.
